Permissions
Create granular permissions for CRUD operations on any API endpoint.
Overview
- A permission grants or denies read and write operations and access on a specific entity.
- An entity maps to an existing API endpoint in the Mage application.
- A permission can grant or deny access to a specific entity with a specific UUID.
- Each operation and attribute operation has an access level that denies access to a specific entity for that particular operation or attribute operation.
- When denying an attribute operation, define the set of attributes that the permission forbids the user from querying, reading, or writing.
Operations
List
This access level grants permission to perform a GET request to the collections API endpoint for a specific entity.
Create
This access level grants permission to perform a POST request to an API endpoint for a specific entity.
Detail
This access level grants permission to perform a GET request to the details API endpoint for a specific entity.
Update
This access level grants permission to perform a PUT request to an API endpoint for a specific entity.
Delete
This access level grants permission to perform a DELETE request to an API endpoint for a specific entity.
All operations
This access level allows the following operations to be performed for a specific entity:
- List
- Create
- Detail
- Update
- Delete
Attribute operations
Query
This access level grants permission to use a specific set of query parameters when making an API request for a given entity.
Read
This access level grants permission to read a specific set of attributes from an API response for a specific entity.
Write
This access level grants permission to write a specific set of attributes when submitting a payload in the API request body for a specific entity.
Query attributes
When granting Query access, you must define the set of query parameters this permission allows.
Read attributes
When granting Read access, you must define the set of attributes this permission allows the user to read.
Write attributes
When granting Write access, you must define the set of attributes this permission allows the user to write.
Groups
The following access levels contain logic that grants access to multiple operations and attribute operations.
The attribute operation that the group access grants still requires you to define the specific set of attributes that the user is permitted to query, read, or write.
Viewer
This access level grants the following for a specific entity:
- Operations
  - List
  - Detail
- Attribute operations
  - Read
Editor
This access level grants the following for a specific entity:
- Operations
  - Everything from Viewer
  - Create
  - Update
  - Delete
- Attribute operations
  - Everything from Viewer
  - Query
  - Write
Admin
This access level grants the following for a specific entity:
- Operations
  - Everything from Viewer
  - Everything from Editor
- Attribute operations
  - Everything from Viewer
  - Everything from Editor
Owner
This access level grants the following for a specific entity:
- Operations
  - Everything from Viewer
  - Everything from Editor
  - Everything from Admin
- Attribute operations
  - Everything from Viewer
  - Everything from Editor
  - Everything from Admin
All
This access level grants every operation, attribute operation, all query attributes, all read attributes, and all write attributes for a specific entity.
Special conditions
Disable unless user has notebook edit access
This access level prevents the user from performing an operation or attribute operation on a specific entity unless the user has notebook edit access.
Disable unless user has pipeline edit access
This access level prevents the user from performing an operation or attribute operation on a specific entity unless the user has pipeline edit access.
Disable unless user owns the current entity
This access level prevents the user from performing an operation or attribute operation on a specific entity unless the user owns the entity they are attempting to act on.
The only entity this access level currently supports is the User entity.
Entity names
List of available entities
ALL
ALL_EXCEPT_RESERVED
AutocompleteItem
Backfill
Block
BlockLayoutItem
BlockOutput
BlockRun
BlockTemplate
Chart
ClientPage
Cluster
CustomTemplate
DataProvider
Database
EventMatcher
EventRule
ExtensionOption
Feature
File
FileContent
FileVersion
Folder
GitBranch
GitCustomBranch
GitFile
GlobalDataProduct
IntegrationDestination
IntegrationSource
IntegrationSourceStream
Interaction
Kernel
Llm
Log
MonitorStat
Oauth
OauthAccessToken
OauthApplication
Output
PageBlockLayout
PageComponent
Permission
Pipeline
PipelineInteraction
PipelineRun
PipelineSchedule
PipelineTrigger
Project
PullRequest
Role
RolePermission
Scheduler
SearchResult
Secret
Session
SparkApplication
SparkEnvironment
SparkExecutor
SparkJob
SparkSql
SparkStage
SparkStageAttempt
SparkStageAttemptTask
SparkStageAttemptTaskSummary
SparkThread
Status
Sync
Tag
User
UserRole
Variable
Widget
Workspace
ALL
Using this entity for a permission will grant the operation or attribute operation for every entity listed above.
ALL_EXCEPT_RESERVED
Using this entity for a permission will grant the operation or attribute operation for every entity listed except the following entities:
Oauth
OauthAccessToken
OauthApplication
Workspace
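
When reviewing a role for least privilege, it helps to expand a group access level and an entity name such as ALL_EXCEPT_RESERVED into the concrete operations, attribute operations, and entities they cover. The following is an added example that models the rules described on this page; it is not Mage's own code, and the permission dict shape, the entity subset, and the attribute names `uuid` and `name` are assumptions made for the illustration.

```python
# Added illustration: a model of the access levels described on this page.
# Not Mage's implementation; the permission dict shape is hypothetical.
GROUP_ORDER = ["Viewer", "Editor", "Admin", "Owner"]
# What each group adds on top of the previous one, as listed on this page.
# The page lists nothing extra for Admin or Owner beyond Editor.
GROUP_ADDS = {
    "Viewer": ({"List", "Detail"}, {"Read"}),
    "Editor": ({"Create", "Update", "Delete"}, {"Query", "Write"}),
    "Admin": (set(), set()),
    "Owner": (set(), set()),
}
RESERVED = {"Oauth", "OauthAccessToken", "OauthApplication", "Workspace"}
# Constructed subset of the entity list, enough for the demo.
ENTITIES = {"Pipeline", "Block", "Secret", "User"} | RESERVED


def expand_group(group):
    """Return (operations, attribute_operations) a group access level grants."""
    ops, attr_ops = set(), set()
    for name in GROUP_ORDER[: GROUP_ORDER.index(group) + 1]:
        ops |= GROUP_ADDS[name][0]
        attr_ops |= GROUP_ADDS[name][1]
    return ops, attr_ops


def resolve_entities(entity_name):
    """Expand ALL and ALL_EXCEPT_RESERVED into concrete entity names."""
    if entity_name == "ALL":
        return set(ENTITIES)
    if entity_name == "ALL_EXCEPT_RESERVED":
        return ENTITIES - RESERVED
    return {entity_name}


def allows_operation(perm, entity, operation):
    in_scope = entity in resolve_entities(perm["entity_name"])
    return in_scope and operation in expand_group(perm["group"])[0]


def allows_attributes(perm, entity, attr_op, attributes):
    """Assumption: an attribute operation with no attributes defined allows none."""
    if entity not in resolve_entities(perm["entity_name"]):
        return False
    if attr_op not in expand_group(perm["group"])[1]:
        return False
    return set(attributes) <= perm.get("attributes", {}).get(attr_op, set())


# Constructed sample: Viewer on every non-reserved entity, two readable attributes.
VIEWER = {"entity_name": "ALL_EXCEPT_RESERVED", "group": "Viewer",
          "attributes": {"Read": {"uuid", "name"}}}
```

Running `expand_group` for each group before assigning it shows that, going only by what this page lists, Editor, Admin, and Owner expand to the same operations and attribute operations.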