Authorize by Category
Resource Authorization Model
Applicable Resource Types
- Metrics / metric categories
- Datasets / dataset categories
Permission Role Definitions
Category Permissions
| Role | Permissions |
|---|---|
| Owner | Includes Manage permission; can grant the Manage role to others; can delete or transfer the category |
| Manage | Includes Create permission; can grant the Create or Use role to others; automatically inherits the Owner role for child categories and resources |
| Create | Includes Use permission; can create metrics or child categories under the category |
| Use | Can query all metrics under the category |
| View | Can view metadata for child categories and metrics under the category |
Resource Permissions
| Role | Permissions |
|---|---|
| Owner | Includes Manage permission; can grant the Manage role to others; can delete or transfer the resource |
| Manage | Includes Use permission; can grant the Use role to others; can edit the resource |
| Use | Can use the resource in queries |
| View | Can view resource metadata |
Category-to-Resource Permission Inheritance
| Category Role | Role Inherited by Resources |
|---|---|
| Owner | Owner |
| Manage | Owner |
| Create | Use |
| Use | Use |
💡 Inheritance principle: Child categories and resources inherit parent category permissions by default, but parent category restrictions take precedence over child-level openness.
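The inheritance table above, worked through as an added Python example (not code from the product or its documentation): it resolves the strongest role a user holds on a resource from direct grants and grants on ancestor categories, and lists the users who are Owner only by inheritance, which is the set an access review should check whenever Manage is granted on a category. The tree, user names, grants, action names and function names are constructed for illustration; category View is left out because the table has no row for it, and the visibility rules are not modeled.

```python
# Added example: effective roles on a resource under the page's inheritance table.
# Tree, user names and grants are constructed sample data, not from the product.
RANK = {"View": 1, "Use": 2, "Manage": 3, "Owner": 4}   # resource roles, weakest first
# Category role -> role inherited by resources (the page's table; it has no View row).
INHERITED = {"Owner": "Owner", "Manage": "Owner", "Create": "Use", "Use": "Use"}
# Minimum resource role per action, taken from the Resource Permissions table.
NEEDS = {"query": "Use", "edit": "Manage", "grant_use": "Manage",
         "grant_manage": "Owner", "delete_or_transfer": "Owner"}

PARENT = {"Category A": None, "Category B": "Category A", "Metric C": "Category B"}
GRANTS = {  # (user, node) -> role granted directly on that node
    ("alice", "Category A"): "Manage",
    ("bob", "Category B"): "Create",
    ("carol", "Metric C"): "Manage",
    ("erin", "Category B"): "Use",
    ("erin", "Metric C"): "Owner",
}

def effective_role(user, resource, parent=PARENT, grants=GRANTS):
    """Strongest role on `resource` and the node it comes from, or (None, None)."""
    best = (grants.get((user, resource)), resource)
    node = parent.get(resource)
    while node is not None:                      # walk every ancestor category
        role = INHERITED.get(grants.get((user, node)))
        if role and RANK[role] > RANK.get(best[0], 0):
            best = (role, node)
        node = parent.get(node)
    return best if best[0] else (None, None)

def allowed(user, resource, action, parent=PARENT, grants=GRANTS):
    """True if the user's effective role meets the minimum role for `action`."""
    role, _ = effective_role(user, resource, parent, grants)
    return RANK.get(role, 0) >= RANK[NEEDS[action]]

def inherited_owners(resource, parent=PARENT, grants=GRANTS):
    """Access-review helper: users who own `resource` only through a category grant."""
    found = {}
    for user in sorted({u for u, _ in grants}):
        role, source = effective_role(user, resource, parent, grants)
        if role == "Owner" and source != resource:
            found[user] = source
    return found

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "erin"):
        print(user, effective_role(user, "Metric C"))
    print("inherited owners:", inherited_owners("Metric C"))
```

In this sample, alice was never granted anything on Metric C, yet she resolves to Owner on it through Manage on Category A two levels up.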
Category Visibility Rules
Visibility Scope
| Type | Description |
|---|---|
| Visible to everyone | Category metadata is visible to all users by default. |
| Visible to specified users | Metadata is visible only to users on the access whitelist or users with Use or higher permission. |
Core Rules
- Parent restrictions take precedence.
  If a parent category is visible to specified users, all child categories and resources are hidden from unauthorized users, even if a child node is set to visible to everyone.
- Child restrictions are not inherited upward.
  If the parent category is visible to everyone but a child category has restricted visibility, unauthorized users can see only the parent category and cannot view the child node.
- Visibility is guaranteed for authorized users.
  Users with Use or higher permission can always view the full resource path.
Examples
Example 1: Open Parent Node, Restricted Child Node
- Configuration
  - Structure: Category A (visible to everyone) → Category B (visible to everyone) → Metric C (visible to specified users)
- User permissions and visible content
| User | Permission | Visible Content |
|---|---|---|
| X | Use permission on Category A | Category A, Category B, and Metric C through parent category inheritance |
| Y | Directly authorized on Metric C | Category A → Category B → Metric C, with the full path |
| Z | No permission | Category A only |
Example 2: Restricted Parent Node, Open Child Node
- Configuration
  - Structure: Category A (visible to specified users) → Category B (visible to everyone) → Metric C (visible to everyone)
- User permissions and visible content
| User | Permission | Visible Content |
|---|---|---|
| X | Use permission on Category A | Category A, Category B, and Metric C |
| Y | Directly authorized on Metric C | Metric C only, without the full path |
| Z | No permission | No visible content |
Example 3: Restricted Parent Node and Restricted Child Node
- Configuration
  - Structure: Category A (visible to specified users) → Category B (visible to everyone) → Metric C (visible to specified users)
- User permissions and visible content
| User | Permission | Visible Content |
|---|---|---|
| X | View permission on Metric C, but no permission on Category A | Not visible because the parent category restriction blocks access |
Permission Feature Summary
| Capability | Category Permissions | Resource Permissions |
|---|---|---|
| Visibility scope control | ✓ | ✗ |
| Create child categories or metrics | ✓ (Create role only) | ✗ |
| Inherit the resource owner role | ✓ (Manage role) | ✗ |