Users and Access Administration

User Access Control for the DataOps Platform

This page explains how access is controlled on the DataOps platform and which permissions you need for each area (Builder, DevOps, Blueprints, Marketplace, Computational Policy).

User access is managed through Blindata permissions and enforced by the Blindata Agent. To grant or modify permissions for a user, follow the permissions guide.

For the full list of available permissions, see:

The DataOps Module Permission Matrix below summarizes what each permission allows on the platform.

DATAOPS_ADMIN users always have full access to all DataOps platform services.

Granular Control and Permission Inheritance

In addition to platform-level permissions, you can grant access to specific Data Products in two ways:

  • Teams — Assign Data Products to a team with defined access policies. See the Teams Management Guide.
  • Stewardship (ACL) — Assign responsibilities (e.g. Data Product Owner) so that access is based on the Access Control List (ACL) of each Data Product. See the Stewardship Responsibilities Guide.

When a row in the tables below shows Team or Stewardship, the user must have the corresponding access (team membership or stewardship role on that Data Product) in addition to the listed permission.

Examples:

  • John can read objects associated with the “Finance” team.

Alternatively, Access Control Lists (ACLs) can be enabled based on responsibilities assigned to specific objects. For example:

  • Mary is the Data Product Owner for the “Invoices” Data Product and has full access to it.

Permission Overview by Functionality

Before you start:

  • DATAOPS_ADMIN can perform all operations in this section; no other permission is needed for admins.
  • AGENTS_VIEWER is required to use the Blindata Agent (and thus to interact with DataOps services).
  • For operations on a specific Data Product, the user must have DATA_PRODUCTS_EDITOR and the appropriate access via Team or Stewardship (see Granular Control and Permission Inheritance).

The tables below list the permission required for each operation by module. A ✔️ in Team or Stewardship means that, in addition to the permission, the user must have access through team membership or stewardship responsibility on that Data Product.

Builder

Data Product and descriptor lifecycle, and repository operations. Repository operations also require authentication and the right permissions on the underlying Git provider. Builder admin operations require DATAOPS_ADMIN.

| Functionality | Permissions | Team | Stewardship |
|---|---|---|---|
| Data Product registration | DATAOPS_EDITOR | | |
| Data Product modification | DATAOPS_EDITOR | ✔️ | ✔️ |
| Data Product deletion | DATAOPS_EDITOR | ✔️ | ✔️ |
| Data Product Version publication | DATAOPS_EDITOR | ✔️ | ✔️ |
| Data Product init | DATAOPS_EDITOR | ✔️ | ✔️ |
| Data Product update documentation fields | DATAOPS_EDITOR | ✔️ | ✔️ |
| Data Product Version publish / delete / update documentation | DATAOPS_EDITOR | ✔️ | ✔️ |
| Descriptor init | DATAOPS_EDITOR | ✔️ | ✔️ |
| Descriptor modify | DATAOPS_EDITOR | ✔️ | ✔️ |
| Data Product Version resolve | DATAOPS_VIEWER | ✔️ | ✔️ |
| Descriptor get | DATAOPS_VIEWER | | |
| List products / Get product | DATAOPS_VIEWER | | |
| List product versions / Get product version | DATAOPS_VIEWER | | |
| Create repository | DATAOPS_EDITOR | | |
| Create repository tag | DATAOPS_EDITOR | | |
| Get repositories | DATAOPS_VIEWER | | |
| Get repository commits | DATAOPS_VIEWER | | |
| Get repository branches | DATAOPS_VIEWER | | |
| Get repository tags | DATAOPS_VIEWER | | |
| Get Git provider repository branches | DATAOPS_VIEWER | | |
| Get provider custom resource definitions | DATAOPS_VIEWER | | |
| Get provider custom resources | DATAOPS_VIEWER | | |
| Get organizations | DATAOPS_VIEWER | | |

DevOps

Activity lifecycle operations:

| Functionality | Permissions | Team | Stewardship |
|---|---|---|---|
| Activity creation | DATAOPS_EDITOR | ✔️ | ✔️ |
| Activity start | DATAOPS_EDITOR | ✔️ | ✔️ |
| Activity delete | DATAOPS_EDITOR | ✔️ | ✔️ |
| Task stop | DATAOPS_EDITOR | ✔️ | ✔️ |
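
The rules under "Before you start", combined with rows from the Builder and DevOps tables, can be expressed as an access check that reports why a user would be denied an operation. This is an added example, not Blindata code: the operation keys, the User class and missing_requirements are hypothetical names, and it assumes each permission must be held explicitly (no implied EDITOR-to-VIEWER hierarchy) and that either Team or Stewardship access satisfies a ✔️ row.

```python
from dataclasses import dataclass, field

# Constructed subset of the Builder and DevOps tables:
# operation -> (listed permission, Team/Stewardship access required)
RULES = {
    "data_product_registration": ("DATAOPS_EDITOR", False),
    "data_product_modification": ("DATAOPS_EDITOR", True),
    "descriptor_get": ("DATAOPS_VIEWER", False),
    "create_repository": ("DATAOPS_EDITOR", False),
    "activity_start": ("DATAOPS_EDITOR", True),
    "task_stop": ("DATAOPS_EDITOR", True),
}

@dataclass
class User:
    permissions: set
    teams: set = field(default_factory=set)          # team memberships
    stewardships: set = field(default_factory=set)   # Data Products with a stewardship role

def missing_requirements(user, operation, product=None, product_teams=()):
    """Return the unmet requirements for an operation; an empty list means allowed."""
    if operation not in RULES:
        return [f"unknown operation {operation!r}"]  # fail closed on unmapped operations
    if "DATAOPS_ADMIN" in user.permissions:
        return []  # admins need no other permission
    permission, scoped = RULES[operation]
    # AGENTS_VIEWER is needed to reach the Blindata Agent at all.
    missing = [p for p in ("AGENTS_VIEWER", permission) if p not in user.permissions]
    if scoped:
        if "DATA_PRODUCTS_EDITOR" not in user.permissions:
            missing.append("DATA_PRODUCTS_EDITOR")
        has_team = bool(user.teams & set(product_teams))
        if product is None or not (has_team or product in user.stewardships):
            missing.append("Team or Stewardship access")
    return missing

# Constructed users (hypothetical) echoing the page's John and Mary examples.
JOHN = User({"AGENTS_VIEWER", "DATAOPS_VIEWER"}, teams={"Finance"})
MARY = User({"AGENTS_VIEWER", "DATAOPS_EDITOR", "DATA_PRODUCTS_EDITOR"},
            stewardships={"Invoices"})

if __name__ == "__main__":
    for who, user in (("John", JOHN), ("Mary", MARY)):
        gaps = missing_requirements(user, "data_product_modification",
                                    "Invoices", {"Finance"})
        print(who, "allowed" if not gaps else f"denied, missing: {gaps}")
```
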

Blueprint

Blueprint operations:

| Functionality | Permissions | Team | Stewardship |
|---|---|---|---|
| Blueprint registration | DATAOPS_ADMIN, BLUEPRINTS_ADMIN | | |
| Blueprint instantiation | DATAOPS_EDITOR, BLUEPRINTS_EDITOR, DATA_PRODUCTS_EDITOR | | |

Marketplace

Marketplace operations:

| Functionality | Permissions | Team | Stewardship |
|---|---|---|---|
| Marketplace user (consumer) | MARKETPLACE_VIEWER | | |
| Marketplace request approval (provider) | MARKETPLACE_EDITOR, DATAOPS_EDITOR | | |
| Full marketplace access (admin) | MARKETPLACE_ADMIN | | |

Computational Policy

Governance policy deployment and evaluation:

| Functionality | Permissions | Team | Stewardship |
|---|---|---|---|
| Policy deployment | DATAOPS_ADMIN, GOVERNANCE_POLICIES_ADMIN | | |
| Policy evaluation | DATAOPS_VIEWER, GOVERNANCE_POLICIES_VIEWER | | |

For more on the Data Product Builder (initialization, descriptor editing, and publishing), see the Data Product Builder guide.

DataOps Module Permission Matrix

Summary of what each permission allows on the DataOps platform:

| Permission | Capabilities on the DataOps platform |
|---|---|
| DATAOPS_ADMIN | Full access to all DataOps services and admin operations |
| DATAOPS_EDITOR | Builder and DevOps write operations (where applicable), plus Data Product write when required |
| DATAOPS_VIEWER | Builder and DevOps read operations |
| GOVERNANCE_POLICIES_VIEWER | Policy list and validation (use together with DATAOPS_VIEWER) |
| GOVERNANCE_POLICIES_ADMIN | Policy read and write |
| BLUEPRINTS_VIEWER | Blueprint read |
| BLUEPRINTS_EDITOR | Required for blueprint instantiation (together with DATAOPS_EDITOR and DATA_PRODUCTS_EDITOR) |
| BLUEPRINTS_ADMIN | Blueprint registration and write |
| DATA_PRODUCTS_EDITOR | Required to work on specific Data Products; must be combined with proper Team or Stewardship (ACL) access |
| MARKETPLACE_VIEWER | Marketplace read |
| MARKETPLACE_EDITOR | Marketplace write and request approval (with DATAOPS_EDITOR) |
| MARKETPLACE_ADMIN | Full marketplace access |
| AGENTS_VIEWER | Required to interact with the Blindata Agent and DataOps services |
| AGENTS_EDITOR | Not used by DataOps (only for Blindata job management) |
| AGENTS_ADMIN | Not used by DataOps |