Permissions

Warning

The authorization model for Ontology resources is changing from datasource-derived permissions to Ontology roles. The documentation on migrating to Ontology roles provides a step-by-step guide on how to proceed with the migration.

Ontology roles are not yet generally available to all customers. Contact your Palantir representative for your specific Foundry installation for more information.

Ontology resources refer to object types, link types, and action types along with their metadata (schema).

Two authorization models are currently used to handle permissions of Ontology resources:

  1. Datasource-derived permissions are the legacy solution for authorizing Ontology resources. Datasource-derived permissions rely on the permissions defined on the backing datasource for each object type, creating a direct 1:1 dependency between object types in the Ontology and the backing datasource. For this reason, object types with datasource-derived permissions require a backing dataset.
  • For example, a user must have Editor access to the backing datasource and be a member of the Ontology Administrators group (at the Ontology level) to edit an object type in the Ontology.
  2. Ontology roles are the new and improved solution for authorizing Ontology resources and will be the default authorization model from now on. Ontology roles enable the direct application of roles onto each Ontology resource, independent of its backing datasource.
  • For example, a user only requires the Ontology Editor role on the object type and does not require any permissions on the backing datasource to edit an object type in the Ontology.
  • The Ontology Editor role only allows editing Ontology resources and their metadata and does not grant any permission on the data or datasource itself. Access to object data (not metadata) is still governed by the permissions granted on backing datasources.
Warning

To ensure there is clear separation between users responsible for configuring Ontology resources and users responsible for building data pipelines backing the Ontology, we recommend migrating object types, link types, and action types to Ontology roles as soon as possible. In a future platform release, support for datasource-derived permissions will be reduced, and those permissions will eventually be removed from the platform. Additional in-platform communication and updates will appear as the migration progresses.

Ontology roles

Overview

Ontology roles are defined as:

  • Ontology Owner: Can edit Ontology resources and has full control over their security and sharing
  • Ontology Editor: Can edit Ontology resources
  • Ontology Viewer: Can view Ontology resources, but cannot edit them
  • Ontology Discoverer: Can only see Ontology resource names and metadata, excluding schema

In addition to directly granting the above roles on Ontology resources, you can also grant these roles at the Ontology level by navigating to the Ontology Configuration tab of an Ontology in the Ontology Manager application. Only the Ontology Owner role, when granted at the Ontology level, is inherited by all of the resources in that Ontology; the Ontology Editor role granted at the Ontology level applies only to Ontology-level permissions and is not inherited by individual resources.

As a best practice, we strongly recommend defining a trusted group of users that is responsible for the Ontology as a whole (also referred to as the Ontology Governance Board) and granting that user group the Ontology Owner role for the entire Ontology.

It is possible to customize the operations included in a default Ontology role or configure additional custom roles depending on the specific needs of different user groups. For more information on roles and how they can be customized, refer to the documentation on roles.

Create new resources with Ontology roles

Resource creation in the Ontology is restricted to users with the Ontology Owner or Ontology Editor role at the Ontology level. Newly created object types, link types, shared properties, and action types with roles will show the creating user as an Ontology Owner on that resource and all other users as an Ontology Viewer by default. Once the resource is created, the creating user can apply further roles to the resource.

By default, every user is granted the Ontology Editor role at the Ontology level and can create new Ontology resources for their workflows. To customize which user groups are allowed to add new Ontology resources, an Ontology Owner can navigate to the Ontology configuration tab in Ontology Manager and adjust the Ontology-level role grants.

Type-specific edit permissions with Ontology roles

Permissions for editing object types and their properties

To make changes to an object type and its properties, a user must have the Ontology Editor role on the object type. If the user would like to map datasources or columns to object type properties, then Viewer permissions on the datasource being mapped are also required.

Permissions for shared properties

To make changes to a shared property, a user must have Ontology Editor permissions on the shared property. The user must have Ontology Editor on any object types to which the user wishes to add the shared property.

Permissions for editing link types

To make changes to a link type (create, delete, update, and so on), a user must have the following permissions:

  • Ontology Viewer permission on the object types referenced on both sides of the link type.
  • Ontology Editor permission on the link type itself.

If the link type uses a join table and the modification involves changes to the join table, then Viewer permissions on the join table datasource backing the link type are also required.

Permissions for editing action types

To make changes to an action type (create, delete, update, and so on), a user must have the following permissions:

  • At least Ontology Editor permission on the action type, either granted directly or inherited from the Ontology level.
  • Ontology Editor permission on all object types for which the action type can generate edits during execution.

The object types for which an action type can generate edits include the following:

  • Object types referenced in create, modify, and delete object rules.
  • Object types connected to link types referenced in create and delete link rules.
  • Object types edited in functions of function-backed Actions.
  • The Action Log object type (if one is configured).
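To make the checks in this section concrete, the following added example (not Palantir's code; the data structures, function names and sample grants are constructed for illustration) models the Ontology-roles edit rules for object types, link types and action types described above, including Ontology-level Owner inheritance, the default Viewer grant, and the set of object types an action can edit:

```python
# Role ordering taken from the page; each role includes the capabilities of the one below.
RANK = {"None": 0, "Discoverer": 1, "Viewer": 2, "Editor": 3, "Owner": 4}

# Constructed sample grants (not real Foundry data): a governance board group is Owner at the
# Ontology level, alice and bob hold the default Ontology-level Editor, alice has direct grants.
ONTOLOGY_LEVEL = {"board": "Owner", "alice": "Editor", "bob": "Editor"}
ON_RESOURCE = {("Flight", "alice"): "Editor", ("FlightToAirport", "alice"): "Editor",
               ("ReassignFlight", "alice"): "Editor"}
ON_DATASOURCE = {("flights_dataset", "alice"): "Viewer"}   # Viewer/Editor on backing data
REASSIGN_FLIGHT = {"object_rules": ["Flight"], "action_log": "ActionLog",
                   "link_rules": [{"ends": ["Flight", "Airport"]}]}  # an action definition

def has(user, resource, needed):
    # Only an Ontology-level Owner grant is inherited by resources; otherwise the direct
    # grant applies, falling back to the Viewer every other user gets on a new resource.
    role = ("Owner" if ONTOLOGY_LEVEL.get(user) == "Owner"
            else ON_RESOURCE.get((resource, user), "Viewer"))
    return RANK[role] >= RANK[needed]

def has_data(user, datasource, needed):
    return RANK[ON_DATASOURCE.get((datasource, user), "None")] >= RANK[needed]

def edited_object_types(action):
    """Object types an action can edit: object rules, link-rule endpoints,
    function-backed edits and the Action Log type, as listed on the page."""
    types = set(action.get("object_rules", [])) | set(action.get("function_edits", []))
    for rule in action.get("link_rules", []):
        types.update(rule["ends"])
    if action.get("action_log"):
        types.add(action["action_log"])
    return types

def can_edit_object_type(user, obj, mapped_datasource=None):
    # Editor on the object type, plus Viewer on any datasource being mapped to it.
    return has(user, obj, "Editor") and (
        mapped_datasource is None or has_data(user, mapped_datasource, "Viewer"))

def can_edit_link_type(user, link, ends, join_table=None):
    # Editor on the link, Viewer on both object types, Viewer on a join table if touched.
    return (has(user, link, "Editor") and all(has(user, o, "Viewer") for o in ends)
            and (join_table is None or has_data(user, join_table, "Viewer")))

def can_edit_action_type(user, name, action):
    # Editor on the action type and on every object type it can edit when run.
    return has(user, name, "Editor") and all(
        has(user, o, "Editor") for o in edited_object_types(action))
```

Note that alice cannot edit the sample action even though she holds Editor on it: the link rule makes Airport an edited object type, and she only has the default Viewer there.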

Read-only views

When a user does not have access to edit an object type, link type, shared properties, or action type, the edit views will be disabled and a banner will explain to the user what permissions they do and do not have.

For the Ontology Viewer role: (screenshot: view permission banner)

For the Ontology Discoverer role: (screenshot: discover permission banner)

Warning

To begin migration to Ontology roles, follow the guidance here.

Datasource-derived permissions (legacy)

View permissions

Having Viewer permissions on the datasource backing an object type or link type allows users to see the object type or link type associated with that specific datasource.

By default, action types are visible to all the users who have access to the Ontology. All users will be able to see the title, description, and rules of all action types with the datasource-derived permissions model.

Type-specific edit permissions

To make any changes in the Ontology Manager, a user must be a member of the Ontology Administrators user group. Read more about groups and platform security.

A user may need additional type-specific permissions to successfully make changes in the Foundry Ontology when datasource-derived permissions are used.

Permissions for editing object types and their properties

In order to make any changes to an object type and its properties, a user must have Editor permissions to the datasources backing the object type.

Permissions for shared properties

To create or edit a shared property or add a shared property to an object type, a user must be a member of the Ontology Administrators group.

Permissions for editing link types

In order to make any changes to a link type, a user must have Editor permissions on the datasources backing the link type and Viewer permissions on the datasources backing both object types referenced in the link type.

Permissions for editing action types

  • All users with access to an Ontology can view the complete action type definitions (editable properties, name, or user permissions, for example).
  • To make changes to an action type in an Ontology (create, delete, update, and so on), a user must be a member of the Ontology Administrators group.
  • To run the action, the user must be a Viewer on all the edited object types.
  • If a user creates an action that modifies or adds to an object type, the Edits option must be enabled for that object type.

For more information on action types permissions, review the documentation.

Read-only views

When a user does not have access to edit an object type, link type, or action type, the edit views will be disabled and a banner will explain to the user what permissions they do and do not have.

Deleting the backing dataset

If the backing dataset of an object type with datasource-derived permissions has been permanently deleted from the trash, the object type is considered orphaned. Since permissions are derived from the backing dataset, which can no longer be accessed, users can no longer modify the object type as all editor permissions have been lost. The ontology automatically deletes orphaned object types.

Warning

For datasource-derived permissions, all object types must have a backing dataset. To prevent an accumulation of non-editable ontology types, object types with datasource-derived permissions but no backing dataset will be removed after 24 hours.