Roles

Managing Optable DCN roles and permissions for users and service accounts

Getting Started

Roles let you assign granular permissions to specific Optable objects and prevent unwanted access to other objects. By granting only the necessary permissions to an account, you ensure maximum privacy, security and data governance.

Roles management can be done:

by navigating to https://<your DCN>.optable.co/admin/roles
or by using the role command in the Optable CLI

Default Roles

Default roles are system roles created by Optable. They cannot be modified or deleted in any way.

Admin is the default role the original platform admin is assigned to at the DCN creation time. An admin has all permissions. Future permissions added to Optable will automatically be granted to admins.

Guest is the default role that is suggested when inviting a new user to your Optable DCN. It has view-only permissions, on a limited set of features, excluding settings such as accounts and roles. Guests will be granted view-only access when Optable adds new permissions to the platform, unless the permission is a DCN setting, or is considered sensitive (e.g. privacy budget management).

Creating a Role

From the Roles page, click the "Create Role" button at the top-right of the page. Alternatively, you can click the button of an existing role and duplicate it. The duplicated role is identical, except for the role name, which will be suffixed with -copy

You must give the role a name, a description (both mandatory fields) and at least one permission.

View permissions are enforced in the UI however it is possible to create roles without these permissions through the CLI. Please refer to Permissions for more details.

Using the CLI, the command is optable-cli role create <title> <description> <role-id> <permissions>, where all permissions are listed individually.

E.g. optable-cli role create "ad ops" "ad ops can only access audiences." "ops-1" "permissions/audiences.view" "permissions/audiences.edit"

You will receive a confirmation message similar to this one:

{
  "name":  "nodes/acmeco/roles/ops-1",
  "title":  "ad ops",
  "description":  "ad ops can only access audiences.",
  "permissions":  [
    "permissions/audiences.view",
    "permissions/audiences.edit"
  ],
  "created_at":  "2022-08-30T20:43:20.010655650Z",
  "updated_at":  "2022-08-30T20:43:20.010655650Z",
  "details":  {}
}

Please note that future permissions added to an Optable DCN will not automatically be granted to user-created roles.

Updating a Role

From the Roles page, click the beside the relevant role and click "edit". Apply desired changes and save.

If the updated role is assigned to a user, you will get a prompt asking you to confirm your choice.

With the CLI, the command is optable-cli role update <name> <title> <description> <permissions>.

As an example, suppose you want to change only the description of the ad ops role mentioned above, and remove its audiences.edit permission, you would use the following command:

optable-cli role update "nodes/acmeco/roles/ops-1" "ad ops" "this is a new description" "permissions/audiences.view"

The name has to be the exact name shown in the optable-cli role list command, or as per the JSON example printed above. the name structure always is nodes/<your node name>/roles/<role id>. All fields are required, and partial updates are not supported.

Deleting a Role

From the Roles page, click the beside the relevant role and click "delete". Please note that a role cannot be deleted if it is assigned to an account.

With the CLI, the command is optable-cli role delete <name>. Note that the name has to be the exact name shown in the optable-cli role list command, or as per the JSON example printed above. The name structure always is nodes/<your node name>/roles/<role id>.

For instance, the command to delete the ad ops role would be optable-cli role delete "nodes/staging1/roles/ops-1"

Assigning a Role

Roles can be assigned when inviting a user, creating a service account, or by updating accounts.

Last updated 3 months ago