Admin Permissions Management

The permissions system in Pangolin allows for fine-grained access control over resources. Permissions are granted to Roles, and Roles are assigned to Users.

Concepts

Roles

Pangolin uses a hybrid RBAC system:

System Roles (Fixed): Root, TenantAdmin, TenantUser.
Dynamic Roles (Custom): User-defined collections of permissions (e.g., data_engineer, analyst).

Actions

READ: View metadata and read data.
WRITE: Modify metadata and write data.
DELETE: Delete resources.
CREATE: Create new resources.
LIST: List resources.
MANAGE_ACCESS: Grant/Revoke permissions.
MANAGE_DISCOVERY: Manage business metadata.

Resources

Resources are hierarchical strings.

System: system (Global control)
Catalog: catalog:{catalog_name}
Namespace: namespace:{catalog_name}:{namespace_name}
Table: table:{catalog_name}:{namespace_name}:{table_name}
Tag/Attribute: tag:{name} or attribute:{key}

Commands

List Permissions

List all active permissions, optionally filtered.

Syntax:

pangolin-admin list-permissions [--role <role>] [--user <user>]

Examples:

# List all permissions in the system
pangolin-admin list-permissions

# See what the 'analyst' role can do
pangolin-admin list-permissions --role analyst

Grant Permission

Grant a specific action on a resource to a User.

Syntax:

pangolin-admin grant-permission <username> <action> <resource>

Examples:

# Grant 'admin_user' read access to the 'sales' catalog
pangolin-admin grant-permission admin_user read catalog:sales

# Grant 'data_engineer' write access to a specific namespace
pangolin-admin grant-permission data_engineer write namespace:sales:region_us

# Allow 'audit_bot' to read tables tagged with 'compliance'
pangolin-admin grant-permission audit_bot read tag:compliance

Revoke Permission

Remove a previously granted permission from a Role.

Syntax:

pangolin-admin revoke-permission <role_name> <action> <resource>

Examples:

# Revoke 'write' access to 'sales' catalog from 'analyst' role
pangolin-admin revoke-permission analyst write catalog:sales

Assign Role

Assign a Role to a User (or Service User).

Syntax:

pangolin-admin assign-role --user-id <user_id> --role-id <role_id>

Example:

pangolin-admin assign-role --user-id 550e8400... --role-id 770e8400...

Revoke User Role

Revoke a Role from a User.

Syntax:

pangolin-admin revoke-user-role --user-id <user_id> --role-id <role_id>

Example:

pangolin-admin revoke-user-role --user-id 550e8400... --role-id 770e8400...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Admin Permissions Management

Concepts

Roles

Actions

Resources

Commands

List Permissions

Grant Permission

Revoke Permission

Assign Role

Revoke User Role

FilesExpand file tree

admin-permissions.md

Latest commit

History

admin-permissions.md

File metadata and controls

Admin Permissions Management

Concepts

Roles

Actions

Resources

Commands

List Permissions

Grant Permission

Revoke Permission

Assign Role

Revoke User Role