When creating a new project, the default permission is set to Viewer. However, members of the teams-admin group automatically receive Owner permission via the namespace. Could you please explain the mechanism for granting permissions via the namespace?
Hi! Namespaces are managed from the control panel space (search for namespace).
I found the role setting in the spaces section, and I want to confirm how the roles set in the spaces will affect the permissions of each single project.
For example, I set teams-admin with Owner in the spaces setting.
When making a new project in the namespace, will all the users in the teams-admin group have Owner permission? In my case, the default permission is set to Viewer. However, members of the teams-admin group automatically receive Owner permission via the namespace. But when I change the default permission to Discoverer, the teams-admin group will not receive Owner permission. Can you tell me the reason for that? Thank you.
Here are a few descriptions of settings you can change in your namespace: https://www.palantir.com/docs/foundry/platform-security-management/manage-orgs-and-spaces#spaces-settings
You might be interested particularly in the administration of project templates to manage default roles at project creation time: https://www.palantir.com/docs/foundry/platform-security-management/manage-project-templates#administration
I think there might be some confusion between the permissions given on the namespace itself (i.e. the ability to create a project) versus the default roles at project creation time (i.e. the roles assigned by default when creating a new project).
The behavior that you are seeing is due to the distinction between “private” and “public” projects in the Foundry filesystem, which is a confusing piece of legacy behavior that we hope to eliminate at some point via a migration. Projects with a default role of “None” or “Discoverer” are “private,” and for “private” projects, there is no inheritance from the Space. Projects with a default role of “Viewer” or above are “public,” and the “Owner” role (and only the “Owner” role) from the Space is inherited to all public projects. This inheritance does not occur when using a custom role set, as briefly documented at https://www.palantir.com/docs/foundry/platform-security-management/manage-orgs-and-spaces#spaces-settings.
We do not recommend architecting your permissions structure around this behavior, since as mentioned above, it is legacy and will hopefully go away at some point.
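The inheritance rule described in the reply above, modelled as an added example (not Palantir's code and not part of the original thread) that reports which principals gain or lose inherited Owner when a project's default role changes. The data structures, project names and the `analysts` group are constructed for illustration, and treating Editor and Owner as the roles "above" Viewer is an assumption.

```python
# Simplified model of the legacy Space -> project Owner inheritance described
# in the thread. All inventory data below is constructed sample input.

PRIVATE_DEFAULTS = {"None", "Discoverer"}        # "private" projects: no inheritance
PUBLIC_DEFAULTS = {"Viewer", "Editor", "Owner"}  # "Viewer or above" (assumed ordering)

def inherited_owners(default_role, space_roles, custom_role_set=False):
    """Return principals that get Owner on a project purely via the Space."""
    if default_role not in PRIVATE_DEFAULTS | PUBLIC_DEFAULTS:
        raise ValueError(f"unknown default role: {default_role!r}")
    # Private projects and custom role sets do not inherit from the Space.
    if custom_role_set or default_role in PRIVATE_DEFAULTS:
        return set()
    # Only the Owner role is inherited; other Space roles are ignored.
    return {p for p, role in space_roles.items() if role == "Owner"}

def owner_change_report(projects, space_roles, new_default):
    """Per project, who loses or gains inherited Owner if the default role
    is changed to new_default. Projects with no change are omitted."""
    report = {}
    for name, cfg in projects.items():
        custom = cfg.get("custom_role_set", False)
        before = inherited_owners(cfg["default_role"], space_roles, custom)
        after = inherited_owners(new_default, space_roles, custom)
        if before != after:
            report[name] = {"lost": sorted(before - after),
                            "gained": sorted(after - before)}
    return report

# Constructed sample inventory.
SPACE_ROLES = {"teams-admin": "Owner", "analysts": "Editor"}
PROJECTS = {
    "proj-a": {"default_role": "Viewer"},
    "proj-b": {"default_role": "Discoverer"},
    "proj-c": {"default_role": "Viewer", "custom_role_set": True},
}

if __name__ == "__main__":
    for target in ("Discoverer", "Viewer"):
        print(target, owner_change_report(PROJECTS, SPACE_ROLES, target))
```
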
Thank you for the information. I’d like to ask a few more clarifying questions. Does this behavior differ between AWS and Azure?
Nope - this behavior is independent of the cloud provider.