Hi,
We have an internal permissioning system that stores people’s team membership and other attributes in a database. We can ingest this into Foundry as a dataset, but is there any way to use that dataset to assign group membership in Foundry or control who can submit actions?
I know we can map these user permissions to Foundry user ids and use them for row-level permissioning by creating an array of user ids that can see a given row, but is it possible to do something similar to permission actions? Maybe by having a list of permissioned users as a property of the object type that the action is being applied on?
Has anyone done anything like this before? Another option is to do some internal dev work to get these permissions added into our AD groups but we’d like to avoid that if possible.
Thanks,
Theo
hey!
If the list of attributes is fixed (i.e. you don’t need to be able to support new attributes with no manual action) then what I would recommend is creating a Foundry group per attribute, and then, for each action, add the Foundry groups that a user should have in order to submit the action.
Once that is set up, you can set up a source-based transform that reads the dataset and manually adds and removes users from the groups based on the dataset. For this to work, you will need to maintain a mapping of attribute to group id, but that should be a one-time thing as long as the attributes aren’t constantly changing.
To see a reference on how to do source based transforms with our platform APIs, you can install the platform governance one state, which shows you how to use the platform SDK.
If you are unfamiliar with it, the platform SDK is documented here. It's basically a wrapper around our platform APIs, which live in this documentation.
Code example for the add group member endpoint is here.
Thanks @arochat! When you refer to the list of attributes being fixed, do you mean the schema of the internal permissioning table needs to be constant? Or that we can’t have new teams being created over time because there won’t be a corresponding Foundry group created for them yet?
Yeah, the second thing. Whenever a new team gets created, you would need to manually create a group, and then add that group to any needed actions.
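The reconciliation step described in the answers above (dataset rows plus an attribute-to-group mapping turned into add and remove operations), as an added example that is not part of the thread and not Palantir's code. It only computes the plan and makes no platform SDK calls; the column names, group ids, user ids and the `max_removal_fraction` guard are assumptions.

```python
from collections import defaultdict

# Constructed sample data; group ids, user ids and team names are placeholders.
ATTRIBUTE_TO_GROUP = {"payments": "group-id-payments", "risk": "group-id-risk"}
DATASET_ROWS = [
    {"user_id": "u1", "team": "payments"},
    {"user_id": "u2", "team": "payments"},
    {"user_id": "u2", "team": "risk"},
    {"user_id": None, "team": "risk"},        # no Foundry user id mapped yet
    {"user_id": "u3", "team": "treasury"},    # new team, no group created yet
]
CURRENT_MEMBERS = {"group-id-payments": {"u1", "u9"}, "group-id-risk": set()}


def plan_sync(rows, attribute_to_group, current_members, max_removal_fraction=0.5):
    """Return (adds, removes, unmapped_attributes, blocked_groups); calls no API."""
    desired = defaultdict(set)
    unmapped = set()
    for row in rows:
        if not row.get("user_id"):
            continue  # skip rows that cannot be tied to a Foundry user
        group = attribute_to_group.get(row["team"])
        if group is None:
            unmapped.add(row["team"])  # needs a manually created group first
            continue
        desired[group].add(row["user_id"])

    adds, removes, blocked = {}, {}, set()
    for group in attribute_to_group.values():
        have = current_members.get(group, set())
        want = desired.get(group, set())
        to_remove = have - want
        # Guard: an empty or truncated ingest must not strip most of a group.
        if have and len(to_remove) / len(have) > max_removal_fraction:
            blocked.add(group)
            to_remove = set()
        adds[group] = want - have
        removes[group] = to_remove
    return adds, removes, unmapped, blocked


if __name__ == "__main__":
    print(plan_sync(DATASET_ROWS, ATTRIBUTE_TO_GROUP, CURRENT_MEMBERS))
```

Teams reported in `unmapped_attributes` grant nothing until a group is created for them, so a newly created team fails closed rather than inheriting another group's access.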