Data Connection Source Creation Perms

Is there no workflow permission set in control panel to control who can create sources in data connection? Sometimes I want people to be able to create a sync, or explore a source, but I don’t want them to be able to create a new source. We want to open up a training space where people can go and experiment with the different apps (data connection being one of them), but we’re afraid that in doing so people will try to connect to sensitive DBs in the training space, which is currently shared by multiple organizations. Is there any foolproof way to democratize access to the data connection app without democratizing access to source creation?

One approach here would be to create a custom role that allows for users to work in those projects without the ability to create and save data connection sources. The role management UI can be found under the Roles tab of the platform settings page.

First, you can choose whether to create your own role set or use an existing role set. If this is a custom set of permissions you need to keep limited to your particular organization, it may make sense to create a new role set. If you’re comfortable with this role being discovered by administrators when configuring role permissions on default projects, you can add this in the “Project Defaults” role set.

See more information about role sets here: https://www.palantir.com/docs/foundry/platform-security-management/manage-roles/#role-sets.

From there, you can create a role such as “Editor without Data Source Admin” within your chosen role set. You can model this role after the existing “Editor” role from the Project Defaults role set. Then go to the Data Connection section of the role and unselect all permissions required to manage a source, such as “Administer Source” and “Edit Source”. These permissions can be found in this section here:

Check out this documentation here for more detail about how to create this custom role: https://www.palantir.com/docs/foundry/platform-security-management/manage-roles/#creating-a-custom-role

Once you have this new role created, you can assign this role to the group of users on the desired projects so that they cannot create sources within your training space.

I see, so it seems that creating a data connection is a permission that is granted on the Project level, and that therefore there is no way to limit a user's ability to create a new connection/sync assuming that they can create their own project (and grant themselves owner permissions) other than denying them access to the Data Connection application itself via Control Panel?