Sharing and Permissions
Sharing in Dremio can be configured for datasets, sources, spaces and folders.
How Sharing Works
Users can restrict access to a space or source in Dremio.
By default, all users will have access to spaces and sources.
Once users and/or groups are added under
Sharing, other users will no longer have access.
Datasets and folders inherit the permissions of their parent folder, source or space. Later changes to the parents'
Sharingsettings are not reflected in the dataset or folder.
Users need to be able to access each folder, source or space included in a dataset's path to be able to access it.
Datasets in users' home spaces cannot be shared.
A dataset under restricted access can be shared with another Dremio user by creating a virtual dataset that selects from the underlying dataset, even if the other Dremio user doesn't have access to the underlying data. This applies to each dataset in the data graph — the chain of datasets.
Query and edit permissions can be defined on Datasets, Folders, Spaces, and Sources.
Dremio's permission model is based on the UNIX model:
.. An attempt to add a file to a directory, delete a file from a directory, or to rename a file, all require write permission for the directory ..
For example, given a folder named Taxes in a space named Personal.
You cannot delete or modify Taxes unless you have
Can Edit permissions on the Personal space.
Any permissions on the Taxes folder are not valid.
If you attempt to delete the folder without
Can Edit permissions on the Personal space,
the delete request fails with a 403 error.
|Further Notes||The ability to delete, rename, or move a Dataset is not controlled by the Sharing settings of the Dataset itself but by the Folder, Space, or Source which contains it.|
|Further Notes||Only Folders within a Space can be shared or modified. Folders within Sources inherit the settings of the containing Source and cannot be changed. The ability to delete, rename, or move a Folder is not controlled by the Sharing settings of the Folder itself but by the Folder, Space, or Source which contains it.|
Some sources support the ability to do impersonation, i.e. the ability to access the source data as the user in Dremio. If the user cannot access specific datasets in the underlying source, then they will be unable to view the data for those datasets. However, as these permissions are independant of Dremio's internal Sharing abilities, users will still see those datasets listed in the UI.
As a convience, users are not shown the names of Datasets, Folders, Spaces, or Sources which they cannot query. However, users can still discover the names of these items (but not the data they represent). For example, if a user tried to create an item with the same name as an existing item, then the user could learn an item with that name already exists.