Localizing dataset access granting in a multi-organization setup

Use-case: I have a centralized IT group or Center of Excellence (COE) that’s in charge of maintaining the administration and uptime of the cluster and Arcadia services, which act as “super administrators”. However, I have multiple organizations or user groups in my company that will need to delegate and control access to datasets in Arcadia themselves, without the required intervention of the COE.

Solution: Arcadia’s “Grant” permissions in our Role Based Access Contols (RBAC) allow you to localize the granting and permissioning of datasets on a Connection by Connection basis.

Example Scenario: I have an organization called “XYZ”. This organization wants to delegate access to datasets to their own users (i.e. Analysts).

The first step is to have the Administration/COE team creates 2 roles in Arcadia: “Organization XYZ Admin” and “Organization XYZ Analyst”

The “Organization XYZ Admin” role is given Connection level access to their datasets that’s separate from other organizations. In this case, the Connection is called “Arcadia Enterprise”:

The “Organization XYZ Admin” role is also given access to “All Datasets” on their connection (i.e. Arcadia Enterprise).

Meanwhile the “Organization XYZ Analyst” role is only given access to their organization’s Connection (i.e. Arcadia Enterprise) at this time. This allows them to create new Datasets, but has not given them access to any existing datasets.

After the “Organization XYZ Analyst” role is created, we can now go back to our “Organization XYZ Admin” role and assign a new “Role” level permission that allows this local admin group to grant access to their organization’s datasets to other roles that are within their organization (i.e. “Organization XYZ Analyst”):

Now if we login with a our user that’s been assigned to the “Organization XYZ Admin” role we can all of the Datasets within our organization’s connection (i.e. Arcadia Enterprise):

If we click on one of our datasets (TV Viewers), we now see a new option to configure at the Dataset level called “Permissions”:

Now if we Edit the Permissions, we can modify our “Organization XYZ Analyst” role to have full permissions on this particular Dataset (TV Viewers):

And when any of the users with the “Organization XYZ Analyst” role login they will now see their newly accessible Dataset (TV Viewers):