Kitchen Roles
Kitchen roles is a feature that uses custom roles to define kitchen access on a per-user level.
Request and configure kitchen roles
DataKitchen provides a default list of kitchen roles with a pre-defined permission schema best suited to working in DataOps Automation. Roles can be further customized for each Automation customer account. Work with your DataKitchen representative to set up the roles and permission schema for your needs.
Considerations
- Every role is defined with a set of permissions for permanent (static) kitchens and a set of permissions for temporary (sandbox) kitchens. For more information on static and sandbox kitchens, see Set Kitchen Type.
- A user can only be assigned one role per kitchen.
- The system maintains a list of Super Users, per customer, that is not displayed in any kitchen. These users can perform advanced functions related to system infrastructure within a customer account.
  There must always be at least one Super User per customer. A system restriction is in place to prevent the removal of the last Super User.
- The system setting—Kitchen Creator—defines the role assigned to a user when they create a child kitchen. You can select any of your pre-existing kitchen roles for Kitchen Creator. All other users in the child kitchen will inherit their roles and user assignments upon creation.
  If the Kitchen Creator setting is not defined, all users inherit their roles from the parent kitchen.
- If the kitchen roles feature is deactivated, all users who had access to a kitchen remain in the kitchen's user list, regardless of their prior kitchen role permission level.
  Note: without kitchen roles, all users in a kitchen's user list have the same permission level. If the feature is deactivated, a user who had a limited permissions role would then have full access.
- Users cannot remove their own accounts from a kitchen list.
- Depending on the permissions assigned to a role, the actions a user can perform in the UI may be hidden or disabled.
Permissions
The following lists the permissions that can be added to a kitchen role:
- Set kitchen type
- Create child kitchen (from this kitchen)
- Configure vault
- Edit secrets
- Configure agent group
- Configure kitchen alerts
- Manage kitchen users
- Merge into this kitchen*
- Edit kitchen override variables
- Delete kitchen
- Edit recipes
- Run orders
- View recipes
- View orders
Note
* Merge into this kitchen: merging requires that a user have the View recipes permission on the source kitchen and the Merge into this kitchen permission on the target kitchen.
Example roles and permission suggestions
- Start by setting up an Admin role with unrestricted permissions.
- By default, the Set kitchen type permission is assigned to Super Users only.
- Consider limiting the Delete kitchen permission to Super Users and to Admins for sandbox kitchens.
- For everyday work, design a more restricted kitchen role that does not include infrastructure functions. You can create a role for users who need to edit recipe code and run orders in the kitchen, but prevent those users from changing any settings on the Configure Kitchen page.
- Create a role for "view only" users. For example, set up a role for users who require permission to View recipes and View orders but do not need to make updates.
- Best practice is to assign the Admin role to the Kitchen Creator setting.
Tip
Assigning Admin to Kitchen Creator allows users with limited permissions in the parent kitchen to create kitchens where they have fuller access and sufficient permissions to do work. This provides secure self-service environments for experimentation outside of production.
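The rules above (separate static and sandbox permission sets, one role per user per kitchen, the Kitchen Creator setting, and the two-sided merge check) can be modeled in a few lines to review a planned schema before requesting it. This is an added illustration, not DataKitchen code or its API; the class and function names, the Developer and Viewer roles, and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

ALL = frozenset({
    "set kitchen type", "create child kitchen", "configure vault", "edit secrets",
    "configure agent group", "configure kitchen alerts", "manage kitchen users",
    "merge into this kitchen", "edit kitchen override variables", "delete kitchen",
    "edit recipes", "run orders", "view recipes", "view orders",
})

@dataclass(frozen=True)
class Role:  # hypothetical model of a kitchen role
    name: str
    static: frozenset   # permissions in permanent (static) kitchens
    sandbox: frozenset  # permissions in temporary (sandbox) kitchens

@dataclass
class Kitchen:  # hypothetical model of a kitchen and its user list
    name: str
    kind: str                                  # "static" or "sandbox"
    users: dict = field(default_factory=dict)  # user -> Role, one role per kitchen

def allowed(kitchen, user, permission):
    role = kitchen.users.get(user)
    if role is None:
        return False
    return permission in (role.static if kitchen.kind == "static" else role.sandbox)

def create_child(parent, name, kind, creator, kitchen_creator=None):
    if not allowed(parent, creator, "create child kitchen"):
        raise PermissionError(f"{creator} cannot create a child of {parent.name}")
    child = Kitchen(name, kind, dict(parent.users))  # roles and assignments are inherited
    if kitchen_creator is not None:                  # Kitchen Creator setting is defined
        child.users[creator] = kitchen_creator
    return child

def can_merge(source, target, user):
    # View recipes on the source AND Merge into this kitchen on the target.
    return (allowed(source, user, "view recipes")
            and allowed(target, user, "merge into this kitchen"))

# Constructed sample roles and kitchens (not DataKitchen's default schema).
WORK = frozenset({"create child kitchen", "edit recipes", "run orders",
                  "view recipes", "view orders"})
VIEW = frozenset({"view recipes", "view orders"})
ADMIN = Role("Admin", ALL - {"delete kitchen"}, ALL)  # Delete kitchen in sandboxes only
DEVELOPER = Role("Developer", WORK, WORK)
VIEWER = Role("Viewer", VIEW, VIEW)
production = Kitchen("production", "static", {"alice": DEVELOPER, "bob": VIEWER})
feature = create_child(production, "feature", "sandbox", "alice", kitchen_creator=ADMIN)
```

In this model alice can configure the vault in `feature` and merge from `production` into it, but she cannot merge `feature` back into `production`, because her Developer role there lacks Merge into this kitchen.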
Default roles and permissions
DataKitchen provides a pre-defined permission schema that aligns with DataOps best practices.