> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getcollate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Advanced Guide for Roles and Policies

> Manage roles and policies to control permissions, ownership, and governance enforcement.

# Advanced Guide for Roles and Policies

## Users and Teams

Collate introduces a versatile hierarchical team structure that aligns with your organization's setup. Administrators can mirror their organizational hierarchy by creating various team types.

**Organization** serves as the foundation of the team hierarchy representing the entire company. Under Organization, you can add Business Units, Divisions, Departments, Groups, and Users. For instance, if your company is Facebook, then the Organization represents entire Facebook itself, which further houses diverse teams like Engineering, Sales, Finance, and Marketing.

<img src="https://mintcdn.com/collatedocs/MrJbbiNG3Gqux6Hk/public/images/how-to-guides/roles-policies/all-teams.png?fit=max&auto=format&n=MrJbbiNG3Gqux6Hk&q=85&s=e60ed74ab48bd1e98c93b0d20e7b356f" alt="Teams Hierarchy" width="1438" height="775" data-path="public/images/how-to-guides/roles-policies/all-teams.png" />

**BusinessUnit** is positioned one level below the Organization and can contain other Business Units, Divisions, Departments, and Groups. To illustrate, the Engineering Business Unit could be one of the top-tier Business Units in the Organization. It contains other teams like Groups and additional Business Units.

<img src="https://mintcdn.com/collatedocs/MrJbbiNG3Gqux6Hk/public/images/how-to-guides/roles-policies/b-u.png?fit=max&auto=format&n=MrJbbiNG3Gqux6Hk&q=85&s=87bdbd013248699ff94c593e111240a6" alt="Business Unit" width="1438" height="775" data-path="public/images/how-to-guides/roles-policies/b-u.png" />

**Division** is positioned below Business Unit and can include Divisions, Departments, and Groups. For example, a Division named 'Product Development' under the Engineering Business Unit. It can have teams like 'Software Division,' 'Hardware Division,' and 'QA Division.'

**Department** is positioned below Division and can include other Departments and Groups. For example, a 'Data Engineering Department' could include specialized teams like 'Infrastructure,' 'Data Science,' and 'Platform.'

**Group** represents the final tier in this hierarchy. It contains a group of users that reflect finite teams within your organization.

<Note>
  **Note**: Only Groups have the privilege of owning data assets within the Collate platform.
</Note>

This structured hierarchy enhances your control over team management and resource ownership. By creating a dynamic model mirroring your organization's functions, Collate empowers you to effortlessly manage permissions, access controls, and data ownership at different levels of granularity.

## Access Control Design: Roles and Policies

<img src="https://mintcdn.com/collatedocs/MrJbbiNG3Gqux6Hk/public/images/how-to-guides/roles-policies/evaluation.png?fit=max&auto=format&n=MrJbbiNG3Gqux6Hk&q=85&s=b21708621091a842f7ee496caec57893" alt="Policy Evaluation" width="2302" height="1428" data-path="public/images/how-to-guides/roles-policies/evaluation.png" />

Collate incorporates a robust Access Control framework that merges Role-Based Access Control (RBAC) with Attribute-Based Access Control (ABAC) in a powerful hybrid model. This security design is reinforced by:

**Authentication with SSO Integration**: Collate seamlessly integrates with various Single Sign-On (SSO) providers, including Azure AD, Google, Okta, Auth0, OneLogin, and more. This ensures a unified and secure authentication experience for users.

**Team Hierarchy**: Collate offers a structured team hierarchy that mirrors your organization's structure, enhancing manageability and granularity in access control.

**Roles and Policies**: Policies and Roles are pivotal in determining who can access what resources and perform what actions. These policies are based on a combination of user attributes, roles, and resource attributes.

**User and Bots Authentication**: Collate accommodates human users and automated applications (bots). For human users, logging into the Collate UI mandates SSO authentication. Upon successful authentication, a JSON Web Token (JWT) is issued.

Bots, on the other hand, are equipped with a JWT token generated based on SSL certificates. This token serves as their identity and authorization mechanism when interacting with the Collate server APIs.

## Authentication Flow

<img src="https://mintcdn.com/collatedocs/MrJbbiNG3Gqux6Hk/public/images/how-to-guides/roles-policies/auth.png?fit=max&auto=format&n=MrJbbiNG3Gqux6Hk&q=85&s=8e69c50d3eacee3b6c5c5d7862c8e020" alt="Authentication Flow" width="1446" height="944" data-path="public/images/how-to-guides/roles-policies/auth.png" />

**User Authentication**: When users access the Collate UI, they authenticate with their SSO provider. Upon successful authentication, a JWT token is generated. This token validates the user's session and permits them to authenticate requests to the Collate server.

**Bot Authentication**: Automated applications like the ingestion connector are equipped with a pre-generated JWT Token. Collate, with its configured SSL Certificates, authenticates the JWT token, establishing the bot's identity. This token authorizes the bot to interact with Collate server APIs.

## Authorization Framework

Collate's authorization is a result of evaluating three crucial factors:

<img src="https://mintcdn.com/collatedocs/MrJbbiNG3Gqux6Hk/public/images/how-to-guides/roles-policies/access.png?fit=max&auto=format&n=MrJbbiNG3Gqux6Hk&q=85&s=5e2e6dfde4d80f1e66fba6cad77f1cbf" alt="Authorization Framework" width="2278" height="454" data-path="public/images/how-to-guides/roles-policies/access.png" />

**Who is the User (Authentication)**: The authentication process determines this – whether it is a user or a bot – ensuring that only authorized entities access the system.

**What Resource (Resource Attributes)**: Based on the API calls being made, Collate identifies the target resource and its associated attributes.

The following resources correspond to entities such as Table, Topic, and Pipeline:

<img src="https://mintcdn.com/collatedocs/zx0klkEa5N8c1XZk/public/images/how-to-guides/roles-policies/rules1.png?fit=max&auto=format&n=zx0klkEa5N8c1XZk&q=85&s=094791960f9bf8f6eb0e475af318abe0" alt="Resources Correspond to Entities" width="2214" height="974" data-path="public/images/how-to-guides/roles-policies/rules1.png" />

**What Operation (API Call)**: Each API call maps to a specific operation, such as editing descriptions, deleting tags, and changing ownership.

Common operations – Create, Delete, and ViewAll – apply to all resources. Each resource can also have its own specific operations, such as ViewTests and ViewQueries for Table.

## Resource Scope Reference

The table below maps every resource category to the real-world
access it controls. Use this when designing policies – start by
identifying which categories are relevant to the role, then add
only the operations needed.

<Note>
  **Note**: Tables are the most critical data asset resource. Over-permissioning here has the widest blast radius, as many downstream queries, dashboards, and pipelines depend on them.
</Note>

Every object in Collate belongs to a resource category — from core data assets like Tables and Databases, to governance resources like Glossary Terms and Tags, to admin resources like Users, Roles, and Policies. For a reference overview of resource categories, the resources each includes, and risk levels, see [Resource scope and operations reference](/how-to-guides/admin-guide/roles-policies/resource-scope).

### Key Scope Principles

* **Service resources** (Database Service, Pipeline Service, and so on) control
  the connection itself – granting Edit on a service gives access to all
  assets in that service.
* **User & Access Control resources** are the most sensitive category.
  EditPolicy and EditRole changes affect the entire permission model.
* **AI/Agent resources** govern automated execution paths. Restrict Agent
  Execution and Dynamic Agent to roles that actively need to run workflows.
* **Data Governance resources** (Tags, Glossary Terms, Domain) may seem
  low-risk but misuse can cause incorrect PII labelling with compliance
  consequences.

## Difference Between ViewBasic and ViewAll in Collate

The operations **ViewBasic** and **ViewAll** in Collate differ in the level of detail they provide access to. The following explains each in detail:

### ViewBasic

* Provides access to the **basic details** of an asset.
* Includes information such as:
  * Description
  * Tags
  * Owner
  * Fundamental metadata
* **Excludes** more detailed information, including:
  * Profile data
  * Sample data
  * Data profile
  * Tests
  * Queries

### ViewBasic: Key Points

* Suitable for viewing foundational asset metadata.
* Limited access for users who do not require in-depth technical details.

### ViewAll

* Provides access to **all details** of an asset.
* Includes everything available in **ViewBasic**, along with:
  * Profile data
  * Sample data
  * Data profile
  * Tests
  * Queries

### ViewAll: Key Points

* Designed for users who need a complete view of the asset.
* Offers comprehensive insights and detailed metadata.

### Summary Table

| Feature         | **ViewBasic**  | **ViewAll** |
| --------------- | -------------- | ----------- |
| Basic Details   | ✅ Included     | ✅ Included  |
| Profile Data    | ❌ Not Included | ✅ Included  |
| Sample Data     | ❌ Not Included | ✅ Included  |
| Data Profile    | ❌ Not Included | ✅ Included  |
| Tests & Queries | ❌ Not Included | ✅ Included  |

### Overview

* **ViewBasic**: Focused on essential metadata.
* **ViewAll**: Provides a complete view, including advanced details.

Choose the appropriate operation based on the level of access required.

| Permission                   | What it adds over the level below                                              |
| ---------------------------- | ------------------------------------------------------------------------------ |
| ViewBasic                    | Baseline – see entity name, type, and owner. Safe for all authenticated users. |
| ViewAll                      | Adds full schema, lineage, tags, glossary terms, and metadata fields.          |
| ViewDataProfile              | Adds column-level profiling statistics (null %, value distributions).          |
| ViewUsage                    | Adds query frequency and who accessed the asset and when.                      |
| ViewQueries                  | Adds the actual SQL text of executed queries.                                  |
| ViewSampleData               | Adds actual row-level data – treat as data access, not just metadata access.   |
| ViewTestCaseFailedRowsSample | Adds data rows that failed quality tests – often contains production data.     |

For a curated reference of common operations and resource types, see [Resource scope and operations reference](/how-to-guides/admin-guide/roles-policies/resource-scope).

<img src="https://mintcdn.com/collatedocs/zx0klkEa5N8c1XZk/public/images/how-to-guides/roles-policies/rules2.png?fit=max&auto=format&n=zx0klkEa5N8c1XZk&q=85&s=4f4ad736cea1ede8c66f041d38f0e220" alt="Each Resource has its Own Set of Granular Operations" width="2184" height="964" data-path="public/images/how-to-guides/roles-policies/rules2.png" />

By synthesizing these components, Collate dynamically determines whether a user or bot can perform a particular action on a specific resource. This **fusion of RBAC and ABAC** in the hybrid model contributes to a robust and flexible access control mechanism, bolstering the security and control of your Collate environment.

## Quick Guide: Which Role Should I Start With?

Use this table when onboarding a new user to determine which base role to assign first.

| User's primary job                                    | Start with this base role | Common additions                                          |
| ----------------------------------------------------- | ------------------------- | --------------------------------------------------------- |
| Browse the catalog, understand data landscape         | Read-Only Viewer          | `ViewDataProfile` if they need column stats               |
| Run analyses, build reports, write SQL                | Data Analyst              | `ViewSampleData` if formally approved                     |
| Define business terms, enforce data quality standards | Data Steward              | `EditCertification` if they certify assets                |
| Build pipelines, ingest metadata, deploy workflows    | Data Engineer             | `EditAll` on specific service types they own              |
| Build AI agents and prompt-driven applications        | AI / ML Engineer          | `EditAll` on AI Governance Policy if they author policies |
| Monitor compliance, tag PII, review audit trails      | Compliance Officer        | `AuditLogs` is essential for this role                    |
| Administer the platform, manage users and services    | Platform Administrator    | Minimize use of `Impersonate` and `GenerateToken`         |

<Card title="Building Blocks of Authorization: Rules, Policies, and Roles" href="/how-to-guides/admin-guide/roles-policies/authorization">
  Learn all the details of Rules, Policies, and Roles
</Card>

<Card title="Use Cases: Creating Roles & Policies in Collate" href="/how-to-guides/admin-guide/roles-policies/use-cases">
  Tailor your policies to meet your organizational and team needs.
</Card>