Permissions

Permissions determine the access level that users have on objects. When permission enforcement is enabled for your organization, you can share and grant permissions on objects.

When you create an object, you become the owner of that object and have full access to the object. By default the object is private, and can only be seen by the owner and by any user with the Organization Administrator role. A user with the Organization Administrator role has full access to all objects in the organization.

An object owner or a user with the Organization Administrator role can share the object. When you share an object, you grant others one or more of the following access levels:
  • Read - Ability to find, open, and view the object. Ability to export the object.
  • Write - Ability to edit and save the object.
  • Execute - Ability to start and stop the object.

You can share objects with both users and groups. If you share an object with a user and also share the same object with a group that the user belongs to, the user has the union of all permissions.

Changes to permissions take effect the next time the user logs in.

If needed, the object owner or Organization Administrator can change the owner of the object. You can also disable permission enforcement for your organization if you want all users to have full access to all objects.

To perform Control Hub tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Job Operator role, you can delete a job only when granted write permission on the job.

Example

The user Rita publishes a pipeline to Control Hub and then creates a job for the pipeline. She becomes the owner of the pipeline and job. She has full access to the pipeline and job and can grant other users and groups permission on these objects.

Rita wants to share the pipeline and job with her co-workers in the NorthernRegion group, granting the group full access to both objects. Miguel is not a member of the NorthernRegion group and so does not need full access to the objects. However, he does need read access on the pipeline and job to monitor them. So Rita also shares the pipeline and job with Miguel, granting him read access to both.

Let's look at the Sharing Settings window for the job in this example:

Note how the window designates Rita as the owner, and note the Is Owner icon () that displays in the row for Miguel. Rita or a user with the Organization Administrator role can click the icon to make Miguel the owner of the object. As the owner, Miguel would then have full access to the object.

The Sharing Settings window does not list the users that have the Organization Administrator role. However, remember that all users who have the Organization Administrator role have full access to all objects and can grant others permission on the objects.