Permissions
Datatailr uses a permissions model to control who can view, change, and use resources such as workstations, workflows, apps, services, and data. Understanding permissions helps you share access safely and follow your team's policies.
Permission levels
Each resource has a set of permissions that define what users and groups can do. The main levels are:
- Read — View the resource and its metadata.
- Write — Change the resource, including its configuration and content.
- Operate — Run or execute the resource (e.g. start a workflow or service).
- Access — Connect to the resource (e.g. open a workstation).
- Promote — Promote the resource to a higher environment, such as from development to production.
Read and Write apply to both jobs and data (key-value store, blob storage). Operate, Access, and Promote apply only to jobs (workstations, workflows, apps, services, and similar compute resources).
Where permissions apply
Permissions are used across the platform:
- Workstations — Who can use, edit, and connect to each workstation.
- Workflows, apps, services — Who can view, run, edit, and promote them.
- Data — Keys in the key-value store and objects in blob storage each have their own permissions.
When you create or edit a workstation, workflow, app, or service, you set permissions in the Permissions step or tab of the form.
Managing permissions in the UI
When creating or editing a resource (for example, a workstation), the form includes a Permissions step. There you can:
- See which groups and users have access and at what level.
- Use presets such as Full access, Editor, or Viewer to assign common permission sets.
- Add more groups or users and choose a preset for each.
- Use Final Permissions For to preview the effective permissions for a specific user or group.
Administrators can also configure default permissions and per-environment overrides in Settings.
Managing permissions via CLI
You can view and change permissions from the command line:
- Key-value store: dt kv acls <key>, dt kv set-acls <key>, dt kv add-acls <key>
- Blob storage: dt blob get-acl <path>, dt blob set-acl <path>
- Jobs (workstations, workflows, apps, etc.): dt job modify <name> -u users -g groups -o others
See the CLI Reference for full option details.
Default permissions
Default permissions are the initial permissions applied when you create a new resource (for example, a workstation, workflow, or key-value key). They let you avoid setting the same permissions from scratch every time. When you create a resource, you can keep these defaults or override them in the Permissions step of the creation form; you can also change permissions later by editing the resource.
Administrators can change the default permissions that apply to new resources. See Default permissions (administration) for how to configure them.