Set Up RBAC (Role-Based Access Control)

GET /authz/api/v1/roles/template

# Platform Admin (full access)

POST /authz/api/v1/roles

{

  "name": "platform-admin",

  "description": "Full platform administration",

  "permissions": ["*"]

}

​

# Pipeline Creator (create & manage pipelines)

POST /authz/api/v1/roles

{

  "name": "pipeline-creator",

  "description": "Create and manage pipelines",

  "permissions": [

    "pipeline.create",

    "pipeline.edit",

    "pipeline.view",

    "pipeline.execute"

  ]

}

​

# Data Viewer (read-only)

POST /authz/api/v1/roles

{

  "name": "data-viewer",

  "description": "View-only access to data",

  "permissions": [

    "pipeline.view",

    "catalog.view",

    "dashboard.view"

  ]

}

# Data Engineering gets creator access

PUT /admin/api/assign-client-roles

{

  "groupId": "group-data-eng",

  "roles": ["pipeline-creator", "catalog-editor"]

}

​

# Analytics gets viewer access

PUT /admin/api/assign-client-roles

{

  "groupId": "group-analytics",

  "roles": ["data-viewer", "dashboard-creator"]

}

# Test each role

GET /authz/api/v1/users/test-user/roles

GET /authz/api/v1/users/permissions?userId=test-user

​

# Verify users can access what they need

# Verify users cannot access what they shouldn't