Roles

Roles are perhaps the most important and extensive resource in Tabular, behind tables. Roles are entities to which you assign members and grant privileges. It’s the privileges that control your access to data in Tabular, as well as your ability to administer Tabular.

Understanding Roles

There are 2 types of role members:

  1. The people in your organization who use Tabular
  2. Other roles

This is the foundation of Tabular’s role-based access control (RBAC) model, which centralizes security down to the individual table column level. In Tabular, you grant data access privileges to roles – not to individuals. It’s the role you belong to that allows you to access and work with data in Tabular.

More on Tabular’s RBAC model.

Note   The RBAC model differs from a user-based access control model, in which rights and privileges are assigned directly to each user or group of users.

You can assign multiple roles to individuals. You can also assign one role to another role (nested roles). When roles are nested, every member of the child role inherits all of the privileges of the parent role.

Viewing Tabular roles

The Roles page provides a centralized view of all of the roles in your Tabular organization. It enables you to quickly answer questions such as:

  • Does every role have a role admin (someone who can modify role details and permissions)?
  • Does it look like each role has the right number of members?
  • Are there any older roles whose permissions you may wish to revisit?
  • And so on

Besides Security Admins and Organization Admins, the Roles page can be especially useful to development teams building out the Tabular platform for their organization.

To view roles

  1. Navigate to Organization > Roles.
    • At the top are 3 panels, each of which displays information about one of the 3 default system roles in Tabular – Everyone, Security_Admin, and Org_Admin. Each panel displays at a glance the number of people and roles that belong to the particular system role.
  2. Click the edit icon to view details about one of these system roles.
  3. Click any other listed role to access the Role details page and view details about that role.

Creating roles and adding role members

You can create any number of roles in a Tabular organization, and assign any number of members to those roles. Typically, organizations use roles to reflect the existing structure of departments and teams. For example, they might have separate roles for financial analysts, accountants, finance managers, and finance executives, with a different set of data access privileges per role.

Tip    However you wish to set it up, we recommend deciding in advance who in your organization needs access to what data in Tabular. Then you can create and populate roles accordingly.

Creating a role

In all but one instance you automatically become the first member of any role you create. You can remove yourself as a member at any time.

The exception is if you are a Security Admin. Security Admins can modify a role (such as adding or removing members, including themselves) at will, without being a member of any particular role.

Important    If you remove yourself from a role, you could lock yourself out of resources to which that role has access, and you’ll need a role admin or Security Admin to add you back to the role.

To create a role

  1. Navigate to Organization > Roles.
  2. On the right-hand side, click the Plus icon. The Create role window opens.
  3. Enter a descriptive name for the role, then click Create role.
  4. The role details page displays, with the Membership tab open.

From here you can add members to this role, or nest pre-existing roles within it.

Adding members to a role

You can add new members to a role only if you have Admin status for that role.

Tip    There are 2 ways to determine if you’re authorized to add members to a role:

  1. Select the role you want from the roles page. You’re an admin if the Admin toggle next to your name is green.
  2. Select the role you want from the roles page and click Access Control. The Access Control page displays all roles that have Admin privileges on the role you selected. If you belong to one of the roles on the Access Control page, you’re an Admin.

To add members to a role

  1. Navigate to Organization > Roles.
  2. Click the role you want. The role details page displays, with the Membership tab open.
  3. Toward the top right, click the person icon. A list displays of all the members in your organization.
    • People in your organization who are already members of this role display as unavailable.
  4. Click the name of the person you wish to add to this role.
    • The list continues to display, so you can add more members to this role, if you wish.
  5. When you’re finished, click away from the list.
  6. To set any member as an admin for the new role, click to activate the Admin toggle next to that member.
Figure: Admin Role Members

Note    You can view all the members of your organization by navigating to Organization > Members. You cannot add members to your organization unless you are a Security Admin.

Adding members in bulk to roles

In addition to adding members to roles individually, you can also add members in bulk. You can do this by nesting – adding one role as a child of another role.

Nested roles, or child roles, automatically inherit all of the access privileges assigned to the parent role. So nesting roles is an excellent way to add access privileges to groups of people quickly.

A role can have any number of child roles, and you can nest one role within another at any time.

To nest one role inside of another role:

  1. Navigate to Organization > Roles.
  2. Click the role you want. When the role details page displays, click the role add icon.
  3. From the menu that displays, click the role you wish to nest. The added role displays indented, beneath the parent role.

Adding privileges in bulk to roles

You can automatically add an existing set of data access privileges by making your role a child of an existing role.

Note    Child roles and parent roles are the same relationship viewed from opposite ends. To manage nested (child) roles, you select the parent role and then manage all of the roles that inherit their privileges from it; privileges pass down from the role you selected to its children. To manage parent roles, you select the child role and then manage all of the roles from which it inherits its privileges; the role you selected inherits privileges from each role you add as a parent above it.

Because you automatically inherit all of the access privileges that have been granted to roles that are parent roles to your role, it’s helpful to see all of the parent roles at a glance. This helps you keep track of all the privileges an individual may have and verify that no one is inadvertently granted access to data they should not be allowed to see.

To view all of a role’s parents at a glance, navigate to Organization > Roles. Click the role you want, and then click Inheritance.

Note    It’s called “inheritance” because these are the roles from which your role members inherit their data access privileges.

To add a parent role

  1. Navigate to Organization > Roles.
  2. Click the role you want. When the role details page displays, click Inheritance.
  3. Click the role add icon.
  4. From the list that displays, select the parent role.

The new parent role is added.

Note    If you do not have the permissions to modify the parent role, Tabular displays an error.

Viewing and modifying role details

Note    You may not have access to all of the procedures below. Some of the procedures below require you to be a member of a role with those specific privileges – typically an Organization Admin role or a Security Admin role. If you are not a member of one of those roles, some of the options below are unavailable to you.

Every role has a role details page. This page provides an easy way to view or modify role membership, see what parent roles there may be, add and remove role admins, and more. With this page, you can quickly:

  • Verify everyone belongs to the roles that are appropriate for their job function
  • Audit access privileges per role to determine whether to modify the role’s access to data
  • Take swift action when someone leaves your organization – for example, adding someone to a role to replace the person who left

Editing a role name and removing a role

Important    You must be a Security Admin or have Admin access to that role to be able to edit role names or remove a role from your organization.

Tip    To determine whether you can edit or remove a role even though your admin privilege is disabled, select the role you want from the roles membership page and click Access Control. The Access Control page displays all roles that have modify privileges (that is, Admin capabilities) on the role you selected. If you belong to one of those roles, you can edit or delete the role you selected.

To edit a role:

  1. Navigate to Organization > Roles.
  2. Click the role you wish to edit.
  3. When the role details page displays, click Settings.
  4. In the Role name box, enter the revised name.
  5. When you’re done, click SAVE ROLE NAME.

To remove a role from your organization

  1. Navigate to Organization > Roles.
  2. Click the role you wish to remove.
  3. When the role details page displays, click Settings.
  4. Click Delete This Role, and when prompted type out the word “DELETE.”
    • This is not case-sensitive.
  5. Click DELETE ROLE.

Enabling and disabling Admin privileges

At any time you can designate a role member to be an admin of that role. Role admins have privileges to modify that role. Non-admins lack this privilege.

Tip    It’s best practice to limit the number of admins in a particular role. That said, larger organizations may need more people with this capability.

To enable or disable role admin status for a member

  1. Navigate to Organization > Roles.
  2. Click the role you want.
  3. When the role details page displays, locate the member you want. Then click the Admin slider to activate or deactivate the member’s admin status.

Identifying who else has access to modify your role

Distinct from Tabular’s role-based access controls for data access, role access controls determine who has privileges to modify or delete a particular role.

To view at a glance which roles are authorized to modify another role’s details, navigate to Organization > Roles. From the list that displays, click the role you want and then click Access Control. Any member of any of the roles that displays has access to modify the role you selected.

Adding and deleting a modifier role

  1. Navigate to Organization > Roles.
  2. Click the role you want.
  3. When the role details page displays, click Access Control.
    • To add a role with access control over this role, click the role add icon. Then from the list that displays, select the role you want.
    • To remove an existing role with access control, click the close icon next to the role you wish to remove. Then at the prompt click Revoke.

Note    Security Admins, Role Admins, and members of access control roles can all modify a given role.

Quick summary of role hierarchy display

  • Parent roles display under Inheritance.
  • Child roles display under Membership.
  • Roles that possess admin privileges over the selected role display under Access Control. These roles do not need to be a parent or child to have admin privileges.

Monitoring a role’s access

Some roles may have a large number of members who collectively need access to a wide range of Tabular resources. You can keep track of all of a role’s access and admin privileges via the Authorizations tab.

The Authorizations tab enables you to quickly browse through and assess all of the resource authorization privileges that members of this role have. At a glance you can see:

  • The type of resource – db, table, storage profile, WH, and so on – and a total count of each
  • The level of data access and admin privileges

From this tab you can swiftly answer questions such as:

  • Does this role have access to all the resources it should have, and no more?
  • Does it have appropriate access to each resource?
  • Does it have the right mix of access and admin privileges to each resource?
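The three questions above can be asked of a role’s authorization list programmatically. The following is an added example, not Tabular’s code: it takes a constructed stand-in for the rows the Authorizations tab shows (resource types follow the page; the privilege names, resource names and the “expected” policy are assumptions made for illustration) and reports grants the role should not have, grants it is missing, and which of its grants are admin-level rather than data access.

```python
"""Added example, not Tabular's code: asking the least-privilege questions above of a
role's authorization list. Resource types follow the page (db, table, storage profile,
WH); the privilege names and sample authorizations are constructed for illustration."""
from collections import Counter

# Constructed stand-in for what the Authorizations tab lists for one role:
# (resource type, resource name, privilege, whether it is an admin privilege)
ROLE_AUTHORIZATIONS = [
    ("db", "finance", "SELECT", False),
    ("table", "finance.ledger", "SELECT", False),
    ("table", "finance.ledger", "MODIFY", False),
    ("table", "finance.ledger", "ADMIN", True),
    ("storage profile", "s3-finance", "USE", False),
    ("WH", "analytics", "USE", False),
]

# What the role is supposed to hold, decided in advance (the Tip under "Creating roles").
EXPECTED_GRANTS = {
    ("db", "finance"): {"SELECT"},
    ("table", "finance.ledger"): {"SELECT", "MODIFY"},
    ("storage profile", "s3-finance"): {"USE"},
}


def actual_grants(authorizations):
    """Group the tab's rows into {(resource type, resource name): set of privileges}."""
    grants = {}
    for rtype, name, privilege, _ in authorizations:
        grants.setdefault((rtype, name), set()).add(privilege)
    return grants


def counts_by_type(authorizations):
    """Authorization rows per resource type, like the totals shown at the top of the tab."""
    return dict(Counter(rtype for rtype, _, _, _ in authorizations))


def audit(authorizations, expected):
    """Answer the three questions: extra resources or privileges the role should not have,
    expected grants that are missing, and which grants are admin-level."""
    actual = actual_grants(authorizations)
    unexpected = {}
    for resource, privs in actual.items():
        extra = privs - expected.get(resource, set())
        if extra:
            unexpected[resource] = extra
    missing = {}
    for resource, privs in expected.items():
        gap = privs - actual.get(resource, set())
        if gap:
            missing[resource] = gap
    admin_grants = [(rtype, name, priv)
                    for rtype, name, priv, is_admin in authorizations if is_admin]
    return {"unexpected": unexpected, "missing": missing, "admin_grants": admin_grants}


if __name__ == "__main__":
    report = audit(ROLE_AUTHORIZATIONS, EXPECTED_GRANTS)
    print(counts_by_type(ROLE_AUTHORIZATIONS))
    for key in ("unexpected", "missing", "admin_grants"):
        print(key, report[key])
```

In the constructed data the role holds an ADMIN privilege on the ledger table and USE on a warehouse that the agreed policy never granted, so both show up under “unexpected”; the ADMIN row is also listed separately because an admin grant deserves a different review than a data-access grant.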

To monitor role resource access

  1. Navigate to Organization > Roles.
  2. Click the role you want.
  3. When the role details page displays, click Authorizations.
    • You can modify the number of resources to display per page, from 25 to 200, by clicking and selecting from the Resources per page box.
Figure: Role authorizations

You can also get a closer look at any individual privilege by hovering over it.

Figure: Role details

And if you wish to modify a privilege for any of these roles, click the resource you want. That takes you to the Access Controls page for that resource.

Viewing and creating service accounts on a role

A service account is a 3rd-party application – frequently a query engine such as Amazon Athena or a storage service such as AWS S3 – that connects with Tabular on behalf of an authenticated individual account to analyze data or load data into Tabular Iceberg tables. These services can run automatically on their own schedule or be started by an individual; either way, it’s important to be able to keep track of non-human actors accessing your data.

Tabular enables you to view all service accounts associated with a particular role, as well as the corresponding IAM role mapping that connects an S3 bucket with an Iceberg table.

Note    You can find details on every service account in your organization – not just role by role – by navigating to Connections > Security.

To view service accounts

View a role’s service accounts by navigating to Organization > Roles. Click the role you want and then click Security.

To create and activate a service account for a role

  1. Navigate to Organization > Roles.
  2. Click the role you want.
  3. When the role details page displays, click Security.
  4. To the right of the Service accounts section, click the Plus icon.
  5. In the window that displays, enter the name of the credential, or select from the list that displays. Then click Create. The new credential displays in the list of service accounts.
    • The service account is inactive by default. To activate it, click Active to turn the slider green.

You can also manage IAM identities that can operate with the privileges granted to mapped Tabular roles.

To add a role mapping to this service account

  1. Navigate to Organization > Roles.
  2. Click the role you want.
  3. When the role details page displays, click Security.
  4. To the right of the AWS IAM role mapping section, click the Plus icon.
  5. In the window that displays, enter the full ARN of the role that Tabular is authorized to assume.
    • For example: arn:aws:sts::<aws_acct_id>:assumed-role/<role>
  6. Click Create.

More information on IAM role mapping.

Frequently-asked questions about roles in Tabular

Must a role be empty before I delete it? If not, what happens to role members when a role is deleted?

A role does not have to be empty for you to be able to delete it. But when the role is deleted, all the authorizations the role had on any resource are also deleted, which of course could affect the role’s former members.

Do members get notified when their role is modified?

Role members are not notified when a role is edited.

Is there an optimal or typical ratio of members to roles? Similarly, is it better to have more roles (with more granular privileges) or fewer roles (with broader privileges)?

Any ratio of members to roles really depends on organizational structure and on business use case. We have found it can vary widely.

Must I be a Sec Admin or Org Admin to make changes on the role details page? If not, who else can? And can you only make changes to roles you’ve created?

To modify a role, you must be either a Sec Admin or a Role Admin. To be a Role Admin, either your role admin status is activated individually, or you are a member of one of the role’s access control roles.

Do I have to add members to roles individually?

Not necessarily. You can also add one role (or more) to another role. By nesting roles in this fashion, you automatically pass all privileges of the parent role onto all the members of the child role.

I tried adding a parent role but got an error message stating I caused “a relationship cycle.” What does it mean? What’s a “relationship cycle?”

This can happen if you inadvertently try to make one role both parent and child to another role – for example, adding role B as a parent of role A when role A is already a parent of role B.
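The relationships described on this page (people and nested roles under Membership, parent roles under Inheritance, modifier roles under Access Control) and the relationship-cycle error above can be modelled as a small graph. The following is an added example, not Tabular’s code: it computes a role’s inherited privileges and effective membership, decides who may modify a role (Security Admins, role admins, and members of access-control roles, as stated under “Identifying who else has access to modify your role”), and rejects a parent that would create a cycle. All role, person and privilege names are constructed, and the cycle check is written to catch chains through intermediate roles as well as the direct case the FAQ describes; that generalization is this example’s assumption, not a statement about Tabular’s implementation.

```python
"""Added example, not Tabular's code: a small model of the role relationships this
page describes (membership, nesting and inheritance, access-control roles, relationship
cycles). All role, person and privilege names are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field


class RelationshipCycleError(ValueError):
    """Adding this parent would make a role inherit, directly or indirectly, from itself."""


@dataclass
class Role:
    name: str
    people: set = field(default_factory=set)          # direct human members (Membership)
    children: set = field(default_factory=set)        # nested roles (Membership)
    parents: set = field(default_factory=set)         # roles inherited from (Inheritance)
    privileges: set = field(default_factory=set)      # privileges granted directly to this role
    admins: set = field(default_factory=set)          # members with the Admin toggle enabled
    access_control: set = field(default_factory=set)  # roles whose members may modify this role


class Org:
    def __init__(self, security_admins=()):
        self.roles = {}
        self.security_admins = set(security_admins)

    def create_role(self, name, creator):
        role = Role(name)
        # The creator becomes the first member, unless the creator is a Security Admin.
        if creator not in self.security_admins:
            role.people.add(creator)
        self.roles[name] = role
        return role

    def ancestors(self, name):
        """Every role that `name` inherits privileges from, through any chain of parents."""
        seen, queue = set(), deque(self.roles[name].parents)
        while queue:
            parent = queue.popleft()
            if parent not in seen:
                seen.add(parent)
                queue.extend(self.roles[parent].parents)
        return seen

    def would_cycle(self, child, parent):
        """True if making `parent` a parent of `child` would create a relationship cycle,
        i.e. if `parent` is `child` itself or already inherits from `child`."""
        return parent == child or child in self.ancestors(parent)

    def add_parent(self, child, parent):
        """Nest `child` under `parent`; members of `child` inherit the parent's privileges."""
        if self.would_cycle(child, parent):
            raise RelationshipCycleError(f"{parent} -> {child} would create a relationship cycle")
        self.roles[child].parents.add(parent)
        self.roles[parent].children.add(child)

    def effective_privileges(self, name):
        """Privileges granted directly to the role plus everything inherited from its parents."""
        privs = set(self.roles[name].privileges)
        for ancestor in self.ancestors(name):
            privs |= self.roles[ancestor].privileges
        return privs

    def effective_members(self, name):
        """People who hold the role directly or through any nested (child) role."""
        people, seen, queue = set(), set(), deque([name])
        while queue:
            current = queue.popleft()
            if current in seen:
                continue
            seen.add(current)
            people |= self.roles[current].people
            queue.extend(self.roles[current].children)
        return people

    def can_modify(self, person, name):
        """Security Admins, the role's own admins, and members of its access-control
        roles may modify the role; ordinary members may not."""
        role = self.roles[name]
        return (person in self.security_admins
                or person in role.admins
                or any(person in self.effective_members(ac) for ac in role.access_control))


def build_finance_example():
    """Constructed scenario: analysts nested under a broader finance role, plus a
    separate access-control role whose members administer the finance role."""
    org = Org(security_admins={"sec_admin"})
    org.create_role("finance", creator="ana")                  # ana becomes the first member
    org.create_role("finance_analysts", creator="sec_admin")   # a Security Admin is not auto-added
    org.roles["finance_analysts"].people.update({"bea", "cal"})
    org.roles["finance"].privileges.add("SELECT on db finance")
    org.roles["finance_analysts"].privileges.add("SELECT on table finance.forecasts")
    org.add_parent(child="finance_analysts", parent="finance")  # analysts inherit finance's grants
    org.create_role("role_ops", creator="dan")
    org.roles["finance"].access_control.add("role_ops")        # role_ops members may modify finance
    return org


if __name__ == "__main__":
    org = build_finance_example()
    print(sorted(org.effective_privileges("finance_analysts")))
    print(org.would_cycle(child="finance", parent="finance_analysts"))  # the FAQ's error case
```

The cycle check is the interesting part: before accepting a new parent, it walks the proposed parent’s own Inheritance chain, and refuses if the selected role already appears there. Walking that chain is also what `effective_privileges` does, which is the same reason the page recommends reviewing a role’s Inheritance tab before trusting what its members can see.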