Skip to main content
Version: 1.2.0

Permissions

Permissions determine the level of access that a user has to various components of the Feature Store. For example, depending on the level of permission granted, a user may be authorized to edit feature sets, while another user with limited view-only permission can only observe the feature set.

Levels of permission

Feature Store has five levels of permission:

Additionally, Feature Store also has the concept of an admin account. An admin is any user with the admin role specified in their identity provider. Admin users can perform additional management tasks.

note

The name of the claim storing the roles and name of admin role is configurable during Feature Store deployment.

Owner

You become the owner by creating a project. As the owner, you can remove the project and assign the owner, editor, consumer, sensitive consumer or viewer permission levels to other users. If you are the project owner, you are automatically granted owner permissions to all the feature sets within that project.

note

As the owner, you have all the other permissions.

  • Editor
  • Sensitive consumer
  • Consumer
  • Viewer

Editor

If you have editor permission for a project in the Feature Store, you are authorized to update the project's metadata and register new feature sets within the project. As the editor of the project, you are automatically granted owner permission for all feature sets associated with the project.

note

As an editor, you also have the following permissions,

  • Sensitive consumer
  • Consumer
  • Viewer

Sensitive consumer

If you have sensitive consumer permission for a project in the Feature Store, you are authorized to list or obtain a feature set from the project. As the sensitive consumer of the project, you are automatically granted sensitive consumer permission for all feature sets associated with the project.

note

As an sensitive consumer, you also have the following permissions,

  • Consumer
  • Viewer

Consumer

If you have consumer permission for a project in the Feature Store, you are authorized to list or obtain a feature set from the project. In other words, as a consumer of a project, you can retrieve data from all feature sets. As the consumer of the project, you are automatically granted consumer permission for all feature sets associated with the project.

note

As an consumer, you also have the following permission,

  • Viewer

Viewer

If you have viewer permission for a project in the Feature Store, you are authorized to see what feature sets are available when the project is locked. If you do not have viewer permission and the project is locked, you are not allowed to list and obtain feature sets in a project. If the project is unlocked, you can view feature sets of the project without any permission.

Secret project and secret feature set

Projects and feature sets can be marked as secret, which means that when secret=True, the project or feature set can be seen only by its owner.

Create a secret project

To create a secret project:

Projects can also be marked as secret by passing secret=True to the client.projects.create call. In this case, only project owners can see the project in client.projects.list and can obtain the project via client.projects.get method.

Create a secret feature set

To create a secret feature set:

Feature sets can also be marked as secret by passing secret=True to the project.feature_sets.register call. In this case, only feature set owners (which are also all owners of the project where this feature set is located) can see the feature set in project.feature_sets.list and can obtain the feature set via the project.feature_sets.get method.

Locked project

Only projects can be marked as locked, which means when Locked=True, only users with viewer and higher permissions(owner, editor, sensitive consumer, consumer) are allowed to access and list feature sets within the project. Users without viewer permission cannot list and obtain feature sets from the project.

Project permission API

Add permissions to the project

To add additional owners to the project, call:

project.add_owners(["bob@h2o.ai", "alice@h2o.ai"])

To add additional editors to the project, call:

project.add_editors(["bob@h2o.ai", "alice@h2o.ai"])

To add additional consumers to the project, call:

project.add_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To add additional sensitive consumers to the project, call:

project.add_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To add additional viewers to the project, call:

project.add_viewers(["bob@h2o.ai", "alice@h2o.ai"])

Remove permissions from the project

To remove owners from the project, call:

project.remove_owners(["bob@h2o.ai", "alice@h2o.ai"])

To remove editors from the project, call:

project.remove_editors(["bob@h2o.ai", "alice@h2o.ai"])

To remove consumers from the project, call:

project.remove_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To remove sensitive consumers from the project, call:

project.remove_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To remove viewers from the project, call:

project.remove_viewers(["bob@h2o.ai", "alice@h2o.ai"])

Request permissions to a project

When cooperating with several users on a project, you may not have a specific permission (i.e., owner/editor/consumer/sensitive consumer) for that project. You can request a specific permission from the project owner.

To begin, check your current access rights:

from featurestore.core.access_type import AccessType
my_access_type = project.current_permission()
# returns None in case the user has no access to the project

If your level of permission is not sufficient for your needs, you can request the project owner for access rights:

my_request_id = project.request_access(AccessType.CONSUMER, "Preparing the best model")

You can track your pending permission requests from the clients API:

my_requests = client.acl.requests.projects.list()

When you can no longer see your request, this means it has been processed. To view the result of your request, call:

my_permissions = client.acl.permissions.projects.list(filters)

The filters argument is optional and specifies which permissions state(s) you are interested in. Its default value is PermissionState.GRANTED (which is the most common case). If you do not find your original request granted, it was most likely either rejected or was granted and then revoked.

To verify the status of your request, specify using the corresponding filters. For example:

filters = [PermissionState.REJECTED]

In case you changed your mind or situation changed, and you don't need access to the project anymore then you can cancel your request before it was processed by withdrawing it.

my_requests = client.acl.requests.projects.list()
request = ... # take a request based on your needs
request.withdraw()

Manage permission requests from other users

As a project owner, a user can request access to that project from you.

To list the requests pending for you to handle, call:

manageable_requests = client.acl.requests.projects.list_manageable()

You can then take an item from the returned list and either approve it:

manageable_requests = client.acl.requests.projects.list_manageable()
oldest_request = # select an item from manageable_requests
oldest_request.approve("it will be fun")

or reject it:

manageable_requests = client.acl.requests.projects.list_manageable()
oldest_request = # select an item from manageable_requests
oldest_request.reject("it's not ready yet")

You can also revoke previously granted access to a project.

First, list the existing permissions that you handle:

manageable_permissions = client.acl.permissions.projects.list_manageable()

Then, select the permission you want to revoke from the returned list:

manageable_permission = ... # select an item from manageable_permissions
manageable_permission.revoke("user left the project")

The returned request and permission objects from the list() and list_manageable() method calls contain convenient methods for accessing the internal state (the following code is not exhaustive):

manageable_requests = client.acl.requests.projects.list_manageable()
manageable_request = # select an item from manageable_requests

manageable_request.requestor()  # only on manageable objects
manageable_request.access_type()
manageable_request.status()
manageable_request.reason()
manageable_request.created_on()
manageable_request.resource_type() # requested resource type, PROJECT or FEATURE_SET
manageable_request.get_resource() # returns corresponding feature set/project

Feature set permissions API

Add permissions to the feature set

In order to add feature set permissions (owner / editor / consumer / sensitive consumer), those users should already have the project consumer permission.

For the following examples, "bob@h2o.ai" and "alice@h2o.ai" should already have consumer permissions to the project which consists of the respective feature set.

To add additional owners to the feature set, call:

fs.add_owners(["bob@h2o.ai", "alice@h2o.ai"])

To add additional editors to the feature set, call:

fs.add_editors(["bob@h2o.ai", "alice@h2o.ai"])

To add additional consumers to the feature set, call:

fs.add_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To add additional sensitive consumers to the feature set, call:

fs.add_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To add additional viewers to the feature set, call:

fs.add_viewers(["bob@h2o.ai", "alice@h2o.ai"])

Remove permissions from the feature set

To remove owners from the feature set, call:

fs.remove_owners(["bob@h2o.ai", "alice@h2o.ai"])

To remove editors from the feature set, call:

fs.remove_editors(["bob@h2o.ai", "alice@h2o.ai"])

To remove consumers from the feature set, call:

fs.remove_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To remove sensitive consumers from the feature set, call:

fs.remove_sensitive_consumers(["bob@h2o.ai", "alice@h2o.ai"])

To remove viewers from the feature set, call:

fs.remove_viewers(["bob@h2o.ai", "alice@h2o.ai"])

Request permissions to a feature set

Feature set permissions follow the same structure and reasoning as project permissions. The following is a short list of available methods.

To list current feature set permissions, call:

from featurestore.core.access_type import AccessType
my_access_type = fs.current_permission()
# returns None in case the user does not have access to the project

To request feature set permissions, call:

my_request_id = fs.request_access(AccessType.CONSUMER, "Preparing the best model")

To list pending requests, call:

my_requests = client.acl.requests.feature_sets.list()

To withdraw a pending request, call:

my_requests = client.acl.requests.feature_sets.list()
request = ... # take a request based on your needs
request.withdraw()

To list granted (without passing an argument) or rejected/revoked (with provided corresponding filters argument) permissions, call:

filters = [PermissionState.REJECTED]
my_permissions = client.acl.permissions.feature_sets.list(filters)

Manage feature set permissions

Feature set permissions follow the same structure and reasoning as project permissions. The following is a short list of available methods.

To list and approve/reject a pending feature set permission request, call:

manageable_requests = client.acl.requests.feature_sets.list_manageable()
manageable_request = # select an item from manageable_requests
manageable_request.approve("it will be fun")
# or
manageable_request.reject("not yet ready")

To list and revoke an existing feature set permission, call:

manageable_permissions = client.acl.requests.feature_sets.list_manageable()
manageable_permission = ... # select an item from manageable_permissions
manageable_permission.revoke("user left project")
Feedback