Permission Configuration
Advanced guide to configuring and managing permissions in your space.
Permission Model
Layers of Access Control
Qarion uses a layered permission model where checks flow from highest to lowest level: Platform Access -> Space Membership + Role -> Permission Rules -> Product Governance Roles -> Specific Access Grants.
Permission Inheritance
Permissions generally flow from general to specific. First, the system checks if you have Platform access. Then it verifies your Space membership and role. Next, it evaluates any custom Rules that might modify your rights. Finally, it considers specific Product governance roles you hold.
Base Role Permissions
Out-of-the-Box Roles
Qarion provides three standard space roles with predefined capabilities.
Viewers can read all content, including the catalog, lineage, and quality results, but cannot make changes.
Editors have all Viewer permissions plus the ability to create and modify products, manage quality checks, and approve access requests (if they are also a Steward or Owner).
Admins have full control. In addition to Editor permissions, they can delete products, manage space members, and configure detailed permission rules.
Custom Permission Rules
Creating Rules
- Navigate to Settings → Permissions
- Click Add Rule
- Configure the rule:
IF [Role] tries to [Action]
AND [Conditions are met]
THEN [Allow/Deny]
Rule Components
Actions
| Action | Description |
|---|---|
view_product | See product details |
edit_product | Modify product metadata |
delete_product | Remove product |
manage_quality | Configure quality checks |
approve_access | Handle access requests |
view_credentials | See source system credentials |
Conditions
| Condition | Use Case |
|---|---|
is_steward | User is product steward |
is_owner | User is product owner |
tag_matches | Product has specific tag |
created_by | User created the product |
Rule Examples
Allow Editors to delete products they created:
Role: Editor
Action: delete_product
Condition: created_by = current_user
Effect: Allow
Restrict credential viewing to Admins:
Role: Editor
Action: view_credentials
Effect: Deny
Allow stewards to manage quality on their products:
Role: Editor
Action: manage_quality
Condition: is_steward = true
Effect: Allow
Permission Rule Priorities
Evaluation Order
- Explicit Deny rules are checked first
- Specific rules override general rules
- If no rule matches, base role permissions apply
Conflict Resolution
When rules conflict:
- Deny always wins over Allow
- More specific conditions win
- Later rules override earlier ones (same specificity)
Source System Permissions
Credential Access
Control who can view/edit source system credentials:
| Level | Can View | Can Edit |
|---|---|---|
| No access | — | — |
| View only | ✓ | — |
| Full access | ✓ | ✓ |
Default Configuration
- Admins: Full access to all credentials
- Editors: No credential access by default
- Viewers: No credential access
Custom Credential Rules
Create rules for specific source systems:
- Go to source system settings
- Configure credential access
- Assign users or roles
Testing Permissions
Permission Checker
Verify what a user can do:
- Go to Settings → Permissions
- Click Test Permissions
- Select a user
- View their effective permissions
Common Test Cases
- Can this Editor delete products?
- Can this Viewer request access?
- What can Stewards do on their products?
Troubleshooting
"Permission Denied" Errors
Check in order:
- Is the user a space member?
- What is their space role?
- Are there deny rules affecting them?
- Do they have the required governance role?
Unexpected Access
If a user can do something they shouldn't:
- Check for permissive rules
- Review governance role assignments
- Verify space role is correct
Changes Not Taking Effect
- Users may need to refresh their browser
- Some permission changes require re-login
- Check for caching issues
Best Practices
Start Simple
- Begin with base roles
- Add custom rules only when needed
- Document every custom rule
Use Governance Roles
Instead of complex rules:
- Assign Steward to let Editors approve access
- Use Owner for important decision rights
Regular Review
- Audit rules quarterly
- Remove unused rules
- Test after changes
Documentation
For each custom rule, document:
- Why it was created
- Who requested it
- What problem it solves
Related Documentation
- Space Administration — General admin guide
- User Management — Managing users
- Access Requests — Access workflows