User Personas

Overview

A persona defines what a user can do on the platform (for example, access cloud resources and other tools), but it does not automatically grant access to any underlying business data objects. The user must request explicit approval from the respective business owner to gain access to the relevant business data available on the platform.

Types of Personas

For efficient and standardised access management, RDH personas have been categorised into the following access types:

Data Consumer

Business Definition

User(s) who need to access data to perform their job functions, such as analysts, researchers, or business users (see the use cases below). They are primarily focused on data consumption rather than data creation or management. This role also provides access to view metadata, data lineage, and the data catalog.

Use Cases:

  • Business Intelligence: Data Consumers might use tools like Power BI or Tableau to generate reports and dashboards.
  • Research and Analysis: They may analyse data trends and patterns to support decision-making processes.

Permissions:

  • Read-Only Access: Data Consumers usually have read-only permissions, meaning they can view and query data but cannot alter, delete, or create new data entries.

  • Access to Specific Data Sets: Their access is often restricted to specific data sets or databases relevant to their role, ensuring they only see the data necessary for their tasks.

Technical Definition

A user who has view access in the Production environment to the approved data group and products. Data Consumer Persona typically refers to a user role that is granted access to data to view, analyse, or utilize it, but not modify or manage it.

  • Permission to query data that the user has access to via their consumer group.
  • Permission to view metadata, data lineage, and data catalog.

Data Analyst

Role Definition

User(s) who need to access, analyse, and interpret data to support business decisions. Data Analysts often work with large datasets, create reports, and generate insights.

Note – Data Analysts collaborate with Data Engineers and Business Users to:

  1. Ensure they have the necessary data pipelines and infrastructure to perform their analyses.

  2. Understand their data needs and translate those into actionable insights.

Use Cases:

  • Business Reporting: Data Analysts use tools like SQL, Excel, Power BI, or Tableau to create reports and dashboards that help stakeholders make informed decisions.

  • Data Exploration: They explore data to identify trends, patterns, and anomalies that can provide valuable business insights.

Permissions:

  • Read and Query Access: Data Analysts typically have read and query permissions on various data sources. This allows them to access and retrieve data without modifying the underlying data structures.

  • Limited Write Access: In some cases, Data Analysts may have limited write access to create temporary tables or store intermediate results, but they generally do not have permissions to alter or delete core data.

Technical:

Data Analyst Persona is designed to provide users with the necessary access to perform data analysis tasks while ensuring data security and compliance. 

Same as Data Consumer, plus:
- BigQuery Data Editor role in dev environment
- BigQuery Data Viewer role in test environment
- Viewer permission for Cloud Functions, Cloud Composer, Pub/Sub, logs, and reviewing IAM permissions
- Data Catalog Admin role in dev environment
- Storage Admin role in dev environment, Storage Viewer in higher environments

Data Engineer

Role Definition

Users responsible for building, maintaining, and optimizing data pipelines and infrastructure. Data Engineers ensure that data flows smoothly from source to destination and is available for analysis and reporting.

Note – Data Engineers collaborate with Data Analysts to ensure they have the necessary data and tools to perform their analyses.

Use Cases:

  • Data Pipeline Development: Data Engineers design and implement data pipelines that extract data from various sources, transform it into a usable format, and load it into data storage systems.
  • Infrastructure Management: They manage and optimize data storage solutions, ensuring high availability, scalability, and performance. (Open question: is this more apt for the Platform Engineer role?)

Permissions:

  • Read and Write Access: Data Engineers typically have both read and write permissions on various data sources and systems. This allows them to create, modify, and delete?? data pipelines, databases, and other data-related resources.
  • Administrative Access: They often have administrative permissions to configure and manage data infrastructure components such as databases, data warehouses, and ETL (Extract, Transform, Load) tools.

Technical

Data Engineer Persona is designed to provide users with the necessary access to manage and maintain data infrastructure while ensuring data security and compliance. 

Same as Data Analyst, plus:
- BigQuery Admin role in dev environment
- Storage Admin permission in ci/cd-projects and permission to view source repositories; Cloud Build Editor in ci/cd-np
- Permissions on certain storage buckets in test and production environments (needed for reading external tables, updating Composer DAGs, and manual file processes)

Platform Engineer

Role Definition

Users responsible for the design, implementation, and maintenance of the infrastructure and platforms that support development and operational activities. Platform Engineers ensure that the environment is stable, scalable, and secure.

Note – Platform Engineers collaborate with developers to ensure that the infrastructure meets the needs of the applications being developed and deployed. 

Use Cases:

  • Infrastructure Management: Platform Engineers manage and optimize the infrastructure to ensure high availability, scalability, and performance.
  • Platform Services: They configure and maintain platform services that support development and operational activities, such as container orchestration, continuous integration, and continuous deployment (CI/CD) systems.

Permissions:

  • Full Control: Platform Engineers typically have extensive permissions, including the ability to create, modify, and delete resources within the platform. This includes managing virtual machines, networks, storage, and other infrastructure components.
  • Administrative Access: They often have administrative permissions to configure and manage platform services, such as Kubernetes clusters, CI/CD pipelines, and cloud services.

Platform Engineer Persona is designed to provide users with the necessary access to manage and maintain the underlying infrastructure and platforms that support various applications and services. 

- Admin level permissions on all utilised GCP resources (list grows over time) in nonproduction environments. 
- Viewer permissions on all utilised GCP resources in prod environment.
- View Billing and cost summaries in all projects.

Elevated Operations Support

Role Definition

Users who are responsible for advanced operational support tasks. These tasks may include system troubleshooting, performance tuning, and emergency response to critical incidents.

Note – Users with the Elevated Operations Support persona collaborate with IT, Security, and Development teams to achieve the following:

  1. Ensure that their actions align with organizational policies and do not compromise security.
  2. Address issues related to application performance or deployment.

Use Cases:

  • Incident Response: Elevated Operations Support users respond to critical incidents, such as system outages or security breaches, and take necessary actions to restore normal operations.
  • System Maintenance: They perform advanced maintenance tasks, such as applying patches, updating configurations, and optimizing system performance.
  • Troubleshooting: These users diagnose and resolve complex technical issues that cannot be handled by standard support teams.

Permissions:

  • Elevated Access: Users in this role typically have elevated permissions that go beyond standard operational roles. This includes the ability to access and modify system configurations, restart services, and perform other high-level administrative tasks.
  • Temporary Privileges: Elevated access is often granted temporarily and on an as-needed basis to minimize security risks. This can be managed through just-in-time (JIT) access controls.

Elevated Operations Support Persona is designed to provide users with the necessary access to perform advanced operational tasks, troubleshoot issues, and ensure the smooth functioning of systems while maintaining security and compliance.

- Admin role on all utilised resources in PROD.

Note: this is the only persona with admin roles in Production environments.

Persona / Role       Production             Test Environment       Development
Data Consumer        Read Only              Read Only              Read Only
Data Analyst         Read, Limited Write    Read, Limited Write    Read, Write
Data Engineer        Read Only              Read Only              Read, Write
Platform Engineer    Read Only              Read Only              Read Only
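
The Production rule stated above (only Elevated Operations Support holds admin roles in Production, with elevated access granted temporarily through JIT controls) can be checked mechanically against an exported IAM policy. The following is an added example, not part of the original page or of the platform's own tooling; the group addresses, the pattern used to recognise admin roles, the expiry-condition convention and the sample policy are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: the group that carries the Elevated Operations Support persona.
ELEVATED_OPS_GROUP = "group:rdh-elevated-ops@example.com"

# Assumption: what this check treats as an "admin" role (basic owner/editor
# plus any predefined role whose name ends in "admin" / "Admin").
ADMIN_ROLE = re.compile(r"^roles/(owner|editor|.*[aA]dmin)$")

# Assumption: JIT grants carry an IAM condition with an expiry of the form
#   request.time < timestamp("2030-01-01T00:00:00Z")
EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def audit_prod_policy(policy, now):
    """Return (member, role, reason) findings for a Production IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not ADMIN_ROLE.match(role):
            continue  # read-only / viewer roles are allowed for every persona
        expr = binding.get("condition", {}).get("expression", "")
        expiry = EXPIRY.search(expr)
        for member in binding.get("members", []):
            if member != ELEVATED_OPS_GROUP:
                findings.append((member, role, "admin role in prod outside Elevated Operations Support"))
            elif expiry is None:
                findings.append((member, role, "elevated access without expiry condition"))
            elif datetime.fromisoformat(expiry.group(1).replace("Z", "+00:00")) <= now:
                findings.append((member, role, "expired grant still bound"))
    return findings


# Constructed sample policy in the shape returned by an IAM policy export.
SAMPLE_PROD_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:rdh-data-consumers@example.com"]},
    {"role": "roles/bigquery.admin",
     "members": ["group:rdh-data-engineers@example.com"]},
    {"role": "roles/storage.admin", "members": [ELEVATED_OPS_GROUP]},
    {"role": "roles/bigquery.admin", "members": [ELEVATED_OPS_GROUP],
     "condition": {"title": "jit",
                   "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
]}

if __name__ == "__main__":
    for finding in audit_prod_policy(SAMPLE_PROD_POLICY, datetime.now(timezone.utc)):
        print(finding)
```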
