# Permissions & Scope

{% hint style="success" %}

### Communities, Permissions & Scope

In this hands-on workshop, you'll learn how to configure Community permissions and data source scope restrictions to implement fine-grained access control in PDC. We'll walk through the process of limiting specific Communities to only the data sources and schemas relevant to their business domain, demonstrating how to create secure, business-aligned data governance boundaries that enforce the principle of least privilege.

By the end of this workshop, you will be able to:

* Configure Community scope restrictions to limit access to specific data sources
* Implement domain-based data access controls that mirror organizational structure
* Create business-aligned data boundaries using PDC's scope management features
* Test and validate Community permission restrictions with user authentication
* Understand how Communities enforce data governance policies at the asset level
* Design scalable permission models that grow with organizational complexity
* Apply the principle of least privilege to enterprise data governance

**Workshop Process:** You'll configure the `AdventureWorks_Sales_Analytics` Community to only access sales-related data sources, then test the restriction by logging in as Sarah Johnson (Sales Analyst) to verify she can only see the data sources appropriate for her role.

This workshop demonstrates how Data Catalog's Community scope features create the "WHAT" layer of your data governance framework—determining exactly which data assets each user can access based on their business function and organizational role.
{% endhint %}

***

{% hint style="info" %}

#### Scope Configuration

Let's implement domain-specific access controls for Adventure Works business areas:

* **Sales Community** gets access to `mssql:adventureworks2022-Sales` (Sales + Person schemas only)
* **HR Community** gets access to `mssql:adventureworks2022-HR` (HumanResources + Person schemas)
* **Data Governance Council** gets cross-domain access for governance oversight
* **System / Datasource Administrators** get access to the complete `mssql:adventureworks2022` database
{% endhint %}

1. Log into Data Catalog:

{% embed url="<https://pdc.pentaho.lab>" %}

Username: <hugo.reilly@adventureworks.com> or <james.lock@adventureworks.com>

Password: Welcome123!

{% tabs %}
{% tab title="1. Sales Community" %}
{% hint style="info" %}

#### Sales Community

Let's start by defining our Sales Community.
{% endhint %}

{% tabs %}
{% tab title="1. Create AW Sales connection" %}
{% hint style="info" %}

#### AdventureWorks - Sales

**Sales Schema Data Source Creation**

When connecting to the AdventureWorks2022 database, administrators would create a dedicated "mssql:adventureworks2022-Sales" data source. During the "Ingest Schemas" process, click Ingest Schema and select the following schemas:

* Sales - Orders, customers, territories, sales performance
* Person - Contact information, addresses, demographics

and then click Ingest Schemas.
{% endhint %}

1. Click: Management in the left navigation menu.
2. Create a connection to: adventureworks2022 database with the following settings:

<table><thead><tr><th width="226">Field</th><th>Setting</th></tr></thead><tbody><tr><td>Data Source Name</td><td>mssql:adventureworks2022-sales</td></tr><tr><td>Data Source ID</td><td>Leave Blank to autogenerate ID</td></tr><tr><td>Description</td><td>AW DW: Sales + Person schemas only.</td></tr><tr><td>Data Source Type</td><td>Microsoft SQL Server</td></tr><tr><td>Affinity</td><td>Default</td></tr><tr><td>Configuration Method</td><td><strong>URI</strong></td></tr><tr><td>   Username</td><td>sa</td></tr><tr><td>   Password</td><td>StrongPassword123</td></tr><tr><td>   URI</td><td>jdbc:sqlserver://pdc.pentaho.lab:1433;databaseName=AdventureWorks2022;user=sa;password=StrongPassword123;encrypt=false</td></tr><tr><td>Driver</td><td>mssql-jdbc-13.2.0.jre11.jar*</td></tr><tr><td>Database Name</td><td>AdventureWorks2022</td></tr></tbody></table>

3. Select: Sales + Person schemas.

<figure><img src="/files/qSmYouvu0JPkjzwjw4HQ" alt=""><figcaption><p>Select Schemas</p></figcaption></figure>

4. Save: Data Source.
{% endtab %}

{% tab title="2. AW Sales Community" %}
{% hint style="info" %}

#### AW Sales Community

{% endhint %}

1. Click: Management in the left navigation menu.

<figure><img src="/files/jW3ny7tGqB4YVd3dIkwy" alt=""><figcaption><p>Users &#x26; Communities</p></figcaption></figure>

3. Click: Communities (Users & Communities tile).
4. Select: **AdventureWorks\_Sales\_Analytics** > Edit

<figure><img src="/files/nnDkBdxBEHHMGo14XWgz" alt=""><figcaption><p>Edit Sales Community</p></figcaption></figure>

5. Scroll down to Scope.

<figure><img src="/files/tvyaStuGgycsHH3oZxWP" alt=""><figcaption><p>AdventureWorks_Sales_Analysts scope</p></figcaption></figure>

6. Select: Data Sources & Click: +
7. Select: mssql:adventureworks2022-Sales & uncheck All

<figure><img src="/files/AiZYgs4p6dX6jo4OM6pb" alt=""><figcaption></figcaption></figure>

8. Click: Done & Save.

{% hint style="warning" %}
While you're here ..  Edit the Scope: Data Sources for AdventureWorks\_System\_Administrators from All to: mssql:adventureworks2022.

We've now set the Data Sources Scope for the Sales Analysts ..  we'll be back to set the others ..!!
{% endhint %}

9. Finally ..  test by logging in as:

   Username: <Sarah.Johnson@adventureworks.com>

   Password: Welcome123!

<figure><img src="/files/7tHFYHwhNHef81nYMMIK" alt=""><figcaption><p>Sales_Analysts</p></figcaption></figure>
{% endtab %}

{% tab title=" 3. Sales Analytics Community" %}
{% hint style="info" %}

#### Sales Analytics Community

Let's review the Adventure Works organization to make sure the Sales business unit users have the required permissions & scope to access the Data Catalog assets:
{% endhint %}

<figure><img src="/files/KipxDzwdCfWd3ifwPMJI" alt=""><figcaption><p>Adventure Works Organization</p></figcaption></figure>

{% hint style="info" %}
At the moment we have cross-domain teams managing the various business units' assets. However, we need to start restricting the scope:

When a Sales Analyst - Sarah.Johnson - in the AdventureWorks\_Sales\_Analytics Community logs into Data Catalog, they see only a sales-focused environment.

They can analyze customer purchase patterns using Sales.SalesOrderHeader and Sales.Customer tables, but cannot access employee salary data from HumanResources.Employee or manufacturing costs from Production.ProductCostHistory.

When searching for "customer," they only see sales-related customer data, not HR employee records.

When applying data classification, they see tags relevant to sales operations like "Customer PII," "Sales Sensitive," or "Territory Confidential," but not manufacturing tags like "Trade Secret" or "Production Cost."
{% endhint %}

<table><thead><tr><th width="358">Community</th><th width="107">Schema</th><th width="165">PDC Default Role</th><th width="308">Description</th><th width="149">Users</th></tr></thead><tbody><tr><td>AdventureWorks_Data_Governance_Council</td><td>All</td><td>Data Steward </td><td>Cross-domain data stewardship and governance oversight.</td><td>elena.rodriguez</td></tr><tr><td>AdventureWorks_System_Administrators</td><td>All</td><td><strong>All the Roles</strong></td><td>Full Data Catalog administrative capabilities for system management.</td><td>james.lock</td></tr><tr><td>AdventureWorks_Datasource_Administrators</td><td>All</td><td>Data Storage Administrator</td><td>Adventure Works data source administrators.</td><td>hugo.reilly david.park</td></tr><tr><td>AdventureWorks_Sales_Analytics</td><td>Sales + Person</td><td>Data User</td><td>Sales team data analysis and customer insights.</td><td>sarah.johnson</td></tr><tr><td>AdventureWorks_Compliance_Officers</td><td>All</td><td>Business Steward</td><td>Regulatory compliance monitoring and audit management.</td><td>david.park</td></tr><tr><td>AdventureWorks_HR_Specialist</td><td>HumanResources</td><td>Business User</td><td>HR Specialist</td><td>michael.chen</td></tr></tbody></table>
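To write down the expected result before the login test as Sarah.Johnson, here is a small Python model of the scope design, added as an example (it is not PDC code and not part of the workshop). The dictionaries restate the Scope Configuration list and the table above, with System Administrators already narrowed to `mssql:adventureworks2022`; treating a user's visibility as the union of their Communities' scopes is an assumption, not documented PDC behaviour.

```python
"""Added example: expected-visibility model for the workshop's scope design."""

# Schemas ingested per data source (from the Scope Configuration list).
DATA_SOURCES = {
    "mssql:adventureworks2022-Sales": {"Sales", "Person"},
    "mssql:adventureworks2022-HR": {"HumanResources", "Person"},
    "mssql:adventureworks2022": {"Sales", "Person", "HumanResources",
                                 "Production", "Purchasing"},
}
ALL = "*"  # stands for a Data Sources scope left at "All"

# Community -> (scoped data sources, members), from the table above.
COMMUNITIES = {
    "AdventureWorks_Sales_Analytics": (["mssql:adventureworks2022-Sales"], ["sarah.johnson"]),
    "AdventureWorks_HR_Specialist": (["mssql:adventureworks2022-HR"], ["michael.chen"]),
    "AdventureWorks_System_Administrators": (["mssql:adventureworks2022"], ["james.lock"]),
    "AdventureWorks_Datasource_Administrators": ([ALL], ["hugo.reilly", "david.park"]),
    "AdventureWorks_Compliance_Officers": ([ALL], ["david.park"]),
    "AdventureWorks_Data_Governance_Council": ([ALL], ["elena.rodriguez"]),
}


def visible_schemas(user):
    """Union of schemas over every Community the user belongs to (assumed)."""
    schemas = set()
    for sources, members in COMMUNITIES.values():
        if user.lower() not in members:
            continue  # users in no Community end up with an empty set
        names = DATA_SOURCES if ALL in sources else sources
        for name in names:
            schemas |= DATA_SOURCES[name]
    return schemas


def expected_access(user, tables):
    """Map each schema-qualified table to True (visible) or False (hidden)."""
    allowed = visible_schemas(user)
    return {t: t.split(".", 1)[0] in allowed for t in tables}


def still_unrestricted():
    """Communities whose Data Sources scope is still 'All'."""
    return sorted(c for c, (sources, _) in COMMUNITIES.items() if ALL in sources)


if __name__ == "__main__":
    checks = ["Sales.SalesOrderHeader", "Sales.Customer",
              "HumanResources.Employee", "Production.ProductCostHistory"]
    for user in ("Sarah.Johnson", "michael.chen"):
        print(user, expected_access(user, checks))
    print("Scope still All:", still_unrestricted())
```

Compare the printed map with what each test user actually sees after logging in. Both data sources in this workshop connect as `sa`, so the restriction modelled here exists only in Data Catalog's scope settings, not in SQL Server permissions.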
{% endtab %}
{% endtabs %}
{% endtab %}

{% tab title="2. HR Community" %}
{% hint style="info" %}

#### HR Community

Let's move on and repeat the workflow to create an HR Community.
{% endhint %}

{% tabs %}
{% tab title="1. Create AW HR connection" %}
{% hint style="info" %}

#### AdventureWorks - HR

**HR Schema Data Source Creation**

When connecting to the AdventureWorks2022 database, administrators would create a dedicated "mssql:adventureworks2022-HR" data source. During the "Ingest Schemas" process, click Ingest Schema and select the following schemas:

* HumanResources - Employee data, departments, payroll information
* Person - Contact information, addresses, demographics

and then click Ingest Schemas.
{% endhint %}

1. Click: Management in the left navigation menu.
2. Create a connection to: adventureworks2022 database with the following settings:

<table><thead><tr><th width="226">Field</th><th>Setting</th></tr></thead><tbody><tr><td>Data Source Name</td><td>mssql:adventureworks2022-HR</td></tr><tr><td>Data Source ID</td><td>Leave Blank to autogenerate ID</td></tr><tr><td>Description</td><td>AW DW: HumanResources + Person schemas only.</td></tr><tr><td>Data Source Type</td><td>Microsoft SQL Server</td></tr><tr><td>Affinity</td><td>Default</td></tr><tr><td>Configuration Method</td><td><strong>URI</strong></td></tr><tr><td>   Username</td><td>sa</td></tr><tr><td>   Password</td><td>StrongPassword123</td></tr><tr><td>   URI</td><td>jdbc:sqlserver://pdc.pentaho.lab:1433;databaseName=AdventureWorks2022;user=sa;password=StrongPassword123;encrypt=false</td></tr><tr><td>Driver</td><td>mssql-jdbc-13.2.0.jre11.jar*</td></tr><tr><td>Database Name</td><td>AdventureWorks2022</td></tr></tbody></table>

3. Select: HumanResources + Person schemas.

<figure><img src="/files/QAF2M4lJb5YSjfEcMEcd" alt=""><figcaption><p>Select Schemas</p></figcaption></figure>

4. Save: Data Source.
{% endtab %}

{% tab title="2. AW HR Community" %}
{% hint style="info" %}

#### AW HR Community

{% endhint %}

1. Click: Management in the left navigation menu.

<figure><img src="/files/jW3ny7tGqB4YVd3dIkwy" alt=""><figcaption><p>Users &#x26; Communities</p></figcaption></figure>

3. Click: Communities (Users & Communities tile).
4. Select: **AdventureWorks\_HR\_Specialist** > Edit.

<figure><img src="/files/2zisOvmZAqw2RfXs5tiE" alt=""><figcaption><p>Edit HR Community</p></figcaption></figure>

5. Scroll down to Scope.

<figure><img src="/files/tvyaStuGgycsHH3oZxWP" alt=""><figcaption><p>AdventureWorks_Sales_Analysts scope</p></figcaption></figure>

6. Select: Data Sources & Click: +
7. Select: mssql:adventureworks2022-HR & uncheck All

<figure><img src="/files/AiZYgs4p6dX6jo4OM6pb" alt=""><figcaption></figcaption></figure>

8. Click: Done & Save.

{% hint style="warning" %}
While you're here ..  Edit the Scope: Data Sources for AdventureWorks\_System\_Administrators from All to: mssql:adventureworks2022.

We've now set the Data Sources Scope for the HR Specialists ..  we'll be back to set the others ..!!
{% endhint %}

9. Finally ..  test by logging in as:

   Username: <michael.chen@adventureworks.com>

   Password: Welcome123!

{% endtab %}
{% endtabs %}
{% endtab %}

{% tab title="3. Other Communities" %}
{% hint style="info" %}

#### Other Communities

* **Production**: Products, inventory, manufacturing processes
* **Purchasing**: Vendors, purchase orders, procurement data
{% endhint %}

{% endtab %}
{% endtabs %}


