DFS Permissions
DFS access is controlled by tenant access, RBAC permissions, and package gates. Ask the tenant administrator or project administrator to grant the required access before starting connector or dataset work.
DFS permissions
| Permission | Enables |
|---|---|
dfs:read | View connectors, mappings, quality, sync history, datasets, methods, fusion tasks, review items, audit logs, and metrics. |
dfs:write | Create and update connectors, mappings, datasets, methods, fusion tasks, review actions, and reprocess actions. |
dfs:delete | Delete connectors, mappings, datasets, methods, and fusion tasks where deletion is allowed. |
Use the narrowest permission set that matches the user's role.
Typical role packages
| Role | Suggested access |
|---|---|
| Viewer | dfs:read |
| Connector operator | dfs:read, dfs:write |
| Data steward | dfs:read, dfs:write |
| Data administrator | dfs:read, dfs:write, dfs:delete |
| Reviewer | dfs:read, dfs:write for review actions |
DFS Pro package gate
DFS Pro pages are package-gated. The tenant needs the dfs-pro package enabled before users can access areas such as:
- Dataset Center;
- Method Library;
- Data Fusion;
- Governance Studio;
- Review Queue;
- Audit Trail;
- Metrics Dashboard.
If a user can open DFS Lite connectors but cannot open Dataset Center or Data Fusion, check the package gate before troubleshooting permissions.
DFS Pro BI permissions
DFS Pro BI has additional permissions.
| Permission | Enables |
|---|---|
bi.read | View report lists and reports. |
bi.write | Open designer and create or edit reports. |
bi.schedule | Manage report schedules. |
DFS Pro BI routes may also require the dfs-pro package.
Access troubleshooting
| Symptom | Check |
|---|---|
| Data Integration is hidden | Tenant access and navigation permissions. |
| Connectors are visible but Add Connector is blocked | dfs:write. |
| Delete action is hidden or rejected | dfs:delete. |
| Dataset Center is unavailable | dfs-pro package gate. |
| Review actions are blocked | dfs:write and reviewer role assignment. |
| BI report designer is unavailable | bi.write. |
| BI schedules are unavailable | bi.schedule. |
Security notes
- Grant write access only to users who can change source configuration, mappings, or reviewed data outputs.
- Grant delete access only to administrators or owners of the data integration workflow.
- Reviewers need enough source context to approve or reject data changes responsibly.
- Connector credentials should be handled through approved project secrets or credential management procedures.