Skip to main content

Documentation Index

Fetch the complete documentation index at: https://backstage.spotify.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

What is Dataset Access?

The Dataset Access flow lets users request access to datasets directly from Portal, and lets dataset owners approve or deny those requests — all without leaving Portal.
Approving a request in Portal does not automatically grant permissions currently in the underlying data source (BigQuery, Snowflake, Redshift, etc.). The owner must grant access in the source system separately, and should do so before (or alongside) marking the request as approved in Portal.

Why Data Access?

The current state is meant to help users be able to streamline their data exploration and usage through a single point. Owners can be pinged directly through Portal so as to not require context switching Planned work will allow for owners to be able to also handle their data needs singularly through Portal

How it Works

The full flow looks like this:
  1. A user submits an access request from the dataset’s entity page in Portal.
  2. The dataset’s approver receives a Portal notification with request details.
  3. The approver approves or denies the request in Portal.
  4. The requester receives a Portal notification with the outcome.
  5. If approved, the owner grants access in the underlying data source manually.
The permissions granted are not standardized yet and are up to the owner and can be variable

Requesting Access

Any authenticated Portal user can request access to a dataset by navigating to the dataset’s entity page in the Software Catalog and clicking the Request Access link in the entity header. This opens the Request Dataset Access dialog where the submitter:
  1. Selects one or more users or groups who need access
  2. Provides a reason for access to help the dataset owner evaluate the request
A separate access request is created for each selected user or group. If a user or group already has a pending or approved request, that request will be skipped and the submitter is notified. Once submitted, the dataset’s approver (the owner by default) receives a Portal notification with the request details and a link to take action.

Approving or Denying a Request

The dataset owner receives a Portal notification containing:
  • The dataset name and source
  • Who submitted the request and who needs access
  • The justification provided
The notification includes an Open link that takes the owner directly to the dataset’s entity page with the approval dialog pre-loaded. From there, the owner selects Approved or Denied and optionally provides a reason. The requester then receives a Portal notification with the outcome.

Configuration

Disabling Access Requests for a Dataset

Access requests are enabled by default for all datasets that are in data registry and have a valid owner in the catalog. To disable the Request Access link for a specific dataset, add the following label to the entity: 
metadata:
  labels:
    data-registry/access-request-enabled: 'false'

Overriding the Approver

By default, access request notifications are sent to the dataset’s spec.owner. To route notifications to a different user or group, add the data-registry/override-approver label to the specific entity with the name (not the full entity ref) of a catalog User or Group entity: 
metadata:
  labels:
    data-registry/override-approver: my-data-platform-team
The override value is resolved first as a Group, then as a User. If no matching catalog entity is found for the override value, the system falls back to spec.owner.
If neither the owner nor the override approver resolves to a valid, existing catalog entity, the Request Access link is disabled for that dataset and users will not be able to submit requests.