hdygxsj commented on code in PR #9035:
URL: https://github.com/apache/gravitino/pull/9035#discussion_r2501844155


##########
docs/security/access-control.md:
##########
@@ -264,6 +265,13 @@ DENY `WRITE_FILESET` won‘t deny the `READ_FILESET` 
operation if the user has t
 | CREATE_MODEL_VERSION | Metalake, Catalog, Schema, Model | Create a model 
version                                             |
 | USE_MODEL            | Metalake, Catalog, Schema, Model | View the metadata 
of the model and download all the model versions |
 
+### Tag privileges
+
+| Name       | Supports Securable Object | Operation    |
+|------------|---------------------------|--------------|
+| CREATE_TAG | Metalake                  | Create a tag |
+| APPLY_TAG  | Metalake, Tag             | Apply a tag  |
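
Review bot: The new "Tag privileges" table lists only `CREATE_TAG` and `APPLY_TAG`, so the section never says which privilege, if any, controls who can view or list a tag. Add a row or a sentence under the table stating whether tags are visible to every user in the metalake or require a grant. The `APPLY_TAG` row's operation text, "Apply a tag", would also be clearer if it said whether the grant on the Metalake or Tag is sufficient by itself or whether a privilege on the object being tagged is needed as well.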

Review Comment:
   > > Do we need to add a `BROWSE` privilege?
   > 
   > That’s one approach, but it creates a challenge for managers or data 
governance personnel: if I want everyone to see certain tags—such as “No 
Modifications Allowed,” “No Access Allowed,” “Core Table,” or “Critical 
Table”—I’d have to grant permissions individually, which would be cumbersome 
and inefficient.
   
   Take that back—I forgot that this privilege can be assigned to a group or 
role. Maybe this is actually a good idea.
   


