Script to set permissions

Has anyone got any python script they could share to set permissions on tables for specific groups automatically once they have been loaded via TQL? 

15 replies
  • You mean to sit on top of the community tools scripts? Those will set the membership, but you have to run them manually. I agree though, this is a prime automation opportunity to wrap around that - just haven't had the chance to do it yet!

  • Callie Cobbs yeah like an enhancement to the community tools 

    just an extra command you run after you run the create ddl scripts in TQL would be enough 

  • Gotcha. I was thinking a little broader - maybe an input to put in new users to onboard, select which groups to add/create new, generate the current user file, automatically update it, and then run the command to add.

  • Callie Cobbs I use AD Sync for users, which will create the user if they don't already exist and assign them to an existing group, or create the group if it doesn't exist already. 

    It's just the granting of table access to groups that I need to automate. 

  • Marc Price Makes sense! I am waiting to do a full sync until we are rolled out to a broader (all employees) audience just so I don't clutter my user list for now. 

  • Callie Cobbs I have created specific AD groups for TS use-cases, so only add people who I want to give access to, but still authenticate with LDAP 

  • Hey Marc Price I think I might have a python script that can help you.  This script will allow you to share a single table with a group or an entire database of tables with a group.  The script requires quite a few arguments to work.  You can execute "python --help" to get the list of all required arguments.  But here is a sample usage of the script:

    python -i https://<ip> -u <user> -p <password> -g <group_name> -r <permission_type> -d <database_name> -t <table_name>

    the options for permission type are "view", "edit", or "remove"

    I also have a version of this script that uses a hardcoded encrypted username and password in case you have users that have TQL access but you don't want to also give them frontend admin access.  

  • Tyler Spencer , thank you very much for this, I will take a look into it! 

  • Tyler Spencer works perfectly. 

    you can leave the -t option out and it will share with all tables in the schema: 

    Table(s) successfully shared with group

  • sorry me again, could you send me a copy of the encrypted username/password version? 

  • Tyler Spencer do you think this could be tweaked to share at the worksheet level or even just the pinboard level? And what about for sharing with individuals vs groups? Just thinking through our options on how we are going to lay out our security automation.

  • Glad you like it Marc Price .  Yeah leaving out -t will share all tables in a given database.  Schema will be 'falcon_default_schema' if not otherwise specified using -s.  

    here's the version that uses an encrypted username and password.  It is used the same way except you don't need to give the -u and -p arguments.  

    you will initially need to set up the script by modifying the username and password variables on lines 24 and 25.  The values for your username and password can be encrypted using the script.  Copy/paste the outputs of that script into lines 24 and 25

    To use the encrypt script type: "python -i <text>".  Check out the image for examples.

    Let me know if you run into issues with this.

  • Callie Cobbs I do have a version of the script that will share specific object types with a group.  It would be relatively easy to modify that to share with a user instead if necessary.


    here is sample usage of that script:

    python -i https://<ip> -u <username> -p <password> -g <group> -o <object_type> -r <permission_type>


    to get a list of all possible values for object and permission type you can execute:

    python --help


    note that this script will share ALL of the objects in the specified class with the group.  I.e. if you type "-o pinboard" then every pinboard in the system (except for system pinboards) will be shared.

  • Tyler Spencer Thanks, Tyler! I was thinking something at a more granular level. Ex. I have a labor pinboard that I only want to share with certain people. Is it possible to interact at an answer/pinboard/worksheet level with the APIs? It's okay if you don't have an example, just trying to understand the art of the possible.

  • absolutely - we can get more granular and send single pinboards/worksheets/etc to a group or user.  My script looks up all the GUIDs of an object class but if you wanted to pass a single predefined GUID then that's doable.  I don't have an example though unfortunately.  

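An added example of the single-GUID sharing discussed in the last replies; it is not code from the thread or from the scripts shared in it. It builds the form fields for one share call without sending anything, and reads credentials from the environment instead of `-p` or constants in the script. The endpoint path, field names, type names and `shareMode` values are assumptions about ThoughtSpot's v1 REST API that the thread does not show, and the `TS_USERNAME`/`TS_PASSWORD` names and sample GUIDs are constructed.

```python
import json
import os

# Assumed mapping from the thread's -r values to v1 shareMode values.
SHARE_MODES = {"view": "READ_ONLY", "edit": "MODIFY", "remove": "NO_ACCESS"}
# Assumed v1 metadata type names for the object classes named in the thread.
OBJECT_TYPES = {"table": "LOGICAL_TABLE", "worksheet": "LOGICAL_TABLE",
                "pinboard": "PINBOARD_ANSWER_BOOK", "answer": "QUESTION_ANSWER_BOOK"}
SHARE_PATH = "/callosum/v1/tspublic/v1/security/share"  # assumed endpoint path


def build_share_request(base_url, principal_guid, object_guids, object_type, permission):
    """Return (url, form_fields) for one share call; nothing is sent."""
    if not base_url.startswith("https://"):
        raise ValueError("base URL must be https:// so the session is not sent in clear")
    if permission not in SHARE_MODES:
        raise ValueError(f"permission must be one of {sorted(SHARE_MODES)}")
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"object type must be one of {sorted(OBJECT_TYPES)}")
    guids = list(dict.fromkeys(object_guids))  # drop duplicates, keep order
    if not guids:
        # An empty list must never widen into "share every object of this class".
        raise ValueError("at least one object GUID is required")
    grant = {"permissions": {principal_guid: {"shareMode": SHARE_MODES[permission]}}}
    form = {"type": OBJECT_TYPES[object_type],
            "id": json.dumps(guids),
            "permission": json.dumps(grant)}
    return base_url.rstrip("/") + SHARE_PATH, form


def load_credentials(env=None):
    """Read the service account from the environment (hypothetical variable names)."""
    env = os.environ if env is None else env
    missing = [name for name in ("TS_USERNAME", "TS_PASSWORD") if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return env["TS_USERNAME"], env["TS_PASSWORD"]


if __name__ == "__main__":
    # Constructed GUIDs: one pinboard shared read-only with one group.
    url, form = build_share_request("https://ts.example.test", "group-guid-0001",
                                    ["pinboard-guid-0001"], "pinboard", "view")
    print(url)
    print(json.dumps(form, indent=2))
```

The principal GUID can belong to a group or to a single user, which covers the group-versus-individual question raised above.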