DFS Permissions
DFS access is controlled by tenant access, RBAC permissions, and package gates. Ask the tenant administrator or project administrator to grant the required access before starting connector or dataset work.
Permission selection flow
DFS permissions
| Permission | Enables |
|---|---|
dfs:read | View connectors, mappings, quality, sync history, datasets, methods, fusion tasks, review items, audit logs, and metrics. |
dfs:write | Create and update connectors, mappings, datasets, methods, fusion tasks, review actions, and reprocess actions. |
dfs:delete | Delete connectors, mappings, datasets, methods, and fusion tasks where deletion is allowed. |
Use the narrowest permission set that matches the user's role.
Access request package
When requesting access, include:
| Field | Example |
|---|---|
| User role | Viewer, connector operator, data steward, reviewer, or administrator. |
| Workflow | Connector setup, mapping review, dataset validation, BI report editing, or rejected-row review. |
| Tenant and project | The tenant, site, or project boundary where access is needed. |
| Package gate | Whether DFS Lite only, DFS Pro, or DFS Pro BI is required. |
| Approval owner | Project administrator, tenant administrator, data steward, or report owner. |
Typical role packages
| Role | Suggested access |
|---|---|
| Viewer | dfs:read |
| Connector operator | dfs:read, dfs:write |
| Data steward | dfs:read, dfs:write |
| Data administrator | dfs:read, dfs:write, dfs:delete |
| Reviewer | dfs:read, dfs:write for review actions |
DFS Pro package gate
DFS Pro pages are package-gated. The tenant needs the dfs-pro package enabled before users can access areas such as:
- Dataset Center;
- Method Library;
- Data Fusion;
- MDM Reference Data;
- MDM Master Entities;
- MDM Steward Queue;
- Governance Studio;
- Review Queue;
- Audit Trail;
- Metrics Dashboard.
If a user can open DFS Lite connectors but cannot open Dataset Center or Data Fusion, check the package gate before troubleshooting permissions.
DFS Pro BI permissions
DFS Pro BI has additional permissions.
| Permission | Enables |
|---|---|
bi.read | View report lists and reports. |
bi.write | Open designer and create or edit reports. |
bi.schedule | Manage report schedules. |
DFS Pro BI routes may also require the dfs-pro package.
Access troubleshooting
| Symptom | Check |
|---|---|
| Data Integration is hidden | Tenant access and navigation permissions. |
| Connectors are visible but Add Connector is blocked | dfs:write. |
| Delete action is hidden or rejected | dfs:delete. |
| Dataset Center is unavailable | dfs-pro package gate. |
| Review actions are blocked | dfs:write and reviewer role assignment. |
| MDM structural actions are blocked | dfs:delete and steward or administrator responsibility. |
| BI report designer is unavailable | bi.write. |
| BI schedules are unavailable | bi.schedule. |
Security notes
- Grant write access only to users who can change source configuration, mappings, or reviewed data outputs.
- Grant delete access only to administrators or owners of the data integration workflow.
- Reviewers need enough source context to approve or reject data changes responsibly.
- Connector credentials should be handled through approved project secrets or credential management procedures.
Validation checklist
- User can see only the DFS areas needed for the role.
- DFS Pro routes are visible only when the package gate is enabled.
- BI designer and schedules match BI permissions.
- Review actions are available only to users responsible for data decisions.
- Access changes are recorded with requester, approver, tenant, and reason.