Document Hub Permissions

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Customer Managed Applies to customer-managed instances of Alation

Available in public preview from Alation version 2024.1

Access and permissions for document hubs are determined by two factors:

To perform a given action, you must have a user role with rights to perform that action and you must have permission to perform that action on the specific object in question.

User Role

Your user role determines what actions you have rights to perform in general. In addition to having the required user role, you must also have permissions to each specific folder or document.

The table below explains which roles can perform which actions.


Viewer and Explorer

Steward, Composer, and Source Admin

Catalog Admin and Server Admin

View document hubs, folders, and documents

Create, edit, and delete documents

Modify document permissions

Add and remove documents from folders

Edit and delete folders

Modify folder permissions

Create folders

Create, edit, publish, and unpublish document hubs

Permissions for Individual Documents and Folders

The permission settings on individual documents and folders determine whether you can access a particular document or folder within a document hub. By default, documents and folders are accessible to everyone. Document hubs themselves are always visible to all users of the catalog, as long as they are published.

Permission Types

Documents and folders have two permission types:

  • View permission allows you to:

    • See the document or folder anywhere it appears in Alation.

  • Edit permission allows you to:

    • Edit title, description, and custom fields.

    • Modify permissions for the document or folder.

    • Delete the document or folder.

    • Add and remove documents from a folder.

In addition to having the required permissions, you must also have the required user role to perform an action. For example, you may be given edit permission to a folder, but if you only have the Viewer role, you still won’t be able to edit the folder.

Inherited Permissions

Documents inherit permissions from their parent folder by default. You can control access to a folder and all its documents by setting permissions on the folder. You can also set permissions on each document individually. Document permissions override folder permissions.

If a document belongs to more than one folder, and the document is set to inherit permissions from its parent folders, the document will use the permissions that are more restrictive for the user who’s attempting to access it.

For example, let’s say a document belongs to both Folder A and Folder B, and the document is set to inherit permissions. A user is granted edit permissions to Folder A and view permissions to Folder B. The user will only have view permissions to the document.

Custom Field Permissions

Permissions for custom fields are separate from permissions for documents and folders. Granting a user edit permissions to a document doesn’t necessarily mean they have edit permissions on a custom field that’s associated with the document template. The user must have edit permissions for both the document and the custom field in order to edit the custom field’s value. Similar logic applies to view permissions.

Permanent Permissions

Catalog Admins and Server Admins always have both view and edit permissions for all folders and documents.

The creator of a folder or document is considered its owner and always has both view and edit permissions to it.


The access settings dialog may not stop you from removing access from Catalog Admins, Server Admins, or the object’s creator. However, even though they appear to be removed, their access remains unchanged. Next time you open the access settings dialog, they will still be listed as having access.