User Management and Access Control
Complete guide to managing users, configuring access controls, and understanding permissions in Atlan.
How can I find all users in Atlan?
You must be an admin user to see the full user list. In the Admin centre open Users & Groups → Users to view, filter, and export all users in your workspace.
Can I change my access level as an admin to test member and guest permissions?
Changing your own admin role is risky because any background workflows or playbooks you own might fail. Instead, create separate member and guest test accounts (for example, with disposable email addresses) and use an incognito browser window to verify permissions.
How can a user with a member role query tables?
Give the member a persona or purpose that contains the necessary data access policies for the tables they need to query.
How do you become an admin for a connection?
Only an existing connection admin (or a workspace admin) can assign additional connection admins. Ask a current connection admin to add you via the connection sidebar or by editing the connector workflow.
Why do some assets have a lock or a request to get approval from an admin?
A member sees a lock icon when they're neither a connection admin nor part of any persona or purpose that permits asset changes. To gain edit rights, become a connection admin or be added to a suitable persona or purpose.
Which permissions take priority when policies have overlapping assets?
When more than one policy affects the same asset, Atlan applies the most restrictive rule. An explicit deny always overrides a permit. See How do I control access to metadata and data? for details.
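The precedence rule above, modelled as an added example (not Atlan's code or API; the Policy fields, persona names and asset names are constructed, and treating an action that no policy grants as denied is this example's assumption). It also lists assets where an allow is overridden by a deny, which is the case to look for when a user belongs to several personas.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Illustrative model only: the Policy fields, asset names and actions are
# constructed for this example and are not Atlan's API or schema.
@dataclass(frozen=True)
class Policy:
    name: str
    persona: str         # persona or purpose that carries the policy
    asset_pattern: str   # glob over a qualified asset name
    actions: frozenset   # e.g. {"read", "update"}
    effect: str          # "allow" or "deny"

def matching(policies, personas, asset, action):
    """Policies that apply to this user, asset and action."""
    return [p for p in policies
            if p.persona in personas and action in p.actions
            and fnmatchcase(asset, p.asset_pattern)]

def evaluate(policies, personas, asset, action):
    """Return (decision, deciding policy names) with deny-overrides."""
    hits = matching(policies, personas, asset, action)
    denies = [p.name for p in hits if p.effect == "deny"]
    if denies:
        return "deny", denies      # an explicit deny beats any allow
    allows = [p.name for p in hits if p.effect == "allow"]
    if allows:
        return "allow", allows
    return "deny", []              # assumption: no granting policy means denied

def overridden_allows(policies, personas, assets, action):
    """Assets where an allow exists but is overridden by a deny."""
    out = []
    for asset in assets:
        effects = {p.effect for p in matching(policies, personas, asset, action)}
        if effects == {"allow", "deny"}:
            out.append(asset)
    return out

# Constructed sample: two personas whose policies overlap on one table.
RW = frozenset({"read", "update"})
POLICIES = [
    Policy("analysts-edit-sales", "Analysts", "snowflake/sales/*", RW, "allow"),
    Policy("contractors-no-pii", "Contractors", "snowflake/sales/customers_pii*", RW, "deny"),
    Policy("finance-read", "Finance", "snowflake/finance/*", frozenset({"read"}), "allow"),
]
ASSETS = ["snowflake/sales/orders", "snowflake/sales/customers_pii", "snowflake/finance/ledger"]
```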
Can I restrict business users to only view verified assets?
No. Access policies can currently target connections and tags but not certification status.
What's the default landing page for users with two or more personas?
After you set landing page preferences:
- If exactly one persona applies to the user, they land on that persona's configured page.
- If multiple personas apply and the "All assets" view is disabled, Atlan chooses the first persona alphabetically.
- If the "All assets" view is available, the default landing page is All assets.
Can I restrict metadata access to a subset of columns?
Yes. Create a metadata policy and, in the asset selector, drill down to choose only the columns that should be visible.
How's the atlan_user id used for authentication in Redshift?
Atlan connects via the Amazon Redshift JDBC driver, using the IAM credentials you configure. The atlan_user identifier is not used to log in; instead, Atlan attributes each query to the actual user in Redshift's logs.
Is the data for queries or sample preview masked in memory?
Yes. Atlan rewrites the SQL at run-time so that masked values (for example, via REPLACE) are returned directly from the source database; the unmasked data never reaches Atlan's memory.
Can users link terms to assets without glossary access?
Yes—provided their metadata policy allows them to add or remove terms. They can link terms from the asset sidebar even if they don't have edit rights on the glossary itself.
Why do I get permission denied when running an API request?
Add one or more personas to the API token so it can access the connection's assets. You can assign personas to a token in Admin → API authentication. For steps, see API authentication.
Does Atlan have a password policy?
Yes. Atlan enforces these minimum requirements:
- Minimum length: 12 characters
- Must include at least 1 digit
- Must include both lowercase and uppercase letters
- Must include at least 1 special character
Generated passwords expire after 90 days, and you can't reuse your last 5 passwords.
What assets can be transferred from a removed user and how?
Removing a user from Atlan and transferring ownership of their assets may entail one of the following actions or a combination thereof:
- Remove the user from a list of owners.
- Delete the associated asset.
- Transfer ownership of assets to a new user.
Category | Condition | Action |
---|---|---|
Persona | User is present | Remove user from the persona |
Purpose | User is present | Remove user from the purpose |
Owner metadata | Sole owner | Transfer ownership to transferee |
Owner metadata | Multiple owners | Remove user from owner metadata attribute |
Connection admin | Sole connection admin | Transfer role to transferee |
Connection admin | Multiple connection admins | Remove user from list of connection admins |
Query collection owner | If query collection is private | Delete query collection along with its folders and queries |
Query collection owner | If query collection is shared and user has view permissions | Remove user from query collection |
Query collection owner | If query collection is shared and user is sole owner | Transfer query collection to transferee |
Query collection owner | If query collection is shared and has multiple owners | Remove user from list of owners |
Query owner | If parent collection of the query is to be deleted | Delete the query |
Query owner | If parent collection of the query is not to be deleted and user is sole owner | Transfer ownership to transferee |
Query owner | If parent collection of the query is not to be deleted and query has multiple owners | Remove user from owner metadata of the query |
Starred assets | User is present in the starredBy attribute of an asset | Remove user from starredBy attribute |
API tokens | User has created API tokens | Delete all API tokens created by user |
SCIM tokens | User has created SCIM tokens | Delete all SCIM tokens created by user |
User-level integrations | User has created an integration with Jira, Slack, Teams, or more | Delete all user-level integrations |
Requests | User has submitted requests | Delete all requests from user |
Playbooks | One-time playbooks | No action |
Playbooks | Scheduled playbooks | If user is the creator of the playbook and playbook schedule, transfer playbook and schedule to transferee |
Workflows | One-time workflows | No action |
Workflows | Scheduled workflows | If user is the creator of the workflow and workflow schedule, transfer workflow and cron to transferee |
Scheduled queries | If results are shared with other users | Remove user from the list of query result recipients, transfer the workflow, cron, and parent collection to transferee, and remove deleted user from owner metadata in queries |
Scheduled queries | If results are not shared with other users | Delete the workflow |
Can I remove users if SSO or SCIM is enforced?
Yes, you can remove users irrespective of whether you're using basic authentication, SSO, or SCIM provisioning in Atlan.
Will the activity log include metadata updates made by a removed user?
The activity log will retain historical information on any metadata updates made by a removed user, logged under their username. This is crucial to maintain data integrity for auditing purposes.
Is it possible to reactivate a removed user?
No, it is not possible to reactivate a removed user. Since the user will be hard-deleted from Atlan, there will be no trace of the user in the identity system. Atlan maintains historical records of removed users for auditing purposes only. Whether you're using basic authentication, SSO, or SCIM provisioning, any returning user with the same username will be treated as a new user in Atlan.