Skip to main content
New

Improved access capabilities: separate delete from write/run

Related products:API and SDKsFunctionsAuthentication and Access ManagementAtlas AI
  • October 28, 2025
  • 3 replies
  • 32 views
Markus Pettersen
MVP

There are some instances were we would like to have greater control of deletes such as with functions, and Atlas AI agents. When a user gets access to create or run the access is global, but so is also the access to delete.

Sometimes we want to give a user access to create without giving them the access to delete everything that anyone else has worked on.

Take functions for example, the access to trigger a function is the “write” capability which is the same capability you need in order to delete, and when this is globally scoped it becomes a security concern. This again limits how we are able to work with these features as we would like to limit the impact an individual can have on parts of CDF they don’t work with.

 

Markus Pettersen
Aker BP - Data Platform Architect

3 replies

Jørgen Lund
Seasoned Practitioner
Forum|alt.badge.img
  • Jørgen Lund
  • Product Manager
  • October 29, 2025

Hi ​@Markus Pettersen!

Thank you for suggesting this product idea. This is a very understandable concern. 

In a scenario where you’d be able to: 

  • have a dedicated call access capability where meaningful (e.g. functions, transformations, agents, etc.), separating calling/running from creating/updating/deleting (write)
  • always scope access to instances, through a concept like data sets or similar, meaning you would be able to scope read/write/call access for a group of users to a specific set of instances

Do you still believe you’d require separate create/update and delete capabilites? 

    Markus Pettersen
    MVP

    A dedicated call where applicable would mitigate a lot of our concerns (it should be scoped to dataset/space etc.)

    If the write access was scoped and not global then having write and delete coupled would not be as much of a concern. The global scope is a bigger issue. Having them separate would still be nice, but not a necessity.

      Jørgen Lund
      Seasoned Practitioner
      Forum|alt.badge.img
      • Jørgen Lund
      • Product Manager
      • October 29, 2025

      Thanks ​@Markus Pettersen. We’re working on multiple initiatives that are relevant here. In general, what you’re describing sounds very aligned with what we’re planning. We can provide an update once our plans and timelines are more clear.

        Terms & ConditionsCookie SettingsAccessibility statement