From palantir-pack
Configure Palantir Foundry enterprise access control with project roles, markings, and service users. Use when implementing role-based access, configuring project permissions, or setting up service user accounts for Foundry integrations. Trigger with phrases like "palantir RBAC", "foundry roles", "palantir permissions", "foundry access control", "foundry service user".
npx claudepluginhub flight505/skill-forge --plugin palantir-packThis skill is limited to using the following tools:
Configure enterprise-grade access control in Foundry: project roles (Viewer/Editor/Owner), organization-level groups, service user accounts for integrations, and marking-based data classification.
Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Share bugs, ideas, or general feedback.
Configure enterprise-grade access control in Foundry: project roles (Viewer/Editor/Owner), organization-level groups, service user accounts for integrations, and marking-based data classification.
palantir-security-basics| Role | Permissions | Use Case |
|---|---|---|
| Viewer | Read datasets, view Ontology objects | Analysts, stakeholders |
| Editor | Read/write datasets, run builds | Data engineers, developers |
| Owner | Full control, manage members, configure | Project leads, admins |
Developer Console > Applications > New Application:
1. Name: "order-sync-service" (descriptive of function)
2. Type: Server application (client credentials flow)
3. Scopes: api:read-data, api:ontology-read (minimum needed)
4. Project access: Add as Editor on specific projects only
Result: client_id + client_secret (store in secrets manager)
# Define per-application scopes
APP_SCOPES = {
"dashboard-reader": ["api:read-data", "api:ontology-read"],
"data-sync-service": ["api:read-data", "api:write-data"],
"admin-tool": ["api:read-data", "api:write-data", "api:ontology-read", "api:ontology-write"],
}
def create_client_for_app(app_name: str) -> foundry.FoundryClient:
scopes = APP_SCOPES[app_name]
auth = foundry.ConfidentialClientAuth(
client_id=os.environ[f"{app_name.upper().replace('-','_')}_CLIENT_ID"],
client_secret=os.environ[f"{app_name.upper().replace('-','_')}_CLIENT_SECRET"],
hostname=os.environ["FOUNDRY_HOSTNAME"],
scopes=scopes,
)
auth.sign_in_as_service_user()
return foundry.FoundryClient(auth=auth, hostname=os.environ["FOUNDRY_HOSTNAME"])
Organization Groups (manage in Foundry Admin):
├── data-engineering → Editor on pipeline projects
├── data-science → Viewer on pipeline, Editor on ML projects
├── business-analysts → Viewer on analytics projects
├── external-partners → Viewer on shared datasets only
└── platform-admins → Owner on all projects
Principle: Users inherit access from groups.
Never assign project roles to individual users.
def audit_service_user_access(client):
"""Check what the current service user can actually access."""
accessible = {"ontologies": [], "datasets": []}
try:
for ont in client.ontologies.Ontology.list():
accessible["ontologies"].append(ont.api_name)
except foundry.ApiError:
pass
print(f"Accessible ontologies: {accessible['ontologies']}")
return accessible
| Access Issue | Symptom | Fix |
|---|---|---|
| 403 on dataset read | Not a project member | Add user/group as Viewer |
| 403 on Ontology | Missing scope | Add api:ontology-read to app |
| Cannot see marked columns | Missing marking access | Grant marking to group |
| Service user sees everything | Over-scoped | Reduce to minimum scopes |
For incident response, see palantir-incident-runbook.