From palantir-pack
Configures Palantir Foundry RBAC with project roles, organization groups, service users, and data markings for enterprise access control.
Install: `npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin palantir-pack`
Configure enterprise-grade access control in Foundry: project roles (Viewer/Editor/Owner), organization-level groups, service user accounts for integrations, and marking-based data classification.
Project roles:

| Role | Permissions | Use Case |
|---|---|---|
| Viewer | Read datasets, view Ontology objects | Analysts, stakeholders |
| Editor | Read/write datasets, run builds | Data engineers, developers |
| Owner | Full control, manage members, configure | Project leads, admins |
Developer Console > Applications > New Application:
1. Name: "order-sync-service" (descriptive of function)
2. Type: Server application (client credentials flow)
3. Scopes: api:read-data, api:ontology-read (minimum needed)
4. Project access: Add as Editor on specific projects only
Result: client_id + client_secret (store in secrets manager)
```python
import os

import foundry  # Foundry Python SDK

# Define per-application scopes: each service user gets only what its job needs
APP_SCOPES = {
    "dashboard-reader": ["api:read-data", "api:ontology-read"],
    "data-sync-service": ["api:read-data", "api:write-data"],
    "admin-tool": ["api:read-data", "api:write-data", "api:ontology-read", "api:ontology-write"],
}


def create_client_for_app(app_name: str) -> foundry.FoundryClient:
    """Build a client for one app, reading its credentials from the environment."""
    scopes = APP_SCOPES[app_name]
    env_prefix = app_name.upper().replace("-", "_")  # e.g. DASHBOARD_READER_CLIENT_ID
    auth = foundry.ConfidentialClientAuth(
        client_id=os.environ[f"{env_prefix}_CLIENT_ID"],
        client_secret=os.environ[f"{env_prefix}_CLIENT_SECRET"],
        hostname=os.environ["FOUNDRY_HOSTNAME"],
        scopes=scopes,
    )
    auth.sign_in_as_service_user()
    return foundry.FoundryClient(auth=auth, hostname=os.environ["FOUNDRY_HOSTNAME"])
```
Organization Groups (manage in Foundry Admin):
```text
├── data-engineering → Editor on pipeline projects
├── data-science → Viewer on pipeline, Editor on ML projects
├── business-analysts → Viewer on analytics projects
├── external-partners → Viewer on shared datasets only
└── platform-admins → Owner on all projects
```
Principle: Users inherit access from groups.
Never assign project roles to individual users.
```python
import foundry  # Foundry Python SDK


def audit_service_user_access(client: foundry.FoundryClient) -> dict:
    """Check what the current service user can actually access."""
    accessible = {"ontologies": [], "datasets": []}
    try:
        for ont in client.ontologies.Ontology.list():
            accessible["ontologies"].append(ont.api_name)
    except foundry.ApiError as exc:
        # Report the failure rather than swallowing it: a 403 here means the
        # ontology scope or the project membership is missing.
        print(f"Ontology listing failed: {exc}")
    print(f"Accessible ontologies: {accessible['ontologies']}")
    return accessible
```
| Access Issue | Symptom | Fix |
|---|---|---|
| 403 on dataset read | Not a project member | Add user/group as Viewer |
| 403 on Ontology | Missing scope | Add api:ontology-read to app |
| Cannot see marked columns | Missing marking access | Grant marking to group |
| Service user sees everything | Over-scoped | Reduce to minimum scopes |
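A static check that ties the group principle, the per-app scope map and the troubleshooting table together. This is an added example, not code from the skill or from Palantir: it runs over constructed member and scope data instead of live Foundry calls, and the `WRITERS` set (which apps are expected to write at all) is an assumed input.

```python
"""Review a Foundry project's access configuration for the misconfigurations
described above: direct user roles, Owner service users, over-scoped apps, and
write scopes paired with a read-only project role."""

READ_SCOPES = {"api:read-data", "api:ontology-read"}
WRITE_SCOPES = {"api:write-data", "api:ontology-write"}
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Owner": 2}

# Constructed sample: one project's members and the scopes each app requests.
PROJECT_MEMBERS = [
    {"principal": "data-engineering", "kind": "group", "role": "Editor"},
    {"principal": "alice@example.com", "kind": "user", "role": "Viewer"},
    {"principal": "order-sync-service", "kind": "service_user", "role": "Owner"},
    {"principal": "dashboard-reader", "kind": "service_user", "role": "Viewer"},
]
APP_SCOPES = {
    "dashboard-reader": ["api:read-data", "api:ontology-read", "api:write-data"],
    "order-sync-service": ["api:read-data", "api:write-data"],
}
# Assumed input: apps whose owners have declared a need to write.
WRITERS = {"order-sync-service"}


def review_access(members, app_scopes, writers):
    """Return sorted findings; an empty list means the configuration is clean."""
    findings = []
    roles = {m["principal"]: m["role"] for m in members}
    for m in members:
        if m["kind"] == "user":
            findings.append(f"direct-user-role: {m['principal']} holds {m['role']} "
                            "directly; grant it through a group instead")
        elif m["kind"] == "service_user" and m["role"] == "Owner":
            findings.append(f"service-user-owner: {m['principal']} should be "
                            "Editor at most")
    for app, scopes in app_scopes.items():
        requested = set(scopes)
        allowed = READ_SCOPES | (WRITE_SCOPES if app in writers else set())
        extra = sorted(requested - allowed)
        if extra:
            findings.append(f"over-scoped: {app} requests {extra} beyond its job")
        # A write scope without at least Editor on the project surfaces as a 403.
        role = roles.get(app, "no")
        if requested & WRITE_SCOPES and ROLE_RANK.get(role, 0) < ROLE_RANK["Editor"]:
            findings.append(f"role-scope-mismatch: {app} has write scopes but "
                            f"{role} role on the project")
    return sorted(findings)


if __name__ == "__main__":
    for line in review_access(PROJECT_MEMBERS, APP_SCOPES, WRITERS):
        print(line)
```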
For incident response, see palantir-incident-runbook.