Manage store permissions
Marketplace stores can be either local to your Foundry enrollment or remote. A local Marketplace store can be found in either a Project or folder and will inherit the permissions of the Project or folder in which it is situated. Remote stores are created on one Foundry enrollment and then made available on other enrollments. Permissions for remote stores are configured in Control Panel.
View permissions
To view a local Marketplace store in either DevOps or Marketplace, you need to have the marketplace:read-local-marketplace operation, which is normally granted with the Viewer role. Viewer permissions for a remote store are configured in Control Panel.
Install product permissions
To install products from either a local or remote store, you must be able to view the store and have the marketplace:install-from-local-marketplace operation, which is normally granted with the Viewer role.
For every resource selected as an input to this installation, you must have the marketplace:use-resource-as-input operation, which is also normally granted with the Viewer role.
Additionally, the locations where you can install, typically the Space and Ontology, require the marketplace:install-in operation, which is usually granted with the Editor role.
With each installation, Marketplace will either create a new Project in the selected Space or install into an existing Project. To do this, you will need the marketplace:install-in operation on the Space, chosen Project, or Folder. This permission is typically granted with the Editor role.
You must also have access to at least one Organization Marking present on the store. However, access to the Project containing the store already requires access to one of the Organization Markings.
Create store permissions
To create a local store, you must have the marketplace:create-local-marketplace operation in a Project or folder, which is usually granted with the Editor role.
Currently, remote stores can only be created by Palantir.
Edit product permissions
To create or edit products in a local store, you must have the marketplace:create-block, marketplace:edit-block-set, and marketplace:upload-attachment operations, which will usually be granted to the Editor role.
Remote stores are not editable in DevOps.
Export product permissions
To export products from a local store, a user must have the marketplace:export-block-set operation, which will usually be granted to the Owner role. Currently, a user cannot export products from a remote store.
Import product permissions
To import products to a local store, a user must have the marketplace:import-blockset-with-provenance operation, which will usually be granted to the Owner role. Currently, a user cannot import products to a remote store.
Edit store tags permissions
To edit tags on a local store, a user must have the marketplace:edit-local-marketplace operation, which will usually be granted to the Editor role. Currently, users cannot edit tags on a remote store.
Organization Markings applied to a product creation
All resources packaged in a Marketplace product are marked with one or more Organization Markings, usually inherited from the Project in which the resources are stored. Similarly, a Marketplace store is marked with the Organization Markings of the Project in which it is stored.
If the product resources do not have the same Organization Markings as the Marketplace store, you must obtain Expand access permissions for those Organization Markings.
For example, let's say a Workshop application belongs to Organization A, and the store belongs to both Organization A and Organization B. The Expand access permission on Organization A is required to successfully package this Workshop application in the Marketplace store because you are extending the content from Organization A to Organization B.
If the product resources have Organization Markings that the Marketplace store does not have, you must obtain Remove permissions for those Organization Markings.
For example, imagine a Workshop application belongs to both Organization A and Organization B, and the store belongs only to Organization A. The Remove permission on Organization B is required to successfully package this Workshop application in the Marketplace store because you are removing (or unmarking) the Marking of Organization B.
Note: As a user, you might not be authorized to view all Organizations to which a resource belongs.
Organization Markings applied to a product installation
In general, a Marketplace store must include all relevant Organization Markings for the Spaces into which you want to install. This means that a local Marketplace store must be located in a Project with all relevant Organization Markings for the Spaces into which you want to install.
For instance, if a Marketplace store only has Organization A's Marking and you want to install products of the store into a Space containing both Organization A and Organization B, you must obtain Expand access permissions for Organization A at installation time because you are extending the content from Organization A to Organization B.
Note: During the installation, you can also opt to only apply Organization A's Markings to your product installation; this would eliminate the need for expanding access permissions.
Alternatively, you can add Organization B's Marking to the store, which would allow more users to install products from the store. For instance, if a Marketplace store has Markings from both Organization A and B, and you want to install products of the store into a Space containing only Organization A, no additional permissions are required. However, users with access to only Organization B will also be able to install products from this store.
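The Organization Marking rules for product creation and product installation described above can be checked ahead of time by comparing Marking sets. The following is an added example, not Foundry code or a Foundry API: the function and class names are hypothetical, and it assumes Expand access is needed on every Marking the source carries, which generalizes the page's single-Organization examples.

```python
# Added illustration: models only the Organization Marking rules stated on this page.
from dataclasses import dataclass, field


@dataclass
class MarkingCheck:
    expand_access: set = field(default_factory=set)  # Markings needing Expand access
    remove: set = field(default_factory=set)         # Markings needing Remove


def packaging_requirements(resource_orgs, store_orgs):
    """Marking permissions needed to package a resource into a store."""
    resource_orgs, store_orgs = set(resource_orgs), set(store_orgs)
    check = MarkingCheck()
    # The store reaches Organizations the resource does not: access widens.
    if store_orgs - resource_orgs:
        check.expand_access = set(resource_orgs)  # assumption: all source Markings
    # Markings on the resource that the store lacks are removed when packaging.
    check.remove = resource_orgs - store_orgs
    return check


def installation_requirements(store_orgs, space_orgs, apply_store_markings_only=False):
    """Marking permissions needed to install from a store into a Space."""
    store_orgs, space_orgs = set(store_orgs), set(space_orgs)
    check = MarkingCheck()
    # Opting to apply only the store's Markings avoids widening access.
    if not apply_store_markings_only and space_orgs - store_orgs:
        check.expand_access = set(store_orgs)
    # A store with more Markings than the Space needs nothing extra per the page.
    return check


def missing_grants(check, has_expand=(), has_remove=()):
    """Subtract the permissions a user already holds from what is required."""
    return MarkingCheck(check.expand_access - set(has_expand),
                        check.remove - set(has_remove))


if __name__ == "__main__":
    # Constructed scenarios mirroring the page's Organization A / B examples.
    print(packaging_requirements({"A"}, {"A", "B"}))
    print(packaging_requirements({"A", "B"}, {"A"}))
    print(installation_requirements({"A"}, {"A", "B"}))
    print(installation_requirements({"A", "B"}, {"A"}))
```

An empty result from `missing_grants` means the user holds every Marking permission the move requires under this model.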
Require approval for new product versions
Marketplace stores can be configured to require approval before new product versions are published. When enabled, an approver must review and approve each draft before a new release is finalized.
The approving user must be different from the author of the draft and must have the marketplace:finalize-block-set operation on the store. This operation is granted to store owners and editors by default. To customize the list of allowed approvers, use a custom role set.

Product creation and installation permissions
Multi-organization scenarios
In Foundry, moving a resource from one Project to another requires sufficient permission, which you have as the Owner of that resource. You will also need additional permission on the Marking(s) involved if the move would expand the set of Organizations that can access the resource after the move.
For example, let's say a resource is in Project A, which belongs to Organization A, and you want to move the resource to Project B, which belongs to both Organization A and Organization B. You must have the Expand access permission on the Organization A Marking. Expand access is an elevated permission that allows you to expand the access of resources (belonging to Organization A in our example) to other Organizations (like Organization B).
If a resource has a Marking indicating PII or other sensitive data, you must have the Remove Marking permission to remove that particular Marking.
If resources in Project A are packaged in a product stored in Project B, which is then installed in Project C, you must have sufficient permission(s) to both Expand Organization Markings and Remove additional Markings if any are present, since those Markings are removed during product movement.
Guidance on permission structure
To avoid friction during product creation, installation, and beyond, we recommend the following:
- Resources should initially be located in a Project belonging to a single Organization dedicated to packaging resources, without additional Markings.
- The user packaging the resources into a product must have the sufficient permissions listed above on this single Organization, which can be granted to a wider spectrum of users.
- Any Organizations expected to install products from a store should have access to the Space in which the Marketplace store Project is located. You can create a dedicated Space for this purpose and include the different Organizations that should have access to the store.
- The user installing the product will not require additional permission on the Organization Markings to perform installations.
This permission structure allows for any friction to occur at packaging time, allowing you to make necessary changes before the install process begins.