Apache Atlas in Cloudera
    uses Apache Ranger policies to control access to metadata that are managed by Atlas. Ranger
    policies also control access to Atlas administrative tasks.
    Ranger provides authorization to access the following metadata and operations:
    
      
        - Types
- Atlas "types" are the entity model definitions, whether provided in Atlas or added in
          your environment. Types include these "categories":
            - Entity
- Classification
- Relationship
- Business Metadata
- Struct
- Enum
 
- Ranger authorization allows you to configure access for users and groups to perform the
          following operations on types:
- 
          
            - Create
- Update
- Delete
- Read
 
-  The policies can be configured to apply to one or more types or all types. For example,
          the Atlas administrator user has access to create, update, and delete all type categories
            (type-category *).
      
        - Entities
- Atlas "entities" are instances of entity types: entities represent assets and processes
          on your cluster. Ranger authorization allows you to configure access to users and groups
          to perform the following operations on entities:
            - Read
- Create
- Update
- Delete
- Read classification
- Add classification
- Update classification
- Remove classification
- Add label
- Remove label
- Update Business Metadata
 
- Note that the classification operations are those that involve associating a
          classification to an entity; operations on a classification definition are controlled by
          authorization on the classification category of type described previously. Use the
            entity authorization to give a user the ability to associate an existing
          classification with any entity (entity-type *); use the type
          authorization to give a user the ability to create new classifications
            (type-category classification).
- Policies for labels and business metadata work similarly to classifications: you can
          control whether users can add labels or business metadata to specific entity types,
          individual entities, or entities marked with specific classifications. For example, a
          default policy allows any authenticated user to update all business metadata for any
          entity types with any classifications and on any instances of entities
            (entity-type *, entity-classification *, entity-id *, entity-business-metadata
            *).
- Some Atlas features, such as saved searches, are modeled as entities. You can control
          access to these features using entity policies. For example, a default policy
          allows any authenticated user to save Atlas searches (entity-type
            __AtlasUserProfile, __AtlasUserSavedSearch).
      
        - Relationships
- Atlas "relationships" describe connections between two entities, including, but not
          limited to, the input and output relationships that are used to build lineage graphs.
          Ranger authorization allows you to configure access to users and groups to perform the
          following operations on relationships:
- 
          
            - Add relationship
- Update relationship
- Remove relationship
 
- These operations are required to build rich models among entities and are granted to
          administrative users and system users. Relationships cannot be updated by users through
          the Atlas UI. 
      
        - Admin operations
- Atlas administrative operations include:
            - Import entities
- Export entities
 
- These operations encompass all the privileges needed to create new and update existing
          entities. Typically, this access is granted to administrative users and system users such
          as RangerLookup and the Data Plane profiler user (DPProfiler).