Dear DataHub Team. I have a question about RBAC/fine-based access control. Demo above ^^^ shows some UI scenarios of denied access and Authorizer component, explained here . The question is: are GMS REST and GraphQL calls also filtered by access policies, or it is only applied to UI part?

GraphQL - Yes GMS Rest.li - TBD, but currently no. This is because going forward we will be trying to treat GraphQL as the official public API of DataHub. Ideally, we'll get to a state where the GMS REST.LI APIs are no longer necessary and can be system internal. So to answer your final question directly: The idea is that it applies beyond the UI to the API layer itself

Thanks @big-carpet-38439, it explains ideally. As a side note, as long as we are talking about GraphQL main API, if allowed, just want to advice: the issue with doc here https://datahubproject.io/docs/datahub-gms-graphql-service#query-dataset is that it does not exemplifies how to achieve the things like

/relationships

and versioned aspects (https://datahubproject.io/docs/metadata-service#get-a-versioned-aspect). Do you have a plans to update doc in this case?

Yes - this doc is unfortunately quite out of date. We do have plans to add much richer documentation