Privileges: Global Settings
In this tab, you can configure several settings related to privileges.
The FILE Privilege
Some dialogs of the administration tool list the files of the host where the Virtual DataPort server runs. For example,
- In the JDBC data source dialog, when you click Browse to select the jar files of the JDBC driver.
- In DF, Excel, JSON and XML data sources, when you select a Local path and click Browse to select the file. This is the file that the Server will process when querying base views of this data source.
In these dialogs, the Tool lists the files of the Server - not the local ones - because they have to be files that the Server has access to.
The folders and files listed by these dialogs are limited by the file system permissions. That is, the Server, and therefore the Tool, can only list files that the user account with which you launch the Server has read privileges over.
The FILE privilege is a privilege you can grant to non-administrator users. This privilege provides a more fine-grained control over the files that the administration tool lists when creating/modifying data sources.
This privilege is disabled by default so you need to enable it before being able to grant it to any user. Follow these steps:
- Click the menu Administration > Server configuration.
- Click the tab Privileges.
- In the tab File Privilege, select Enable FILE privilege.
Before clicking Ok, decide whether you want to:
- Allow users with the FILE privilege to create data sources over any file: select Any directory of the file system.
- Or allow users with the FILE privilege to create data sources over files located only in certain directories: clear Any directory of the file system, click Add new directory and select the directory you want to allow access to. You can add as many directories as you want.
- Or prevent all non-administrator users from creating data sources over local files: clear the check box Any directory of the file system and do not add any directory.
When you enable this feature, only users with the privilege FILE will be able to browse through the file system of the host where you are connected.
Consider the following when enabling this feature:
- Non-administrator users that do not have this privilege will not be able to create any data source that involves accessing a file. That is:
  - Data sources configured to process files from the local file system. I.e. Excel, DF, JSON or XML data sources configured to use a file in the local file system.
  - JDBC data sources whose JDBC driver is not included with the Denodo Platform. The reason is that you have to provide its path and without the FILE privilege you do not have access to it.
  - Web service data sources whose WSDL file is in the local file system.
  - Custom wrappers with an input parameter of type “ROUTE” that points to a local file.
- This privilege does not affect the execution of the query. That is, a user can create and query base views over existing data sources, regardless of where the data is coming from and whether they have the FILE privilege or not.
- As with the other privileges (READ, WRITE, etc.), this one does not affect administrators either. Administrators can still browse through all the files that the user account of the Server allows.
- A user with the privilege FILE cannot create a DF, JSON or XML data source that points to a local path with an interpolation variable (e.g. /opt/denodo/customer_data/@VARIABLE/customer.xml is forbidden), unless the check box Any directory of the file system is selected.
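The rules above, once the FILE privilege is enabled, can be read as a small decision procedure. The following is an added example, not Denodo code or part of the original documentation: the function and parameter names are hypothetical, the variable syntax is inferred from the @VARIABLE example, and path normalization and subdirectory matching are assumptions of this sketch.

```python
import posixpath
import re

# Assumed variable syntax, inferred from the page's "@VARIABLE" example.
INTERPOLATION = re.compile(r"@\{?\w")

def check_local_path(path, *, is_admin, has_file, any_directory, allowed_dirs):
    """Model of the page's rules for creating a data source over a local
    file while the FILE privilege is enabled. Returns (allowed, reason).
    Hypothetical names; this is not Denodo's implementation."""
    if is_admin:
        return True, "administrators are not affected by the FILE privilege"
    if not has_file:
        return False, "user does not have the FILE privilege"
    if any_directory:
        return True, "'Any directory of the file system' is selected"
    if INTERPOLATION.search(path):
        # Rule from the page (stated there for DF, JSON and XML data sources).
        return False, "interpolation variable not allowed with a directory list"
    # Assumption of this sketch: compare normalized paths so "../" segments
    # cannot step outside a listed directory; subdirectories count as inside.
    norm = posixpath.normpath(path)
    for d in allowed_dirs:
        base = posixpath.normpath(d).rstrip("/")
        if norm == base or norm.startswith(base + "/"):
            return True, f"inside allowed directory {d}"
    # An empty directory list ends up here: no local files for non-admins.
    return False, "outside the allowed directories"

if __name__ == "__main__":
    dirs = ["/opt/denodo/customer_data"]  # constructed sample configuration
    samples = [  # constructed sample paths
        "/opt/denodo/customer_data/eu/customer.xml",
        "/opt/denodo/customer_data/@VARIABLE/customer.xml",
        "/opt/denodo/customer_data/../../../etc/passwd",
        "/opt/denodo/customer_data_old/customer.xml",
    ]
    for p in samples:
        ok, why = check_local_path(p, is_admin=False, has_file=True,
                                   any_directory=False, allowed_dirs=dirs)
        print(("ALLOW" if ok else "DENY "), p, "->", why)
```
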
Privileges of Users with the Role “serveradmin”
This section explains how to modify the behavior regarding the privileges of the users that connect to Virtual DataPort using:
- Kerberos authentication from a JDBC client or the administration tool
- Or login/password authentication, when they connect to a database with LDAP authentication and the user is not a local user (i.e. it is only registered in the Active Directory).
In these two cases, by default, the users with the role “serveradmin” can grant/revoke privileges to users and roles, including themselves. If you want to forbid this, clear the check box Allow LDAP roles with ‘admin’ credentials to manage privileges.