Authorization

The authorization system in the Data Catalog is based on roles, which represent a set of privileges granted to a user. Instead of assigning privileges directly to users, you assign privileges to roles and roles to users. This way, users with the same privileges will share the same role. When you want to change their privileges, you do not need to go user by user. You only change the privileges on the role they share and this change will affect all these users.

Although it may seem simple, using roles for modeling privileges is a powerful tool. You can assign several roles to a user, and she will be granted the union of all the privileges assigned to those roles. In the same way, you can define a role by composition of the privileges assigned to other roles: just assign a set of roles to another role and it will inherit their privileges.

In practice, to configure the privileges of your users, you have to follow these steps:

  1. Configure the set of roles assigned to a user in the system that manages your user accounts. The specifics of this configuration depend on your authentication method. Take into account that, when you configure the authentication in the Data Catalog, you need to specify how to validate the user credentials and how to extract the roles of an authenticated user. The roles may be retrieved by a search in an LDAP server, from a field of a SAML assertion, etc.

  2. Create the roles in the Virtual DataPort server you are going to connect to.

  3. Assign privileges to the roles, both in Virtual DataPort and in Data Catalog:

    • In Virtual DataPort you define which privileges a role has to access databases, views and web services. Data Catalog respects these privileges, so a user has the same access from Data Catalog as she has from every other Denodo product, like the Design Studio, the JDBC driver, etc.

      Note

      Take into account that the role inheritance is also configured in Virtual DataPort.

    • Any authenticated user in Data Catalog can browse, search and execute views or web services according to her privileges in Virtual DataPort. But there are other tasks a user can do in Data Catalog, like editing a view description, writing an endorsement or assigning a tag to a web service, for example. In the Configure the Permissions dialog you can define which tasks a role can do in Data Catalog.

Privileges on the Data Catalog

The privileges of a user determine which tasks she can do in the Data Catalog. They are classified in three major groups: catalog management, administration and collaboration.

The privileges you can assign from the catalog management group are:

  • Create/Delete categories. It allows a user to:

    • Create categories.

    • Delete categories.

    In addition, it implies the privileges Edit categories and Assign categories.

  • Edit categories. It allows a user to:

    • Edit the name of a category.

    • Edit the description of a category.

    • Edit the parent category of a category.

    In addition, it implies the privilege Assign categories.

  • Assign categories. It allows a user to assign categories to views or web services.

  • Create/Delete tags. It allows a user to:

    • Create tags.

    • Delete tags.

    In addition, it implies the privileges Edit tags and Assign tags.

  • Edit tags. It allows a user to:

    • Edit the name of a tag.

    • Edit the description of a tag.

    In addition, it implies the privilege Assign tags.

  • Assign tags. It allows a user to assign tags to views or web services.

  • Create/Delete custom elements. It allows a user to:

    • Create property groups.

    • Delete property groups.

    In addition, it implies the privileges Edit custom elements and Assign custom elements.

  • Edit custom elements. It allows a user to:

    • Edit the name, description and place to show of a property group.

    • Edit the name, description, type and default value of its properties.

    • Add and remove properties to the property group.

    In addition, it implies the privilege Assign custom elements.

  • Assign custom elements. It allows a user to assign property groups to databases, views or web services.

  • Edit elements. It allows a user to:

    • Edit the description of a database.

    • Edit the description of a view and its fields.

    • Edit the description of a web service and its fields.

    • Change the value of the custom properties assigned to databases, views and web services.
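To make the role model described at the top of this page concrete, here is a small Python model of its three rules: a user is granted the union of the privileges of all her roles, a role inherits the privileges of the roles assigned to it, and the Create/Delete and Edit privileges of the catalog management group imply the Edit and Assign privileges listed above. This is an added illustration, not Data Catalog or Denodo code; the privilege names and the default privilege lists of data_catalog_editor and data_catalog_classifier (defined later on this page) come from the page, while the catalog_curator role, the hr_staff role and the user assignments are constructed for the example.

```python
"""Toy model of the Data Catalog authorization rules: roles, role
composition and privilege implication.  Added illustration, not Denodo's
implementation; parts of the role catalog below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Implications stated in the catalog management group: granting the key
# privilege also grants the privileges in the set (and, transitively,
# whatever those imply).
IMPLIES: dict[str, set[str]] = {
    "Create/Delete categories": {"Edit categories", "Assign categories"},
    "Edit categories": {"Assign categories"},
    "Create/Delete tags": {"Edit tags", "Assign tags"},
    "Edit tags": {"Assign tags"},
    "Create/Delete custom elements": {"Edit custom elements", "Assign custom elements"},
    "Edit custom elements": {"Assign custom elements"},
}


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset[str] = frozenset()  # granted directly on this role
    inherits: frozenset[str] = frozenset()    # roles assigned to this role


def expand_implied(privileges: set[str]) -> set[str]:
    """Close a privilege set under IMPLIES, following chains transitively."""
    closed = set(privileges)
    pending = list(privileges)
    while pending:
        for implied in IMPLIES.get(pending.pop(), ()):
            if implied not in closed:
                closed.add(implied)
                pending.append(implied)
    return closed


def effective_privileges(roles: dict[str, Role], assigned: list[str]) -> set[str]:
    """Union of the privileges of every assigned role and of every role it
    inherits, closed under implication.  Each role is visited once, so an
    inheritance cycle terminates; roles unknown to the catalog (for example
    an LDAP group that is not a Data Catalog role) contribute nothing."""
    seen: set[str] = set()
    granted: set[str] = set()
    pending = list(assigned)
    while pending:
        name = pending.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        granted |= roles[name].privileges
        pending.extend(roles[name].inherits)
    return expand_implied(granted)


def is_allowed(roles: dict[str, Role], assigned: list[str], privilege: str) -> bool:
    """Authorization check: may a user holding these roles do this task?"""
    return privilege in effective_privileges(roles, assigned)


# Two predefined roles with the default privilege lists given on this page.
EDITOR = Role("data_catalog_editor", frozenset({
    "Edit categories", "Assign categories", "Edit tags", "Assign tags",
    "Edit custom elements", "Assign custom elements", "Edit elements",
    "Edit endorsements", "Edit warnings",
}))
CLASSIFIER = Role("data_catalog_classifier", frozenset({
    "Assign categories", "Assign tags", "Assign custom elements",
}))
# Constructed example of composition: a curator inherits everything an editor
# has and may additionally create and delete tags (which implies Edit/Assign tags).
CURATOR = Role("catalog_curator", frozenset({"Create/Delete tags"}),
               inherits=frozenset({"data_catalog_editor"}))

ROLES: dict[str, Role] = {r.name: r for r in (EDITOR, CLASSIFIER, CURATOR)}


if __name__ == "__main__":
    # Constructed users; "hr_staff" is a role the catalog does not define.
    users = {"alice": ["data_catalog_classifier"],
             "bob": ["catalog_curator", "hr_staff"]}
    for user, assigned in users.items():
        print(user, sorted(effective_privileges(ROLES, assigned)))
        print("  may delete endorsements:",
              is_allowed(ROLES, assigned, "Delete endorsements"))
```

Because `effective_privileges` computes a closure, the check for a task is a single set membership test; the closure is also what you would inspect when reviewing whether a composed role has accidentally grown beyond the least privilege its users need.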

The privileges you can assign from the administration group are:

  • Synchronize. It allows a user to launch the synchronization with the Virtual DataPort server.

  • Import/Export. It allows a user to:

    • Import or export the metadata and settings of the Data Catalog.

    • Import or export the saved queries of all the users for the current Virtual DataPort server.

  • Servers. It allows a user to:

    • Create Virtual DataPort servers.

    • Edit the connection settings of the queries on Virtual DataPort servers.

    • Edit the authentication configuration for enabling single sign-on with Kerberos.

    • Edit the database where the Data Catalog stores its metadata.

    • Create index servers and assign them to Virtual DataPort servers.

  • Personalize. It allows a user access to all the personalization settings: informative message, export query results, usage statistics, theme, etc.

  • Content. It allows a user to configure the following settings of the search by content:

    • Default number of fields in a search results summary.

    • Maximum number of results per entity in a search results summary.

    • Search snippets of an index server assigned to a Virtual DataPort server.

  • Permissions. It allows a user to assign privileges to roles.

The privileges you can assign from the collaboration group are:

  • Create endorsements. It allows a user to create endorsements.

  • Edit endorsements. It allows a user to edit endorsements.

  • Delete endorsements. It allows a user to delete endorsements.

  • Create warnings. It allows a user to create warnings.

  • Edit warnings. It allows a user to edit warnings.

  • Delete warnings. It allows a user to delete warnings.

  • Create deprecations. It allows a user to create deprecations.

  • Edit deprecations. It allows a user to edit deprecations.

  • Delete deprecations. It allows a user to delete deprecations.

Note

The collaboration group is only available with the Semantics Feature Pack. To find out the subscription bundle you have, open the About dialog of the Data Catalog.

Users with predefined privileges

Data Catalog considers a set of users with predefined privileges assigned to them. They are characterized by their authentication method, their user type or a specific role. Let us see the full list of privileged users.

Note

In Data Catalog 7.0 the authorization system was based on a specific set of predefined and immutable roles that, when assigned, automatically granted privileges to a user. These roles are kept in Data Catalog 8.0, but redefined in terms of the privileges explained above. Since there is no exact match between the privileges granted in 7.0 and the current privileges, most of them are no longer immutable. You can modify their definition to suit your needs.

Data Catalog Editor

Data Catalog editors are users with the data_catalog_editor role. They are granted the following list of privileges; it is not immutable, so you can change it:

  • Edit categories

  • Assign categories

  • Edit tags

  • Assign tags

  • Edit custom elements

  • Assign custom elements

  • Edit elements

  • Edit endorsements

  • Edit warnings

Data Catalog Classifier

Data Catalog classifiers are users with the data_catalog_classifier role. They are granted the following list of privileges; it is not immutable, so you can change it:

  • Assign categories

  • Assign tags

  • Assign custom elements

Data Catalog Manager

Data Catalog managers are users with the data_catalog_manager role. They are granted the following list of privileges; it is not immutable, so you can change it:

  • Create/Delete categories

  • Edit categories

  • Assign categories

  • Create/Delete tags

  • Edit tags

  • Assign tags

  • Create/Delete custom elements

  • Edit custom elements

  • Assign custom elements

  • Edit elements

  • Create endorsements

  • Edit endorsements

  • Delete endorsements

  • Create warnings

  • Edit warnings

  • Delete warnings

  • Create deprecations

  • Edit deprecations

  • Delete deprecations

Data Catalog Content Administrator

Data Catalog content administrators are users with the data_catalog_content_admin role. They are granted the following list of privileges; it is not immutable, so you can change it:

  • Personalize

  • Content

Data Catalog Administrator

Data Catalog administrators are users with the role data_catalog_admin or selfserviceadmin. They are granted the following list of privileges:

  • Create/Delete categories

  • Edit categories

  • Assign categories

  • Create/Delete tags

  • Edit tags

  • Assign tags

  • Create/Delete custom elements

  • Edit custom elements

  • Assign custom elements

  • Edit elements

  • Synchronize

  • Import/Export

  • Servers

  • Personalize

  • Content

  • Permissions

  • Create endorsements

  • Edit endorsements

  • Delete endorsements

  • Create warnings

  • Edit warnings

  • Delete warnings

  • Create deprecations

  • Edit deprecations

  • Delete deprecations

Note

This list of privileges is immutable. You cannot change it.

Data Catalog Exporter

Data Catalog exporters are users with the role data_catalog_exporter or selfserviceexporter. In the Export dialog you can configure that these users are the only ones authorized to export the query results to specific formats.

Data Catalog Global Administrator

Data Catalog global administrators are users of type administrator in Virtual DataPort or users with the serveradmin role. These users are granted all the privileges in the Data Catalog. They can do any task.

Data Catalog Local User

Data Catalog local users are users that access the Data Catalog through the local authentication method. They are allowed to perform the following tasks:

  • Create Virtual DataPort servers.

  • Edit the connection settings of the queries on Virtual DataPort servers.

  • Edit the authentication configuration for enabling single sign-on with Kerberos.

  • Edit the database where the Data Catalog stores its metadata.

Important

The roles selfserviceadmin and selfserviceexporter exist in Denodo 8.0 to keep backward compatibility with Denodo 6.0 but you should not grant them to users anymore. They are deprecated and will be removed in the next major version of Denodo. Use the roles data_catalog_admin and data_catalog_exporter instead.