Authorization
Once the Solution Manager authenticates a user, it authorizes this user. That is, it determines what tasks this user is allowed to perform on the Solution Manager.
There are two types of privileges: global privileges, and privileges granted to a role for an environment.
The following sections explain what kind of users the Solution Manager considers and what privileges they have.
Global Privileges
Global privileges are privileges that you grant to a user or a role over all the environments or over all the environments of a certain type. If you need more fine-grained control of what users are allowed to do, see the section Privileges Granted to a Role For an Environment below.
List of global privileges
Global Administrator (global_admin)
Global administrators are users that have the role global_admin. These users can do any operation on the Solution Manager.
Solution Manager Administrator (solution_manager_admin)
The administrators of the Solution Manager are users that have the role solution_manager_admin. Grant this role to the users that are going to be in charge of administering the Solution Manager and managing the Denodo licenses of the organization.
Users with this role can do these tasks:
Create, edit and remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
but cannot:
Manage deployment configurations.
Manage load balancing variables.
Set Virtual DataPort or Scheduler properties in environments and clusters.
Create, edit or remove revisions.
Access revisions or deployments.
Validate and deploy revisions.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import and export catalog elements.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
Promotion Administrator (solution_manager_promotion_admin)
Promotion administrators are users that have the role solution_manager_promotion_admin. Grant this role to the users that are going to be in charge of creating revisions and promoting them from the development environment to testing, from testing to production, etc.
Users with this role can do these tasks:
Access the main information of the elements of the catalog in read only mode.
Manage deployment configurations.
Manage load balancing variables.
Set Virtual DataPort and Scheduler properties in environments and clusters.
Create, edit and remove her own revisions.
Create revisions by loading a VQL file.
Access the revisions from other users in read only mode.
Validate and deploy revisions.
Remove any deployment.
but cannot:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Edit or remove revisions from other users.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
Promotion Administrator for Specific Environments (solution_manager_promotion_admin_*)
Promotion administrators for certain environments are users that have one or more of these roles:
solution_manager_promotion_admin_development
solution_manager_promotion_admin_staging
solution_manager_promotion_admin_production
The users with these roles can do the same tasks as the promotion administrators but only on specific target environments. For example, the users with the role solution_manager_promotion_admin_production can only validate and deploy revisions on the environments whose license scenario is production.
The table Solution manager promotion roles below shows an overview of the different Solution Manager promotion administrator roles with their privileges to promote revisions created by users to different environment types.
Promotion (solution_manager_promotion)
Promotion users are users that have the role solution_manager_promotion. Grant this role to the users that are going to be responsible for creating revisions, validating these revisions and deploying them.
Users with this role can do these tasks:
Access the main information of the elements of the catalog in read only mode.
Create, edit and remove her own revisions.
Validate her own revisions.
Deploy her own revisions.
Remove her own deployments.
but cannot:
Create, edit or remove environments, clusters and servers.
Create revisions by loading a VQL file.
Manage deployment configurations.
Manage load balancing variables.
Set Virtual DataPort or Scheduler properties in environments and clusters.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Access, validate or deploy revisions from other users.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
Promotion for Specific Environments (solution_manager_promotion_*)
Promotion users for certain environments are users that have one or more of these roles:
solution_manager_promotion_development
solution_manager_promotion_production
solution_manager_promotion_staging
Grant this role to the users that are going to be responsible for creating revisions, validating these revisions and deploying them.
This user is interpreted from the Solution Manager point of view as a promotion user, with the difference that she can only validate and deploy her own revisions in the target environments that have the specific scenario assigned. For example, a user with the role solution_manager_promotion_staging can only validate and deploy any of her revisions in any staging environment.
Overview of the Promotion Roles
The following table shows an overview of the different Solution Manager promotion roles with their privileges to promote revisions created by users to different environment types:
Role | User: other user | User: own user | Environment Type: deployment | Environment Type: staging | Environment Type: production |
---|---|---|---|---|---|
solution_manager_promotion_development | | | | | |
solution_manager_promotion_staging | | | | | |
solution_manager_promotion_production | | | | | |
solution_manager_promotion | | | | | |
solution_manager_promotion_admin_development | | | | | |
solution_manager_promotion_admin_staging | | | | | |
solution_manager_promotion_admin_production | | | | | |
solution_manager_promotion_admin | | | | | |
For example, a user with the role solution_manager_promotion_deployment can only promote revisions created by herself in any deployment environment. A user with the role solution_manager_promotion_admin_production can promote revisions created by herself and by other users, but only in production environments.
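The promotion rules of this section written out as a decision function, with an audit helper that lists who can deploy revisions they did not author. This is an added example, not Denodo code: it assumes a user holding several roles gets the union of what each role allows and that global_admin may promote anything anywhere; the function names, user names and sample assignments are hypothetical.

```python
# Added example: the promotion rules described on this page as a decision function.
SCENARIOS = ("development", "staging", "production")  # license scenarios in the role names
ADMIN = "solution_manager_promotion_admin"
PROMO = "solution_manager_promotion"


def parse_role(role):
    """Return (may_promote_others, scenarios) for a promotion role, else None."""
    if role == "global_admin":  # "can do any operation" (assumed to include promotion)
        return True, set(SCENARIOS)
    for prefix, admin in ((ADMIN, True), (PROMO, False)):  # longer prefix first
        if role == prefix:
            return admin, set(SCENARIOS)
        suffix = role[len(prefix) + 1:]
        if role.startswith(prefix + "_") and suffix in SCENARIOS:
            return admin, {suffix}
    return None  # monitor_admin, solution_manager_admin, unknown names: no promotion rights


def can_promote(roles, user, revision_owner, scenario):
    """May `user` validate and deploy this revision on an environment of `scenario`?"""
    for admin, scenarios in filter(None, map(parse_role, roles)):
        # Assumption: rights from several roles combine as a union.
        if scenario in scenarios and (admin or user == revision_owner):
            return True
    return False


def matrix_row(role):
    """Overview row: (other user, own user, development, staging, production)."""
    admin, scenarios = parse_role(role)
    return (admin, True) + tuple(s in scenarios for s in SCENARIOS)


def who_can_promote_others(assignments, scenario):
    """Audit: users able to deploy a revision they did not author to `scenario`."""
    return sorted(u for u, roles in assignments.items()
                  if can_promote(roles, u, None, scenario))


# Constructed sample assignments (hypothetical users).
ASSIGNMENTS = {
    "alice": ["solution_manager_promotion"],
    "bob": ["solution_manager_promotion_admin_staging", "monitor_admin"],
    "carol": ["solution_manager_promotion_production",
              "solution_manager_promotion_admin_development"],
    "dave": ["global_admin"],
    "erin": ["solution_manager_admin"],
}

if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(scenario, who_can_promote_others(ASSIGNMENTS, scenario))
```

Running the audit over an export of real role assignments shows which accounts can push someone else's revision into production, which is the set to keep smallest.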
Monitor Administrators
Monitor administrators are users that have the role monitor_admin. Grant this role to the users that are going to be in charge of monitoring the Denodo servers and diagnosing issues in them.
Users with this role can do these tasks:
Access the main information of the elements of the catalog in read only mode.
Change the logging level of Virtual DataPort servers.
Execute Denodo Monitor to gather the execution logs of the Virtual DataPort servers.
Configure the Denodo Monitor template (globally or for each environment), using the Solution Manager.
From My applications, users will be able to connect to the Diagnostic & Monitoring tool of these environments.
but cannot:
Create, edit or remove environments, clusters and servers.
Manage deployment configurations.
Manage load balancing variables.
Set Virtual DataPort or Scheduler properties in environments and clusters.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Create, edit or remove revisions.
Access revisions or deployments.
Validate and deploy revisions.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
From My applications, users will not be able to connect to the Design Studio, Data Catalog and Scheduler of these environments.
Privileges Granted to a Role For an Environment
This section explains how to grant privileges to users over a specific environment. These privileges are more fine-grained than the ones explained in the section above. You cannot grant these privileges directly to users, only to roles.
Only users with the role global_admin can use this feature.
To grant a privilege to a role over a specific environment, follow these steps:
Click the menu Configuration > Permissions. This page lists all the environments.
Click the button in the row of the environment. This will open a new tab: Permissions by environment.
In this tab, click New, select the role and click Add role.
Select one or more privileges.
Click .
The following list explains what each privilege allows the user to do over an environment:
CONNECT
Grant the Connect privilege to the users over the development environments in which they participate. That way, they will be able to use the Solution Manager as a single point of entry to the applications of Denodo.
Users with this privilege over an environment have access to the following:
From My applications, users will be able to connect to the Design Studio, Data Catalog and Scheduler of these environments. To access the Diagnostic & Monitoring tool you need the privilege MONITOR.
Users will have access to basic information of this environment, its clusters and servers, in read-only mode.
Create, edit and remove her own revisions.
Users with this privilege cannot do these tasks:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Manage the deployments configuration.
Manage the load balancing variables.
Set the Virtual DataPort properties or the Scheduler properties in environments and clusters.
Create revisions by loading a VQL file.
Access revisions created by other users.
Validate and deploy revisions.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
METADATA
Users with the METADATA privilege over an environment have access to all the configuration of this environment, its clusters and servers, in read-only mode, including:
Information about the license assigned to this environment.
If this is an AWS-managed environment, its status.
Deployment configuration of the environment and the deployment scripts.
The load balancing variables of the environment (this does not give access to the menu Promotions > Load balancing variables).
Virtual DataPort properties of the environment and the Scheduler properties of its clusters.
Users with this privilege cannot do these tasks:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Manage the deployments configuration.
Manage the load balancing variables.
Create, edit or remove revisions.
Access revisions or deployments.
Validate and deploy revisions.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
WRITE
Users with the Write privilege over an environment can create, configure and delete clusters on that environment. More specifically:
Edit and delete the environment.
Create, edit and delete clusters and servers of these environments.
Manage the deployment configuration of the environment.
Manage the load balancing variables of the environment. This does not include creating or deleting load balancing variables, only allows the users with this role to assign values to clusters and servers.
Set the Virtual DataPort properties of the environment and the Scheduler properties of its clusters.
Configure the deployment scripts of the environment.
Users with this privilege cannot do these tasks:
Create environments.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Create, edit or remove revisions.
Access revisions or deployments.
Validate and deploy revisions.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates. You need the privileges WRITE and EXECUTION to execute this operation.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
EXECUTION
Users with the Execution privilege over an environment can do the following:
Access basic information about this environment, its clusters and servers, in read-only mode, including:
Information about the license assigned to this environment.
If this is an AWS-managed environment, its status.
For AWS-managed environments, start and stop its clusters.
Change the logging level of the Virtual DataPort servers of the environment.
Users with this privilege cannot do these tasks:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Manage the deployments configuration.
Manage the load balancing variables.
Set the Virtual DataPort properties or the Scheduler properties in environments and clusters.
Create, edit or remove revisions.
Access revisions or deployments.
Validate and deploy revisions.
Execute monitoring operations.
Import or export catalog elements.
For AWS-managed environments, install Denodo updates. You need the privileges WRITE and EXECUTION to execute this operation.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
MONITOR
Users with the Monitor privilege over an environment can do the following:
Access basic information about this environment, its clusters and servers, in read-only mode.
Open the Diagnostic & Monitoring tool.
Start and stop monitoring the servers of the environment.
Configure the template of the Denodo Monitor of each environment, using the Solution Manager.
Change the logging level of Virtual DataPort servers.
Users with this privilege cannot do these tasks:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Manage the deployments configuration.
Manage the load balancing variables.
Set the Virtual DataPort properties or the Scheduler properties in environments and clusters.
Create, edit or remove revisions.
Access revisions or deployments.
Validate and deploy revisions.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
From My applications, users will not be able to connect to the Design Studio, Data Catalog and Scheduler of these environments.
Configure the global template of the Denodo Monitor, using the Solution Manager.
DEPLOY
Users with the Deploy privilege over an environment can do the following:
Access basic information about this environment, its clusters and servers, in read-only mode.
Create a revision to be deployed and validated on this environment.
Edit or remove her own revisions.
Remove her own deployments.
Users with this privilege cannot do these tasks:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Manage the deployments configuration.
Manage the load balancing variables.
Set the Virtual DataPort properties or the Scheduler properties in environments and clusters.
Create revisions by loading a VQL file.
Access, validate and deploy the revisions created by other users.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.
DEPLOY ADMIN
Users with the Deploy Admin privilege over an environment can do the following:
Access basic information about this environment, its clusters and servers, in read-only mode.
Manage the deployments configuration.
Manage the load balancing variables. Users that have this privilege over one or more environments can open the dialog of the menu Promotions > Load balancing variables to assign values to clusters and servers, but not to create or delete variables.
Set the Virtual DataPort properties and the Scheduler properties in environments and clusters.
Create revisions.
Create revisions by loading a VQL file.
Edit and remove her own revisions.
Access the revisions created by any user in read-only mode.
Validate and deploy revisions to this environment.
Remove any deployment from this environment.
Users with this privilege cannot do these tasks:
Create, edit or remove environments, clusters and servers.
Set the Version Control System configuration.
Set the Solution Manager Database configuration.
Set the Informative Message configuration.
Set the Automated Mode configuration.
Manage licenses.
Edit and remove revisions from other users.
Execute monitoring operations.
Change the logging level of Virtual DataPort servers.
Import or export catalog elements.
For AWS-managed environments, start and stop its clusters and check cluster events.
For AWS-managed environments, install Denodo updates.
From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of these environments.