Creating Roles
Note
Creation, modification and deletion of roles is disabled when accessing Design Studio from Agora. This is because role management is done through Agora.
A role is a set of access rights that we can grant to users.
To create a new role, click Role management on the Administration menu and then, in the Role management dialog, click New role. In the New role dialog, you have to provide the following:
The name of the new role.
A description.
Then click Ok. After creating the role, you have to assign privileges to it. To do this, select the role and click Assign privileges.
In this dialog, you can select the access privileges assigned to this role. The access privileges that you can assign to a role and to a user are the same and work in the same way. The section Modifying the Privileges of a User explains how to assign these privileges.
Note
As explained in the section Roles, if you assign two roles to a user, the “effective permissions” of this user will be the union of the privileges of both roles.
You can also assign a role to another role (Role Inheritance) as explained in the section Roles, by clicking Assign roles. Then, for each role you want to assign, select it in the list and click the button beside it.
In the figure below, you can see that the role “denodo_developer” has the roles “data_catalog_developer” and “vdp_developer”. The users that have the role “denodo_developer” will have the privileges assigned to the roles “data_catalog_developer”, “vdp_developer” and “denodo_developer”.
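The union rule and the role inheritance described above can be checked mechanically. The following Python snippet is an added example, not Denodo code or VQL: it models roles as sets of (database, privilege) pairs, follows role-to-role assignments transitively and returns the effective privileges of a user. The role names mirror the figure; the database name "dev_db" and the privileges attached to each role are assumptions made for the example. Because role graphs can contain cycles (a assigned to b, b assigned to a), the traversal keeps a visited set so it always terminates.

```python
from collections import deque

# Constructed example data, mirroring the figure: denodo_developer has been
# assigned the roles data_catalog_developer and vdp_developer. The database
# "dev_db" and the privilege names are assumptions for this example.
ROLE_PRIVILEGES = {
    "allusers": set(),
    "data_catalog_developer": {("dev_db", "METADATA")},
    "vdp_developer": {("dev_db", "CONNECT"), ("dev_db", "CREATE"), ("dev_db", "EXECUTE")},
    "denodo_developer": {("dev_db", "WRITE")},
}

# Role inheritance (the "Assign roles" dialog): role -> roles assigned to it.
ROLE_INHERITANCE = {
    "allusers": set(),
    "data_catalog_developer": set(),
    "vdp_developer": set(),
    "denodo_developer": {"data_catalog_developer", "vdp_developer"},
}


def expand_roles(roles, inheritance=ROLE_INHERITANCE):
    """Return every role reachable from `roles` through inheritance.

    Breadth-first search with a visited set, so a cycle in the inheritance
    graph terminates instead of looping forever.
    """
    seen = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(inheritance.get(role, ()))
    return seen


def effective_privileges(user_roles, privileges=ROLE_PRIVILEGES, inheritance=ROLE_INHERITANCE):
    """Union of the privileges of all roles the user holds, directly or inherited."""
    result = set()
    for role in expand_roles(user_roles, inheritance):
        result |= privileges.get(role, set())
    return result


def has_privilege(user_roles, database, privilege, **kwargs):
    """True if the user's effective privileges include `privilege` on `database`."""
    return (database, privilege) in effective_privileges(user_roles, **kwargs)


if __name__ == "__main__":
    # A user holding only denodo_developer ends up with the privileges of all three roles.
    for db, priv in sorted(effective_privileges({"denodo_developer"})):
        print(f"{db}: {priv}")
```

Because the result is a plain set union, there is no way to express a deny in this model: granting a user a second role can only widen what the user may do, which is why a role such as denodo_developer should be reviewed together with everything it inherits.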
Instead of creating the roles manually, you can import them from an LDAP server. Before importing them, you need to do one of these tasks:
Create a database with LDAP authentication that, to authenticate users, uses the LDAP server from which you want to obtain the list of roles.
Or create an LDAP data source that points to the LDAP server from which you want to obtain the list of roles. Create this data source in a database without LDAP authentication. The section LDAP Sources explains how to create an LDAP data source.
After this, click on Import roles from LDAP to display the “Import Roles from LDAP” wizard.
Wizard “Import Roles from LDAP”
The wizard “Import Roles from LDAP” imports the names and descriptions of roles from an LDAP data source (usually, Active Directory). Then, you have to grant them the appropriate privileges.
You have to provide the following data:
Database: select a database that is configured with LDAP authentication or the database that contains the LDAP data source.
If you select a database with LDAP authentication, the Tool will copy the LDAP configuration of the database to the boxes below. The Tool will disable the box LDAP data source because the wizard will use the LDAP data source of the selected database.
Alternatively, select a database that contains the LDAP data source that points to the LDAP server from which you want to obtain the list of roles and select the source in the LDAP data source box below.
Role base: node of the LDAP server that is used as scope to search nodes that represent roles.
You can enter more than one “Role base” by clicking on the button beside the “Role base” box.
Attribute with role name: name of the attribute that contains the name of the role, in the nodes that represent roles.
Attribute with role description: name of the attribute that contains the description of the role, in the nodes that represent roles.
Role search pattern: pattern used to generate the LDAP queries that will be executed to obtain the nodes that represent the roles you want to import into Virtual DataPort.
Then, click Ok. The Tool will display the roles found in the LDAP server. In this list, select the roles you want to import and click Ok.
Use the text field at the top to search roles by their name.
This dialog does not list the roles serveradmin or monitor_admin even if they are returned by the LDAP query. The reason is that these roles are automatically defined during the installation of Virtual DataPort, so they already exist. See more about these roles in the section Roles.
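To see how the wizard's inputs fit together, the following Python model is an added example; it is not Denodo's implementation and it does not talk to a real directory. A constructed in-memory list of entries stands in for Active Directory, the role base limits the search scope to entries under that node, the role search pattern is evaluated as a small subset of LDAP filter syntax (equality with * wildcards, combined with &, | and !), the two attribute names select the role name and description, and the built-in roles serveradmin and monitor_admin are dropped from the result as described above. The DNs, attribute values and descriptions are invented for the example.

```python
import fnmatch

# Constructed directory, reduced to DN + attributes. In a real deployment these
# entries come from the LDAP server behind the selected database or data source.
DIRECTORY = [
    {"dn": "CN=vdp_developer,OU=Groups,DC=example,DC=com", "objectClass": "group",
     "cn": "vdp_developer", "description": "Developers of Virtual DataPort views"},
    {"dn": "CN=serveradmin,OU=Groups,DC=example,DC=com", "objectClass": "group",
     "cn": "serveradmin", "description": "Directory group whose name collides with a built-in role"},
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "objectClass": "user",
     "cn": "alice", "description": "A user, not a group"},
    {"dn": "CN=finance_readers,OU=Groups,DC=example,DC=com", "objectClass": "group",
     "cn": "finance_readers", "description": "Read-only finance reports"},
    {"dn": "CN=legacy_ops,OU=Legacy,DC=example,DC=com", "objectClass": "group",
     "cn": "legacy_ops", "description": "Group outside the default role base"},
]

# Roles created by the Virtual DataPort installer; the wizard never lists them.
BUILT_IN_ROLES = {"serveradmin", "monitor_admin"}


def in_scope(dn, role_bases):
    """True if `dn` lies under at least one of the configured role bases."""
    return any(dn.lower().endswith("," + base.lower()) for base in role_bases)


def matches(entry, pattern):
    """Evaluate a small subset of RFC 4515 filters against one entry.

    Supported: (attr=value) with '*' wildcards (other fnmatch metacharacters
    such as '?' and '[' are not escaped), plus (&...), (|...) and (!...).
    """
    pattern = pattern.strip()
    if not (pattern.startswith("(") and pattern.endswith(")")):
        raise ValueError(f"malformed filter: {pattern!r}")
    body = pattern[1:-1]
    if body[0] in "&|!":
        # Split the body into its top-level parenthesised sub-filters.
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += ch == "("
            depth -= ch == ")"
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        if body[0] == "!":
            return not results[0]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    actual = entry.get(attr)
    return actual is not None and fnmatch.fnmatchcase(actual.lower(), value.lower())


def import_roles(role_bases, name_attr, desc_attr, search_pattern, directory=DIRECTORY):
    """Return {role_name: description} for the entries the wizard would offer."""
    found = {}
    for entry in directory:
        if not in_scope(entry["dn"], role_bases) or not matches(entry, search_pattern):
            continue
        name = entry.get(name_attr)
        if not name:
            continue  # no usable role name on this entry
        if name in BUILT_IN_ROLES:
            continue  # already defined in Virtual DataPort
        found[name] = entry.get(desc_attr, "")
    return found


if __name__ == "__main__":
    roles = import_roles(["OU=Groups,DC=example,DC=com"], "cn", "description",
                         "(objectClass=group)")
    for name, desc in sorted(roles.items()):
        print(f"{name}: {desc}")
```

Narrowing the search pattern (for example to groups whose name carries a known prefix) and keeping the role base as tight as possible are the two levers that keep unrelated directory groups from ending up as Virtual DataPort roles in the selection list.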
Default Roles
Virtual DataPort defines the following default roles. They cannot be modified nor deleted.
allusers: granted by default to new local users. Additionally, you can automatically grant it to all users that connect to Virtual DataPort using Kerberos authentication or SAML 2.0, or to a database with LDAP authentication.
assign_all_privileges: grants the privilege of assigning any privilege over all metadata elements to any user or role, except to this role itself.
assign_all_roles: grants the privilege of assigning roles to any user or role. It does not allow assigning roles to users that have the role assign_all_roles.
assign_tags: grants the privilege of assigning tags to views. The user also needs the METADATA privilege on the affected views.
configure_database: grants the privilege of managing the configuration of databases.
configure_resource_manager: grants the privilege of managing resource manager rules.
configure_server: grants the privilege of managing all the server configuration except resource manager rules and resources (jars / libraries).
create_database: grants the privilege of creating and modifying databases.
create_resource: grants the privilege of creating and modifying server resources.
create_temporary_table: grants the privilege of creating temporary tables. This is useful when you want to allow a user account to create temporary tables without granting it the privilege CREATE or CREATE VIEW, because either of those would also allow the user to create other types of elements.
drop_database: grants the privilege of dropping databases.
drop_resource: grants the privilege of dropping server resources (jars / libraries).
diagnostic_monitoring_tool_admin and diagnostic_monitoring_tool_create_diagnostic: each of these roles grants different privileges over the Diagnostic & Monitoring Tool. The section Authorization of the Diagnostic & Monitoring Tool Guide explains what privileges these roles grant.
data_catalog_admin, data_catalog_assisted_query, data_catalog_classifier, data_catalog_content_admin, data_catalog_data_preparation, data_catalog_editor, data_catalog_exporter and data_catalog_manager: each of these roles grants different privileges over the Data Catalog. The section Authorization of the Data Catalog Guide explains what privileges each of these roles grants.
The roles selfserviceadmin and selfserviceexporter are deprecated and should not be granted to users anymore. They exist only to keep backward compatibility with Denodo 6.0. Instead, grant the roles data_catalog_admin and data_catalog_exporter, which are equivalent to selfserviceadmin and selfserviceexporter respectively. The section Features Deprecated in Denodo Platform lists all the features that are deprecated.
disable_cache_query: grants the privilege of executing queries with the cache disabled over views on which the user does not have the WRITE privilege. The cache is disabled with the context clause ‘cache’=’off’.
impersonator: when users with this role publish REST web services, these services can impersonate other users (see Impersonating a User in the section “Web Services Authentication”).
import_tags: grants the privilege of importing tags.
metadata_export: allows users with the METADATA privilege on elements to obtain the VQL of those elements without the environment-specific properties (see “Exporting with ‘metadata_export’ role” in the section Export to a File with Properties).
manage_policies: grants the privilege of creating, editing, dropping, enabling and disabling Global Security Policies.
manage_tags: grants the privilege of creating, editing and dropping tags in Virtual DataPort.
manage_summaries: grants the privilege of managing summaries.
manage_listeners: grants the privilege of managing listeners (JMS and Kafka).
manage_metadata_tables: grants the privilege of managing metadata tables.
monitor_admin: grants the privilege of connecting to the monitoring interface of Virtual DataPort. This interface uses the JMX protocol (Java Management Extensions). You need this privilege to monitor Virtual DataPort with the Diagnostic & Monitoring Tool, the Denodo Monitor, Oracle VisualVM, Oracle Java Mission Control, Nagios, etc. In previous versions of Denodo this role was named jmxadmin; that name is kept for backward compatibility.
scheduler_admin: used by the Scheduler Administration Tool. Users with this role can perform any task in the Scheduler Administration Tool. See more about this in the section Permissions of the Scheduler Administration Guide.
serveradmin: equivalent to being an administrator user of Virtual DataPort, except that it does not grant the privilege of connecting to Virtual DataPort via JMX. That is, a user with this role can manage databases, change settings of the Server, etc. A user with this role also needs the role assignprivileges (see below) to manage the privileges of users and roles.
assignprivileges: grants the privilege of granting and revoking privileges to other users and roles.
Note
With this role:
A standard user can grant/revoke its own privileges to users/roles.
A local administrator can grant/revoke any privilege on the administered database (or on any element of that database) to any user/role.
A global administrator can grant/revoke any privilege to any user/role.
Take the following into account:
New administrator users have this role by default, but you can revoke it from them.
You cannot grant privileges or roles to this role. This is why it is not listed in the “Role Management” panel, although it is listed in the “Assign roles” dialogs.
create_user and create_role: grant the privilege of creating users and roles. Take into account that a user with only the create_user role can create normal users but not administrators.
drop_user and drop_role: grant the privilege of dropping users and roles.