Creating Users
Note
Creation, modification and deletion of users is disabled when accessing Design Studio from Agora. This is because user management is done through Agora.
To create a user, click User management on the Administration menu. In this dialog, click New user.
In this dialog, you have to provide the following data (see Creating a normal user):
Login and password of the new user.
When the identifiers charset option of Virtual DataPort (Server Configuration) is restricted, the login can only contain letters, numbers and underscores; if it is Unicode, you can use any character.
The password has to meet the Password Policies in the Denodo Platform and Solution Manager.
Description of the new user (optional)
User type: users can be of the type “Administrator” or “Normal” (user without administration privileges).
Note
Administrator users can perform any action on any database of the Server.
Note
You cannot assign privileges to “Normal” users over databases with “Authentication type” “LDAP”. That is because for these databases, the Server obtains the names of the roles of the users from the LDAP server.
Authentication type. Users can be authenticated with a regular user and password (Normal option) or against an LDAP server registered in Virtual DataPort (see the section LDAP Sources for information on how to register an LDAP server). The data to be completed is different, depending on the selected option:
Normal: you have to provide a password for the new user.
LDAP: you have to provide the following (see Creating a normal user):
LDAP data source. Use the “Database” selector to choose the database where the required LDAP server has been registered. Then select the LDAP data source from the “Data source” drop-down.
LDAP user. The name of the user in the LDAP server. For example, the value cn=test,ou=People,dc=denodo,dc=com identifies the test user in an organizational unit People for the domain denodo.com.
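As an added example (not part of the Denodo documentation), the following Python code parses a distinguished name such as the one above into its user, organizational units and domain, so the value can be checked before it is entered in the “LDAP user” field. The function names are hypothetical; escaped commas and hex escapes are handled, multi-valued components joined with + are not.

```python
import string
SAMPLE = "cn=test,ou=People,dc=denodo,dc=com"  # the example value from this page

def split_unescaped(text, sep=","):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts, cur = parts + [cur], ""
        else:
            cur += text[i:i + step]       # an escape pair is kept intact
        i += step
    return parts + [cur]

def unescape(value):
    """Decode RFC 4514 escapes: backslash + char, or backslash + two hex digits."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))     # one UTF-8 byte
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Return (attribute, value) pairs, most specific component first."""
    pairs = []
    for rdn in split_unescaped(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError(f"malformed component: {rdn!r}")
        pairs.append((attr.strip().lower(), unescape(value)))
    return pairs

def describe(dn):
    """Summarize a DN: user name, organizational units, DNS-style domain."""
    pairs = parse_dn(dn)
    return {
        "user": next((v for a, v in pairs if a in ("cn", "uid")), None),
        "org_units": [v for a, v in pairs if a == "ou"],
        "domain": ".".join(v for a, v in pairs if a == "dc"),
    }
```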
Considerations
We recommend creating local users only for the administrators of the Denodo Platform. Then, enable LDAP authentication in Virtual DataPort for a specific database so the credentials of almost all the users of Denodo are checked against the Active Directory of your organization. That is because:
It simplifies the management of users and their privileges. For example, when new employees join your organization, they will probably be added to the same groups of Active Directory as their colleagues. These new users will automatically have access to the Denodo Platform without you having to create an account in Virtual DataPort.
For security purposes: generally, Active Directory is set up to enforce a minimum password length, force users to rotate their passwords periodically, etc. When employees are no longer part of the organization, their accounts will be disabled in Active Directory so they will not be able to access the Denodo Platform servers either.
A local user with LDAP authentication is different from enabling LDAP authentication in Virtual DataPort or for a specific database.
When the “Authentication type” of a user is “LDAP”, the LDAP server is only used to check that the password provided by the user is correct. You still have to manually assign roles to this user. When you enable LDAP authentication in Virtual DataPort or in a database, Virtual DataPort obtains the roles of the user from Active Directory and the privileges of the user are those assigned to its roles.
Do not delete the LDAP data source assigned to local users with “Authentication type” set to “LDAP”. If you do, those users will also be deleted automatically. Only administrators can delete LDAP data sources that are linked to local users.