Authorization¶
The authorization system in the Data Catalog is based on roles, which represent a set of privileges granted to a user. Instead of assigning privileges directly to users, you assign privileges to roles and roles to users. This way, users with the same privileges share the same role. When you want to change their privileges, you do not need to go user by user: you change the privileges on the role they share, and the change affects all of those users.
Although it may seem simple, using roles to model privileges is a powerful tool. You can assign several roles to a user, and she is granted the union of all the privileges assigned to those roles. In the same way, you can define a role by composing the privileges assigned to other roles: assign a set of roles to another role and it inherits their privileges.
In practice, to configure the privileges of your users, follow these steps:
1. Configure the set of roles assigned to a user in the system that manages your user accounts. The specifics of this configuration depend on your authentication method. Take into account that, when you configure the authentication in the Data Catalog, you need to specify how to validate the user credentials and how to extract the roles of an authenticated user. The roles may be retrieved by a search in an LDAP server, from a field of a SAML assertion, etc.
2. Create the roles in the Virtual DataPort server you are going to connect to.
3. Assign privileges to the roles, both in Virtual DataPort and in Data Catalog:
   - In Virtual DataPort you define which privileges a role has to access databases, views and web services. Data Catalog respects these privileges, so a user has the same access from Data Catalog as she has from every other Denodo product, like the Design Studio, the JDBC driver, etc.
     Note
     Role inheritance is also configured in Virtual DataPort.
   - Any authenticated user in Data Catalog can browse, search and execute views or web services according to her privileges in Virtual DataPort. But there are other tasks a user can do in Data Catalog, like editing a view description, writing an endorsement or assigning a tag to a web service. In the Configure the Permissions dialog you define which of these tasks a role can do in Data Catalog.
Privileges on the Data Catalog¶
The privileges of a user determine which tasks she can do in the Data Catalog. They are classified in four major groups: catalog management, administration, collaboration and user.
Catalog Management¶
The privileges you can assign from the catalog management group are:
- Create/Delete categories. It allows a user to:
  - Create categories.
  - Delete categories.
  In addition, it implies the privileges Edit categories and Assign categories.
- Edit categories. It allows a user to:
  - Edit the name of a category.
  - Edit the description of a category.
  - Edit the parent category of a category.
  In addition, it implies the privilege Assign categories.
- Assign categories. It allows a user to assign categories to views or web services.
- Create/Delete tags. It allows a user to:
  - Create tags.
  - Delete tags.
  In addition, it implies the privileges Edit tags and Assign tags.
- Edit tags. It allows a user to:
  - Edit the name of a tag.
  - Edit the description of a tag.
  In addition, it implies the privilege Assign tags.
- Assign tags. It allows a user to assign tags to views or web services.
- Create/Delete property groups. It allows a user to:
  - Create property groups.
  - Delete property groups.
  In addition, it implies the privileges Edit property groups and Assign property groups.
- Edit property groups. It allows a user to:
  - Edit the name, description and place to show of a property group.
  - Edit the name, description, type and default value of its properties.
  - Add and remove properties to the property group.
  - Modify the order in which properties and property groups are displayed.
  In addition, it implies the privilege Assign property groups.
- Assign property groups. It allows a user to assign property groups to databases, views or web services.
- Edit elements. It allows a user to:
  - Edit the description of a database.
  - Edit the description of a view and its fields.
  - Edit the logical field names of a view.
  - Edit the description of a web service and its fields.
  - Change the value of the custom properties assigned to databases, views and web services.
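The two resolution rules described so far, a user holding the union of the privileges of all her roles (including roles a role inherits from) and some privileges implying others (Create/Delete categories implying Edit categories and Assign categories, and so on), can be checked with a small model. The following is an added example written for this page, not Denodo code and not the Data Catalog's own implementation. The predefined roles data_catalog_classifier and data_catalog_editor and their privilege lists are the ones documented below on this page; the composite role metadata_curator and the example user are constructed for the example.

```python
"""Resolve a user's effective Data Catalog privileges from her roles.

Added example, not Denodo code. It models the two rules the page describes:
a user holds the union of the privileges of all her roles (roles may inherit
from other roles), and some privileges imply others (for instance,
"Create/Delete categories" implies "Edit categories" and "Assign categories").
The roles data_catalog_classifier and data_catalog_editor and their privilege
lists come from the documentation; the composite role "metadata_curator" and
the example user are constructed for this example.
"""
from collections import deque

# Privilege implications stated in the Catalog Management section:
# holding the key privilege also grants every privilege in the value.
IMPLIES = {
    "Create/Delete categories": {"Edit categories", "Assign categories"},
    "Edit categories": {"Assign categories"},
    "Create/Delete tags": {"Edit tags", "Assign tags"},
    "Edit tags": {"Assign tags"},
    "Create/Delete property groups": {"Edit property groups", "Assign property groups"},
    "Edit property groups": {"Assign property groups"},
}

# Privileges assigned directly to each role.
ROLE_PRIVILEGES = {
    "data_catalog_classifier": {
        "Assign categories", "Assign tags", "Assign property groups",
    },
    "data_catalog_editor": {
        "Edit categories", "Assign categories", "Edit tags", "Assign tags",
        "Edit property groups", "Assign property groups", "Edit elements",
        "Edit endorsements", "Edit warnings",
    },
    # Constructed role: one direct privilege, the rest arrives by inheritance.
    "metadata_curator": {"Create/Delete tags"},
}

# Role composition: a role inherits the privileges of the roles listed here.
ROLE_PARENTS = {
    "metadata_curator": {"data_catalog_editor", "data_catalog_classifier"},
}


def _closure(start, edges):
    """Breadth-first transitive closure over a name -> set-of-names mapping.

    The visited set makes this terminate even if the mapping contains a
    cycle (for example two roles that inherit from each other).
    """
    seen = set()
    queue = deque(start)
    while queue:
        item = queue.popleft()
        if item in seen:
            continue
        seen.add(item)
        queue.extend(edges.get(item, ()))
    return seen


def effective_privileges(user_roles, role_privileges=ROLE_PRIVILEGES,
                         role_parents=ROLE_PARENTS, implies=IMPLIES):
    """Union of the privileges of every role the user holds, directly or by
    inheritance, expanded with the privileges those imply."""
    all_roles = _closure(user_roles, role_parents)
    direct = set()
    for role in all_roles:
        # A role the catalog does not define grants nothing.
        direct |= role_privileges.get(role, set())
    return _closure(direct, implies)


def can_perform(user_roles, privilege, **model):
    """True if the user's effective privileges include the required one."""
    return privilege in effective_privileges(user_roles, **model)


if __name__ == "__main__":
    # Constructed example user who holds only the composite role.
    alice = {"metadata_curator"}
    print(sorted(effective_privileges(alice)))
    print(can_perform(alice, "Edit tags"))                # implied by Create/Delete tags
    print(can_perform(alice, "Create/Delete categories"))  # granted by no role
```

Because resolution always starts from the role definitions, removing a privilege from a role in `ROLE_PRIVILEGES` changes the answer for every user holding that role, which is the point the page makes about not having to go user by user. The cycle guard in `_closure` matters when inheritance is configured in Virtual DataPort by hand: a mutual inheritance between two roles should not hang the check.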
Administration¶
The privileges you can assign from the administration group are:
- Synchronize. It allows a user to launch the synchronization with the Virtual DataPort server.
- Import/Export. It allows a user to:
  - Import or export the metadata and settings of the Data Catalog.
  - Import or export the saved queries of all the users for the current Virtual DataPort server.
- Servers. It allows a user to:
  - Create Virtual DataPort servers.
  - Edit the connection settings of the queries on Virtual DataPort servers.
  - Edit the authentication configuration for enabling single sign-on with Kerberos.
  - Edit the database where the Data Catalog stores its metadata.
  - Create index servers and assign them to Virtual DataPort servers.
- Personalize. It gives a user access to all the personalization settings: informative message, export of query results, usage statistics, theme, etc.
- Content. It allows a user to configure the following settings of the search by content:
  - Default number of fields in a search results summary.
  - Maximum number of results per entity in a search results summary.
  - Search snippets of an index server assigned to a Virtual DataPort server.
- Permissions. It allows a user to assign privileges to roles.
Collaboration¶
The privileges you can assign from the collaboration group are:
- Create endorsements. It allows a user to create endorsements.
- Edit endorsements. It allows a user to edit endorsements.
- Delete endorsements. It allows a user to delete endorsements.
- Create warnings. It allows a user to create warnings.
- Edit warnings. It allows a user to edit warnings.
- Delete warnings. It allows a user to delete warnings.
- Create deprecations. It allows a user to create deprecations.
- Edit deprecations. It allows a user to edit deprecations.
- Delete deprecations. It allows a user to delete deprecations.
User¶
The privileges you can assign from the user group are:
- VQL Shell. It allows a user to access the VQL Shell feature.
Users with Predefined Privileges¶
Data Catalog considers a set of users with predefined privileges assigned to them. They are characterized by their authentication method, their user type or a specific role. The full list of privileged users follows.
Note
In Data Catalog 7.0 the authorization system was based on a specific set of predefined and immutable roles that, when assigned, automatically granted privileges to a user. These roles are kept in Data Catalog 8.0, but redefined in terms of the privileges explained above. Since there is no exact match between the privileges granted in 7.0 and the current privileges, most of them are no longer immutable. You can modify their definition to suit your needs.
Data Catalog Editor¶
Data Catalog editors are users with the data_catalog_editor role. They are granted the following list of privileges; the list is not immutable, you can change it:
- Edit categories
- Assign categories
- Edit tags
- Assign tags
- Edit property groups
- Assign property groups
- Edit elements
- Edit endorsements
- Edit warnings
Data Catalog Classifier¶
Data Catalog classifiers are users with the data_catalog_classifier role. They are granted the following list of privileges; the list is not immutable, you can change it:
- Assign categories
- Assign tags
- Assign property groups
Data Catalog Manager¶
Data Catalog managers are users with the data_catalog_manager role. They are granted the following list of privileges; the list is not immutable, you can change it:
- Create/Delete categories
- Edit categories
- Assign categories
- Create/Delete tags
- Edit tags
- Assign tags
- Create/Delete property groups
- Edit property groups
- Assign property groups
- Edit elements
- Create endorsements
- Edit endorsements
- Delete endorsements
- Create warnings
- Edit warnings
- Delete warnings
- Create deprecations
- Edit deprecations
- Delete deprecations
Data Preparation¶
No specific privilege is needed for the Data Preparation feature. The Data Preparation feature is available to users with the data_catalog_data_preparation role.
Data Catalog Content Administrator¶
Data Catalog content administrators are users with the data_catalog_content_admin role. They are granted the following list of privileges; the list is not immutable, you can change it:
- Personalize
- Content
Data Catalog Administrator¶
Data Catalog administrators are users with the role data_catalog_admin or selfserviceadmin. They are granted the following list of privileges:
- Create/Delete categories
- Edit categories
- Assign categories
- Create/Delete tags
- Edit tags
- Assign tags
- Create/Delete property groups
- Edit property groups
- Assign property groups
- Edit elements
- Synchronize
- Import/Export
- Servers
- Personalize
- Content
- Permissions
- Create endorsements
- Edit endorsements
- Delete endorsements
- Create warnings
- Edit warnings
- Delete warnings
- Create deprecations
- Edit deprecations
- Delete deprecations
- Assisted query
Note
This list of privileges is immutable. You cannot change it.
Data Catalog Exporter¶
Data Catalog exporters are users with the role data_catalog_exporter or selfserviceexporter. In the Export dialog you can configure that these users are the only ones authorized to export the query results to specific formats.
Data Catalog Global Administrator¶
Data Catalog global administrators are users of type administrator in Virtual DataPort or users with the serveradmin role. These users are granted all the privileges in the Data Catalog. They can do any task.
Data Catalog Local User¶
Data Catalog local users are users that access the Data Catalog through the local authentication method. They are allowed to perform the following tasks:
- Create Virtual DataPort servers.
- Edit the connection settings of the queries on Virtual DataPort servers.
- Edit the authentication configuration for enabling single sign-on with Kerberos.
- Edit the database where the Data Catalog stores its metadata.
Important
The roles selfserviceadmin and selfserviceexporter exist in Denodo 9 to keep backward compatibility with Denodo 6.0, but you should not grant them to users anymore. They are deprecated and will be removed in the next major version of Denodo. Use the roles data_catalog_admin and data_catalog_exporter instead.
Data Catalog Assisted Query User¶
Data Catalog assisted query users are users with the role data_catalog_assisted_query. They are granted the following list of privileges:
- Execute all actions of the Assisted Query feature.