Authorization¶
The authorization system in the Data Catalog is based on roles, which represent a set of privileges granted to a user. Instead of assigning privileges directly to users, you assign privileges to roles and roles to users. This way, users with the same privileges will share the same role. When you want to change their privileges, you do not need to go user by user. You only change the privileges on the role they share and this change will affect all these users.
Although it may seem simple, using roles for modeling privileges is a powerful tool. You can assign several roles to a user, and she will be granted the union of all the privileges assigned to the roles. In the same way, you can define a role by composition of the privileges assigned to other roles. Just assign a set of roles to another role and it will inherit their privileges.
In practice, to configure the privileges of your users, you have to follow these steps:
Configure the set of roles assigned to a user in the system that manages your user accounts. The specifics of this configuration depend on your authentication method. Take into account that, when you configure the authentication in the Data Catalog, you need to specify both how to validate the user credentials and how to extract the roles of an authenticated user. The roles may be retrieved by a search in an LDAP server, from a field of a SAML assertion, etc.
Create the roles in the Virtual DataPort server you are going to connect to.
Assign privileges to the roles, both in Virtual DataPort and in Data Catalog:
In Virtual DataPort you define which privileges a role has to access databases, views and web services. Data Catalog respects these privileges, so a user has the same access from Data Catalog as she has from every other Denodo product, like Design Studio, the JDBC driver, etc.
Note
Role inheritance is also configured in Virtual DataPort.
Any authenticated user in Data Catalog can browse, search and execute views or web services according to her privileges in Virtual DataPort. But there are other tasks a user can do in Data Catalog, like editing a view description, writing an endorsement or assigning a tag to a web service, for example. In the Permissions dialog you can define which tasks a role can do in Data Catalog by granting privileges to it.
In addition to the roles you can create, Virtual DataPort comes with a set of predefined roles. Some of these roles are configured with a list of privileges by default that you can adapt according to your needs. Other predefined roles implicitly represent a privilege, so only those users with the role will be able to perform some task.
Finally, Data Catalog also supports some special users that are authorized to perform specific tasks. Instead of roles, these users are characterized by how they are defined in Virtual DataPort or how they are authenticated in Data Catalog.
Privileges on the Data Catalog¶
The privileges of a user determine which tasks she can do in the Data Catalog. They are classified in five major groups: catalog management, administration, collaboration, user and request.
Catalog Management¶
The privileges you can assign from the catalog management group are:
Create/Delete categories. It allows a user to:
Create categories.
Delete categories.
In addition, it implies the privileges Edit categories and Assign categories.
Edit categories. It allows a user to:
Edit the name of a category.
Edit the description of a category.
Edit the parent category of a category.
In addition, it implies the privilege Assign categories.
Assign categories. It allows a user to assign categories to views or web services.
Create/Delete tags. It allows a user to
Create tags.
Delete tags.
In addition, it implies the privileges Edit tags and Assign tags.
Edit tags. It allows a user to:
Edit the name of a tag.
Edit the description of a tag.
In addition, it implies the privilege Assign tags.
Assign tags. It allows a user to assign tags to views or web services.
Create/Delete property groups. It allows a user to:
Create property groups.
Delete property groups.
In addition, it implies the privileges Edit property groups and Assign property groups.
Edit property groups. It allows a user to:
Edit the name, description and place to show of a property group.
Edit the name, description, type and default value of its properties.
Add and remove properties to the property group.
Modify the order in which properties and property groups are displayed.
In addition, it implies the privilege Assign property groups.
Assign property groups. It allows a user to assign property groups to databases, views or web services.
Edit elements. It allows a user to:
Edit the description of a database.
Edit the description of a view and its fields.
Edit the logical field names of a view.
Edit the description of a web service and its fields.
Change the value of the custom properties assigned to databases, views and web services.
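The two mechanisms described above, composing roles so that a user gets the union of the privileges of all her roles (including inherited ones), and the implication chain within the catalog management group (Create/Delete implies Edit, which implies Assign), can be captured in a few dozen lines. The following is an added illustration written for this page, not Denodo's own code: the privilege names, the implication rules and the predefined roles data_catalog_classifier, data_catalog_editor and data_catalog_admin are taken from this page, while the helper functions, the role catalog_power_user and the user names are assumptions made for the example.

```python
"""Toy model of the Data Catalog role/privilege resolution described on this page.

Added illustration, not Denodo's own code. Privilege names and the implication
chain (Create/Delete -> Edit -> Assign) come from the page; the functions,
the role "catalog_power_user" and the user names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Implications stated on the page for the catalog management group.
IMPLIES: dict[str, frozenset[str]] = {
    "Create/Delete categories": frozenset({"Edit categories", "Assign categories"}),
    "Edit categories": frozenset({"Assign categories"}),
    "Create/Delete tags": frozenset({"Edit tags", "Assign tags"}),
    "Edit tags": frozenset({"Assign tags"}),
    "Create/Delete property groups": frozenset({"Edit property groups", "Assign property groups"}),
    "Edit property groups": frozenset({"Assign property groups"}),
}

# Roles the page says are authorized to do anything in Data Catalog.
ADMIN_ROLES = frozenset({"data_catalog_admin", "selfserviceadmin"})


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset[str] = frozenset()
    parents: frozenset[str] = frozenset()  # roles this role inherits from


def close_over_implications(privileges: set[str]) -> set[str]:
    """Add every privilege implied, transitively, by the ones granted."""
    result = set(privileges)
    pending = list(privileges)
    while pending:
        current = pending.pop()
        for implied in IMPLIES.get(current, ()):
            if implied not in result:
                result.add(implied)
                pending.append(implied)
    return result


def effective_privileges(user_roles, roles: dict[str, Role]) -> set[str]:
    """Union of the privileges of the user's roles and of every inherited role.

    Assumption for this example: an unknown role name contributes nothing
    (fail closed), and a cycle in the inheritance graph is visited once
    rather than looped on.
    """
    granted: set[str] = set()
    seen: set[str] = set()
    stack = list(user_roles)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles.get(name)
        if role is None:
            continue
        granted |= role.privileges
        stack.extend(role.parents)
    return close_over_implications(granted)


def is_authorized(user_roles, roles: dict[str, Role], privilege: str) -> bool:
    """Decide one task: admin roles bypass the check, everyone else needs the privilege."""
    if ADMIN_ROLES.intersection(user_roles):
        return True
    return privilege in effective_privileges(user_roles, roles)


def build_roles() -> dict[str, Role]:
    """Predefined roles taken from the page plus one hypothetical composite role."""
    defined = [
        Role("data_catalog_classifier", frozenset({
            "Assign categories", "Assign tags", "Assign property groups"})),
        Role("data_catalog_editor", frozenset({
            "Edit categories", "Assign categories", "Edit tags", "Assign tags",
            "Edit property groups", "Assign property groups", "Edit elements",
            "Edit endorsements", "Edit warnings"})),
        Role("data_catalog_admin"),
        # Hypothetical role: inherits everything from data_catalog_editor and
        # adds Create/Delete tags, which in turn implies Edit tags and Assign tags.
        Role("catalog_power_user", frozenset({"Create/Delete tags"}),
             parents=frozenset({"data_catalog_editor"})),
    ]
    return {r.name: r for r in defined}


if __name__ == "__main__":
    roles = build_roles()
    users = {"alice": ["data_catalog_classifier"],           # constructed sample users
             "bob": ["catalog_power_user", "data_catalog_classifier"],
             "carol": ["data_catalog_admin"]}
    for user, assigned in users.items():
        print(user, sorted(effective_privileges(assigned, roles)))
        print("  may create/delete tags:", is_authorized(assigned, roles, "Create/Delete tags"))
```

The point to take from running it is that bob, who holds no role that lists Edit tags or Assign tags directly beyond what data_catalog_editor grants, still ends up with Create/Delete tags through catalog_power_user and therefore with everything that privilege implies, while alice, a classifier only, is denied Edit tags. When you audit who can do what in Data Catalog, resolve roles all the way through inheritance and implication as this function does; reading the Permissions dialog for a single role understates what its holders can do.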
Administration¶
The privileges you can assign from the administration group are:
Synchronize. It allows a user to launch the synchronization with the Virtual DataPort server.
Import/Export. It allows a user to:
Import or export the metadata and settings of the Data Catalog.
Import or export the saved queries of all the users for the current Virtual DataPort server.
Servers. It allows a user to:
Create Virtual DataPort servers.
Edit the connection settings of the queries on Virtual DataPort servers.
Edit the authentication configuration for enabling single sign-on with Kerberos.
Edit the database where the Data Catalog stores its metadata.
Edit the LLM configuration for enabling the AI features of the Data Catalog.
Create index servers and assign them to Virtual DataPort servers.
Personalize. It allows a user access to all the personalization settings: informative message, export query results, usage statistics, theme, etc.
Content. It allows a user to configure the following settings of the search by content:
Default number of fields in a search results summary.
Maximum number of results per entity in a search results summary.
Search snippets of an index server assigned to a Virtual DataPort server.
Permissions. It allows a user to assign privileges to roles. Since a user holding it can grant any Data Catalog privilege to any role, including the roles she holds herself, treat it as an administrative privilege and grant it as sparingly as the Servers privilege.
Collaboration¶
The privileges you can assign from the collaboration group are:
Create endorsements. It allows a user to create endorsements.
Edit endorsements. It allows a user to edit endorsements.
Delete endorsements. It allows a user to delete endorsements.
Create warnings. It allows a user to create warnings.
Edit warnings. It allows a user to edit warnings.
Delete warnings. It allows a user to delete warnings.
Create deprecations. It allows a user to create deprecations.
Edit deprecations. It allows a user to edit deprecations.
Delete deprecations. It allows a user to delete deprecations.
User¶
The privileges you can assign from the user group are:
VQL Shell. It allows a user to execute VQL queries using the VQL Shell.
Request¶
The privileges you can assign from the request group are:
Create access. It allows a user to create an access request.
Manage access. It allows a user to manage access requests.
Create change. It allows a user to create a change request.
Manage change. It allows a user to manage change requests.
Create data quality. It allows a user to create a data quality request.
Manage data quality. It allows a user to manage data quality requests.
Create question. It allows a user to create a question request.
Manage question. It allows a user to manage question requests.
Configure requests. It allows a user to:
Configure the email notifications for request-related events.
Read and update the request-related privileges.
Roles with Predefined Privileges¶
In Data Catalog 7.0 the authorization system was based on a specific set of predefined and immutable roles that, when assigned, automatically granted privileges to a user. These roles are kept in newer versions of Data Catalog, but redefined in terms of the privileges explained above. Since there is no exact match between the privileges granted in 7.0 and the current privileges, they are no longer immutable. You can modify their definition to suit your needs. Let us see the full list of predefined roles with privileges assigned by default.
data_catalog_editor¶
The data_catalog_editor role grants the following privileges by default:
Edit categories
Assign categories
Edit tags
Assign tags
Edit property groups
Assign property groups
Edit elements
Edit endorsements
Edit warnings
data_catalog_classifier¶
The data_catalog_classifier role grants the following privileges by default:
Assign categories
Assign tags
Assign property groups
data_catalog_manager¶
The data_catalog_manager role grants the following privileges by default:
Create/Delete categories
Edit categories
Assign categories
Create/Delete tags
Edit tags
Assign tags
Create/Delete property groups
Edit property groups
Assign property groups
Edit elements
Create endorsements
Edit endorsements
Delete endorsements
Create warnings
Edit warnings
Delete warnings
Create deprecations
Edit deprecations
Delete deprecations
data_catalog_content_admin¶
The data_catalog_content_admin role grants the following privileges by default:
Personalize
Content
Roles with Implicit Privileges¶
There are some privileges that cannot be assigned to a role through the Permissions dialog. Instead, they are automatically granted when a specific role is assigned to a user. Let us see the list of predefined roles that implicitly grant privileges in Data Catalog.
data_catalog_exporter¶
To configure how users can export the results of a query, Data Catalog provides the Export dialog. Among the available options, you can restrict the set of authorized users to Data Catalog exporters. These are the users with the data_catalog_exporter role or, for backward compatibility, the selfserviceexporter role.
data_catalog_data_preparation¶
Data Catalog offers several methods to retrieve data from views. One of them is data preparation. This feature is only available to users with the data_catalog_data_preparation role.
data_catalog_assisted_query¶
Data Catalog allows you to retrieve data from views using natural language through assisted queries. This feature is only available to users with the data_catalog_assisted_query role.
data_catalog_admin¶
Data Catalog administrators are users with the data_catalog_admin role or, for backward compatibility, the selfserviceadmin role. They are authorized to do anything in Data Catalog.
Important
The roles selfserviceadmin and selfserviceexporter exist in Denodo 9 to keep backward compatibility with Denodo 6.0, but you should not grant them to users anymore. They are deprecated and will be removed in the next major version of Denodo. Use the roles data_catalog_admin and data_catalog_exporter instead.
Users with Implicit Privileges¶
Data Catalog supports some special users whose privileges are not based on roles, but on how they are defined in Virtual DataPort or on the authentication used to connect to Data Catalog. Let us see these users in more detail.
Data Catalog Local User¶
Data Catalog local users are users that access the Data Catalog through the local authentication method. They are allowed to perform the following tasks:
Create Virtual DataPort servers.
Edit the connection settings of the queries on Virtual DataPort servers.
Edit the authentication configuration for enabling single sign-on with Kerberos.
Edit the database where the Data Catalog stores its metadata.
Denodo Global Administrator¶
Users of type administrator in Virtual DataPort are considered global administrators in the Denodo Platform and can act as administrators for every Denodo product. Therefore, as Data Catalog administrators, they are authorized to do anything.
Note that users with the serveradmin role or the saas_server_admin role are also considered global administrators.
Data Catalog Assisted Query User¶
Data Catalog assisted query users are users with the data_catalog_assisted_query role. They are granted the following privilege:
Execute all actions of the Assisted Query feature.
Note
This role does not grant permission to configure the Assisted Query feature. To enable or configure this feature, a role with the Personalize privilege is required.