Authorization

The authorization system in the Data Catalog is based on roles, which represent a set of privileges granted to a user. Instead of assigning privileges directly to users, you assign privileges to roles and roles to users. This way, users with the same privileges will share the same role. When you want to change their privileges, you do not need to go user by user. You only change the privileges on the role they share and this change will affect all these users.

Although it may seem simple, using roles for modeling privileges is a powerful tool. You can assign several roles to a user, and she will be granted the union of all the privileges assigned to the roles. In the same way, you can define a role by composition of the privileges assigned to other roles. Just assign a set of roles to another role and it will inherit their privileges.

In practice, to configure the privileges of your users, you have to follow these steps:

  1. Configure the set of roles assigned to a user in the system that manages your user accounts. The specifics of this configuration depend on your authentication method. Take into account that, when you configure the authentication in the Data Catalog, you need to specify how to validate the user credentials and how to extract the roles of an authenticated user. The roles may be retrieved by a search in an LDAP server, from a field of a SAML assertion, etc.

  2. Create the roles in the Virtual DataPort server you are going to connect to.

  3. Assign privileges to the roles, both in Virtual DataPort and in Data Catalog:

    • In Virtual DataPort you define which privileges a role has to access databases, views and web services. Data Catalog respects these privileges, so a user has the same access from Data Catalog as she has from every other Denodo product, like Design Studio, the JDBC driver, etc.

      Note

      Role inheritance is also configured in Virtual DataPort.

    • Any authenticated user in Data Catalog can browse, search and execute views or web services according to her privileges in Virtual DataPort. But there are other tasks a user can do in Data Catalog, like editing a view description, writing an endorsement or assigning a tag to a web service, for example. In the Permissions dialog you can define which tasks a role can do in Data Catalog by granting privileges to it.

In addition to the roles you can create, Virtual DataPort comes with a set of predefined roles. Some of these roles are configured with a list of privileges by default that you can adapt according to your needs. Other predefined roles implicitly represent a privilege, so only those users with the role will be able to perform some task.

Finally, Data Catalog also supports some special users that are authorized to perform specific tasks. Instead of roles, these users are characterized by how they are defined in Virtual DataPort or how they are authenticated in Data Catalog.

Privileges on the Data Catalog

The privileges of a user determine which tasks she can do in the Data Catalog. They are classified in five major groups: catalog management, administration, collaboration, user and request.

Catalog Management

The privileges you can assign from the catalog management group are:

  • Create/Delete categories. It allows a user to:

    • Create categories.

    • Delete categories.

    In addition, it implies the privileges Edit categories and Assign categories.

  • Edit categories. It allows a user to:

    • Edit the name of a category.

    • Edit the description of a category.

    • Edit the parent category of a category.

    In addition, it implies the privilege Assign categories.

  • Assign categories. It allows a user to assign categories to views or web services.

  • Create/Delete tags. It allows a user to:

    • Create tags.

    • Delete tags.

    In addition, it implies the privileges Edit tags and Assign tags.

  • Edit tags. It allows a user to:

    • Edit the name of a tag.

    • Edit the description of a tag.

    In addition, it implies the privilege Assign tags.

  • Assign tags. It allows a user to assign tags to views or web services.

  • Create/Delete property groups. It allows a user to:

    • Create property groups.

    • Delete property groups.

    In addition, it implies the privileges Edit property groups and Assign property groups.

  • Edit property groups. It allows a user to:

    • Edit the name, description and place to show of a property group.

    • Edit the name, description, type and default value of its properties.

    • Add and remove properties to the property group.

    • Modify the order in which properties and property groups are displayed.

    In addition, it implies the privilege Assign property groups.

  • Assign property groups. It allows a user to assign property groups to databases, views or web services.

  • Edit elements. It allows a user to:

    • Edit the description of a database.

    • Edit the description of a view and its fields.

    • Edit the logical field names of a view.

    • Edit the description of a web service and its fields.

    • Change the value of the custom properties assigned to databases, views and web services.

Administration

The privileges you can assign from the administration group are:

  • Synchronize. It allows a user to launch the synchronization with the Virtual DataPort server.

  • Import/Export. It allows a user to:

    • Import or export the metadata and settings of the Data Catalog.

    • Import or export the saved queries of all the users for the current Virtual DataPort server.

  • Servers. It allows a user to:

    • Create Virtual DataPort servers.

    • Edit the connection settings of the queries on Virtual DataPort servers.

    • Edit the authentication configuration for enabling single sign-on with Kerberos.

    • Edit the database where the Data Catalog stores its metadata.

    • Edit the LLM configuration for enabling the AI features of the Data Catalog.

    • Create index servers and assign them to Virtual DataPort servers.

  • Personalize. It allows a user to access all the personalization settings: informative message, export query results, usage statistics, theme, etc.

  • Content. It allows a user to configure the following settings of the search by content:

    • Default number of fields in a search results summary.

    • Maximum number of results per entity in a search results summary.

    • Search snippets of an index server assigned to a Virtual DataPort server.

  • Permissions. It allows a user to assign privileges to roles.

Collaboration

The privileges you can assign from the collaboration group are:

  • Create endorsements. It allows a user to create endorsements.

  • Edit endorsements. It allows a user to edit endorsements.

  • Delete endorsements. It allows a user to delete endorsements.

  • Create warnings. It allows a user to create warnings.

  • Edit warnings. It allows a user to edit warnings.

  • Delete warnings. It allows a user to delete warnings.

  • Create deprecations. It allows a user to create deprecations.

  • Edit deprecations. It allows a user to edit deprecations.

  • Delete deprecations. It allows a user to delete deprecations.

User

The privileges you can assign from the user group are:

  • VQL Shell. It allows a user to execute VQL queries using the VQL Shell.

Request

The privileges you can assign from the request group are:

  • Create access. It allows a user to create an access request.

  • Manage access. It allows a user to manage access requests.

  • Create change. It allows a user to create a change request.

  • Manage change. It allows a user to manage change requests.

  • Create data quality. It allows a user to create a data quality request.

  • Manage data quality. It allows a user to manage data quality requests.

  • Create question. It allows a user to create a question request.

  • Manage question. It allows a user to manage question requests.

  • Configure requests. It allows a user to:

    • Configure the email notifications for request-related events.

    • Read and update the request-related privileges.

Roles with Predefined Privileges

In Data Catalog 7.0 the authorization system was based on a specific set of predefined and immutable roles that, when assigned, automatically granted privileges to a user. These roles are kept in newer versions of Data Catalog, but redefined in terms of the privileges explained above. Since there is no exact match between the privileges granted in 7.0 and the current privileges, they are no longer immutable. You can modify their definition to suit your needs. Let us see the full list of predefined roles with privileges assigned by default.

data_catalog_editor

The data_catalog_editor role grants the following list of privileges by default:

  • Edit categories

  • Assign categories

  • Edit tags

  • Assign tags

  • Edit property groups

  • Assign property groups

  • Edit elements

  • Edit endorsements

  • Edit warnings

data_catalog_classifier

The data_catalog_classifier role grants the following list of privileges by default:

  • Assign categories

  • Assign tags

  • Assign property groups

data_catalog_manager

The data_catalog_manager role grants the following list of privileges by default:

  • Create/Delete categories

  • Edit categories

  • Assign categories

  • Create/Delete tags

  • Edit tags

  • Assign tags

  • Create/Delete property groups

  • Edit property groups

  • Assign property groups

  • Edit elements

  • Create endorsements

  • Edit endorsements

  • Delete endorsements

  • Create warnings

  • Edit warnings

  • Delete warnings

  • Create deprecations

  • Edit deprecations

  • Delete deprecations

data_catalog_content_admin

The data_catalog_content_admin role grants the following list of privileges by default:

  • Personalize

  • Content
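The role composition described at the top of this page (a user holds the union of the privileges of all her roles, and a role can inherit other roles) and the implication rules of the Catalog Management group (Create/Delete implies Edit, Edit implies Assign) can be checked with a small model. The following Python is an added example, not Data Catalog code: it encodes the default privileges of the predefined roles listed above together with the implication rules, adds a hypothetical role hierarchy (tag_curator and finance_stewards are assumptions, not roles that ship with the product), and computes what a user effectively holds, including the privileges she only gets by implication. That last set is the one to review when auditing a role, since granting Create/Delete tags silently grants Edit tags and Assign tags as well.

```python
"""Model of Data Catalog privilege resolution: union over roles, role
inheritance, and implied privileges. Added example, not product code."""

from __future__ import annotations

from collections.abc import Iterable, Mapping

# Implication rules described in the Catalog Management group.
IMPLIES: dict[str, set[str]] = {
    "Create/Delete categories": {"Edit categories"},
    "Edit categories": {"Assign categories"},
    "Create/Delete tags": {"Edit tags"},
    "Edit tags": {"Assign tags"},
    "Create/Delete property groups": {"Edit property groups"},
    "Edit property groups": {"Assign property groups"},
}

# Default privileges of predefined roles as listed on this page, plus two
# hypothetical custom roles (assumptions for the example).
ROLE_PRIVILEGES: dict[str, set[str]] = {
    "data_catalog_classifier": {
        "Assign categories", "Assign tags", "Assign property groups",
    },
    "data_catalog_editor": {
        "Edit categories", "Assign categories", "Edit tags", "Assign tags",
        "Edit property groups", "Assign property groups", "Edit elements",
        "Edit endorsements", "Edit warnings",
    },
    "data_catalog_content_admin": {"Personalize", "Content"},
    "tag_curator": {"Create/Delete tags"},      # hypothetical
    "finance_stewards": set(),                  # hypothetical, inherits only
}

# Role inheritance, which this page says is configured in Virtual DataPort.
# Hypothetical hierarchy for the example.
ROLE_PARENTS: dict[str, set[str]] = {
    "finance_stewards": {"data_catalog_editor", "data_catalog_content_admin"},
}


def close_privileges(privileges: Iterable[str],
                     implies: Mapping[str, set[str]] = IMPLIES) -> set[str]:
    """Transitive closure: add every privilege implied by a granted one."""
    result: set[str] = set()
    pending = list(privileges)
    while pending:
        priv = pending.pop()
        if priv in result:
            continue
        result.add(priv)
        pending.extend(implies.get(priv, ()))
    return result


def expand_roles(roles: Iterable[str],
                 parents: Mapping[str, set[str]] = ROLE_PARENTS) -> set[str]:
    """All roles reachable through inheritance; a visited set makes it
    safe even if a misconfiguration creates a cycle between roles."""
    seen: set[str] = set()
    pending = list(roles)
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        pending.extend(parents.get(role, ()))
    return seen


def explicit_privileges(user_roles: Iterable[str],
                        role_privileges: Mapping[str, set[str]] = ROLE_PRIVILEGES,
                        parents: Mapping[str, set[str]] = ROLE_PARENTS) -> set[str]:
    """Union of the privileges directly assigned to the user's roles and
    to every role they inherit."""
    granted: set[str] = set()
    for role in expand_roles(user_roles, parents):
        granted |= role_privileges.get(role, set())
    return granted


def effective_privileges(user_roles: Iterable[str],
                         role_privileges: Mapping[str, set[str]] = ROLE_PRIVILEGES,
                         parents: Mapping[str, set[str]] = ROLE_PARENTS,
                         implies: Mapping[str, set[str]] = IMPLIES) -> set[str]:
    """What the user can actually do: explicit grants plus implications."""
    return close_privileges(explicit_privileges(user_roles, role_privileges, parents),
                            implies)


def implied_only(user_roles: Iterable[str],
                 role_privileges: Mapping[str, set[str]] = ROLE_PRIVILEGES,
                 parents: Mapping[str, set[str]] = ROLE_PARENTS,
                 implies: Mapping[str, set[str]] = IMPLIES) -> set[str]:
    """Privileges the user holds only by implication, never granted by name.
    These are the ones an audit of the Permissions dialog will not show."""
    explicit = explicit_privileges(user_roles, role_privileges, parents)
    return close_privileges(explicit, implies) - explicit


if __name__ == "__main__":
    for roles in (["tag_curator"], ["finance_stewards"], ["data_catalog_classifier"]):
        print(roles, sorted(effective_privileges(roles)),
              "implied only:", sorted(implied_only(roles)))
```

A user whose directory group maps to tag_curator ends up with Edit tags and Assign tags although the role was only ever granted Create/Delete tags; finance_stewards, which has no privileges of its own, receives the full union of data_catalog_editor and data_catalog_content_admin through inheritance.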

Roles with Implicit Privileges

There are some privileges that cannot be assigned to a role through the Permissions dialog. Instead, they are automatically granted when a specific role is assigned to a user. Let us see the list of predefined roles that implicitly grant privileges in Data Catalog.

data_catalog_exporter

To configure how users can export the results of a query, Data Catalog provides the Export dialog. Among the available options, you can restrict the set of authorized users to Data Catalog exporters. These are the users with the data_catalog_exporter role or, for backward compatibility, the selfserviceexporter role.

data_catalog_data_preparation

Data Catalog offers several methods to retrieve data from views. One of them is data preparation. This feature is only available for those users with the data_catalog_data_preparation role.

data_catalog_assisted_query

Data Catalog allows you to retrieve data from views using natural language through assisted queries. This feature is only available for those users with the data_catalog_assisted_query role.

data_catalog_admin

Data Catalog administrators are users with the data_catalog_admin role or, for backward compatibility, the selfserviceadmin role. They are authorized to do anything in Data Catalog.

Important

The roles selfserviceadmin and selfserviceexporter exist in Denodo 9 to keep backward compatibility with Denodo 6.0 but you should not grant them to users anymore. They are deprecated and will be removed in the next major version of Denodo. Use the roles data_catalog_admin and data_catalog_exporter instead.

Users with Implicit Privileges

Data Catalog supports some special users whose privileges are not based on roles, but on how they are defined in Virtual DataPort or on the authentication used to connect to Data Catalog. Let us see these users in more detail.

Data Catalog Local User

Data Catalog local users are users who access the Data Catalog through the local authentication method. They are allowed to perform the following tasks:

  • Create Virtual DataPort servers.

  • Edit the connection settings of the queries on Virtual DataPort servers.

  • Edit the authentication configuration for enabling single sign-on with Kerberos.

  • Edit the database where the Data Catalog stores its metadata.

Denodo Global Administrator

Users of type administrator in Virtual DataPort are considered global administrators in the Denodo Platform and can act as administrators for every Denodo product. Therefore, as Data Catalog administrators, they are authorized to do anything.

Note that users with the serveradmin role or the saas_server_admin role are also considered global administrators.

Data Catalog Assisted Query User

Data Catalog assisted query users are users with the role data_catalog_assisted_query.

They are granted the following privileges:

  • Execute all actions of the Assisted Query feature.

Note

This role does not have permission to configure the Assisted Query feature. To enable or configure this feature, a role with the Personalize privilege is required.