Creating Roles

A role is a set of access rights that we can grant to users.

To create a new role, click Role management on the Administration menu and, in the Role Management dialog, click New role. In the dialog that opens, you have to provide the following:

  • The name of the new role.

  • A description.

Then click Ok. After creating the role, you have to assign privileges to these roles. To do this, select the role and click Assign privileges.

In this dialog, you can select the access privileges assigned to this role. The access privileges that you can assign to a role and to a user are the same and work in the same way. The section Modifying the Privileges of a User explains how to assign these privileges.

Note

As explained in the section Roles, if you assign two roles to a user, the “effective permissions” of this user will be the union of the privileges of both roles.

Assigning privileges to a role


You can also assign a role to another role (Role Inheritance), as explained in the section Roles, by clicking Assign roles. Then, for each role you want to assign, select it in the list and click the button beside the list to add it.

In the figure below, you can see that the role “denodo_developer” has the roles “itpilot_developer” and “vdp_developer”. The users that have the role “denodo_developer” will have the privileges assigned to the roles “itpilot_developer”, “vdp_developer” and “denodo_developer”.

Assigning roles to another role (Role inheritance)

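The same setup as in the figure above, done in VQL rather than in the Administration Tool. This is an added example, not part of the original page or of Denodo's own documentation: the statement forms used (CREATE ROLE with an optional description, GRANT ROLE and GRANT ... ON clauses, ALTER ROLE and ALTER USER) are assumed from the Denodo VQL Guide, and the database names sales_db and web_db and the user jsmith are hypothetical. Check the VQL Guide of your Denodo version for the exact grammar before running it.

```sql
-- Added example, not from the original page. Statement syntax assumed from the
-- Denodo VQL Guide; databases sales_db/web_db and user jsmith are hypothetical.

-- 1. Leaf roles: each carries a description and database-level privileges.
CREATE ROLE vdp_developer 'Developers of Virtual DataPort views'
    GRANT CONNECT, CREATE, EXECUTE, METADATA ON sales_db;

CREATE ROLE itpilot_developer 'Developers of ITPilot wrappers'
    GRANT CONNECT, EXECUTE ON web_db;

-- 2. Role inheritance: denodo_developer receives everything the two leaf
--    roles grant, now and whenever those roles change later.
CREATE ROLE denodo_developer 'Umbrella role for all developers'
    GRANT ROLE itpilot_developer, vdp_developer;

-- 3. Privileges granted to the umbrella role itself are added on top of the
--    inherited ones.
ALTER ROLE denodo_developer GRANT CONNECT ON admin;

-- 4. Assign the umbrella role to a user. The effective permissions of jsmith
--    are the union of denodo_developer, itpilot_developer and vdp_developer:
--    CONNECT on admin, CONNECT/EXECUTE on web_db, CONNECT/CREATE/EXECUTE/
--    METADATA on sales_db.
ALTER USER jsmith GRANT ROLE denodo_developer;

-- 5. Removing an inherited role from the parent takes its privileges away from
--    every user of the parent at once, without touching the leaf role itself.
ALTER ROLE denodo_developer REVOKE ROLE itpilot_developer;
```

Because effective permissions are the union of every role a user holds, revoking a privilege from denodo_developer alone does not remove it while vdp_developer (or a role granted directly to the user) still grants it. To actually take a privilege away, revoke it from every role on the user's inheritance path, then confirm the result from the user's perspective rather than from the role you edited.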

Instead of creating the roles manually, you can import them from an LDAP server. Before importing them, you need to do one of these tasks:

  1. Create a database with LDAP authentication that, to authenticate users, uses the LDAP server from which you want to obtain the list of roles.

  2. Or create an LDAP data source that points to the LDAP server from which you want to obtain the list of roles. Create this data source in a database without LDAP authentication. The section LDAP Sources explains how to create an LDAP data source.

After this, click on Import roles from LDAP to display the “Import Roles from LDAP” wizard.

Wizard “Import Roles from LDAP”

The wizard “Import Roles from LDAP” imports the names and descriptions of roles from an LDAP data source (usually, Active Directory). Then, you have to grant them the appropriate privileges.

Import roles from LDAP wizard (1)


You have to provide the following data:

  • Database: select a database that is configured with LDAP authentication or the database that contains the LDAP data source.

    If you select a database with LDAP authentication, the Tool will copy the LDAP configuration of the database to the boxes below. The Tool will disable the box LDAP data source because the wizard will use the LDAP data source of the selected database.

    Alternatively, select a database that contains the LDAP data source that points to the LDAP server from which you want to obtain the list of roles and select the source in the LDAP data source box below.

  • Role base: node of the LDAP server that is used as scope to search nodes that represent roles.

    You can enter more than one “Role base” by clicking the button beside the “Role base” box.

  • Attribute with role name: name of the attribute that contains the name of the role, in the nodes that represent roles.

  • Attribute with role description: name of the attribute that contains the description of the role, in the nodes that represent roles.

  • Role search pattern: pattern used to generate the LDAP queries that will be executed to obtain the nodes that represent the roles you want to import into Virtual DataPort.

Then, click Ok. The Tool will display the roles found in the LDAP server. In this list, select the roles you want to import and click Ok.

Import roles from LDAP wizard (2)


Use the text field at the top to search roles by their name.

This dialog does not list the roles serveradmin or monitor_admin even if they are returned by the LDAP query. The reason is that these roles are automatically defined during the installation of Virtual DataPort so they already exist. See more about these roles in the section Roles.

Default Roles

Virtual DataPort defines the following default roles. They cannot be modified or deleted.

  • allusers: granted by default to new local users. Additionally, you can automatically grant it to all users that connect to Virtual DataPort using Kerberos authentication, SAML 2.0 or to a database with LDAP authentication.

  • assign_tags: grants the privilege of assigning tags to views. The user needs to have the METADATA privilege on the affected views.

  • create_temporary_table: grants the privilege of creating temporary tables. Use it when you want to allow a user account to create temporary tables but do not want to grant the privilege CREATE or CREATE VIEW, because those would also allow the user to create other types of elements.

  • diagnostic_monitoring_tool_admin and diagnostic_monitoring_tool_create_diagnostic: each of these roles grants different privileges over the Diagnostic & Monitoring Tool. The section Authorization of the Diagnostic & Monitoring Tool Guide explains what privileges these roles grant.

  • data_catalog_admin, data_catalog_classifier, data_catalog_content_admin, data_catalog_editor, data_catalog_exporter and data_catalog_manager: each of these roles grants different privileges over the Data Catalog. The section Authorization of the Data Catalog Guide explains what privileges each of these roles grants.

    The roles selfserviceadmin and selfserviceexporter are deprecated: they exist only to keep backward compatibility with Denodo 6.0 and you should not grant them to users anymore. Instead, grant the roles data_catalog_admin and data_catalog_exporter, which are equivalent to selfserviceadmin and selfserviceexporter respectively.

    The section Features Deprecated in Denodo Platform 8.0 lists all the features that are deprecated.

  • disable_cache_query: grants the privilege to execute queries that disable the cache of views over which the user does not have WRITE privileges. The cache is disabled with the context clause 'cache'='off'.

  • impersonator: when users with this role publish REST web services, these services can impersonate other users (see Impersonating a User in the section “Web Services Authentication”).

  • manage_tags: grants the privilege of creating, editing and dropping tags on Virtual DataPort.

  • monitor_admin: grants the privilege of connecting to the monitoring interface of Virtual DataPort. This interface uses the JMX protocol (Java Management Extensions).

    You need this privilege to monitor Virtual DataPort with the Diagnostic & Monitoring Tool, the Denodo Monitor, Oracle VisualVM, Oracle Java Mission Control, Nagios, etc.

    In previous versions of Denodo, the name of this role was jmxadmin; this name is kept for backward compatibility.

  • scheduler_admin: used by the Scheduler Administration Tool. The users that have this role assigned can perform any task in the Scheduler Administration Tool.

    See more about this in the section Permissions of the Scheduler Administration Guide.

  • serveradmin: equivalent to being an administrator user of Virtual DataPort, except that it does not grant the privilege of connecting to Virtual DataPort via JMX. That is, a user with this role can manage databases, change settings of the Server, etc. A user with this role also needs the role “assignprivileges” (see below) to manage the privileges of users and roles.

  • assignprivileges: grants the privilege of granting/revoking privileges to other users.

    Note

    Without this role, a user cannot grant/revoke privileges to the users/roles, not even an administrator.

    Take the following into account:

    • New administrator users have this role by default but you can revoke it from them.

    • You cannot grant privileges or roles to it. This is why it is not listed in the “Role Management” panel, but it is listed in the “Assign roles” dialogs.

    • You can only assign it to administrators or to users that are administrators of at least one database.

    • A non-administrator user with this role can only modify the privileges of the databases for which it is an administrator.

    • Only administrators with this role can grant/revoke roles to users or other roles.

    • Only administrators with this role can modify the description of a role.

  • create_user and create_role: grant the privilege of creating users and roles.

    Take the following into account for both roles:

    • These roles can only be assigned to users or roles that have the privilege ADMIN over one or more databases.

    • These roles can only be assigned to users or roles that have the assignprivileges role.

    • If the assignprivileges role is revoked, these two roles will be revoked automatically.

    • If all the ADMIN privileges are revoked, these two roles will be revoked automatically.