Creating the Roles of the Virtual DataPort Users
Kerberos is an authentication mechanism. That is, it verifies “who you are”. However, you also need an authorization mechanism to verify what each user can do, once it has been authenticated. Virtual DataPort provides an authorization mechanism based on the groups that each user belongs to in the Active Directory or any other LDAP server.
At runtime, when a user connects to a Virtual DataPort server with Kerberos authentication, the Server obtains the names of the groups assigned to this user in the Active Directory and treats them as role names. The actions that the user is authorized to do are defined by the privileges assigned to the roles with those names in Virtual DataPort. Therefore, you have to create roles in Virtual DataPort whose names match the names of the Active Directory groups these users belong to. Then, assign privileges to these roles in Virtual DataPort.
The process to create these roles is the same as the one described for databases with LDAP authentication. The section LDAP Authentication explains how to do this.
Before any user can connect to Virtual DataPort using Kerberos authentication, you have to do this:

1. Create roles in Virtual DataPort and grant them the appropriate privileges.

   Create a role for each type of user you want to have. For example: administrators of Denodo, administrators of project X, administrators of project Y, developers, etc. Grant the role “serveradmin” to the role for the administrators of Denodo, grant the privilege ADMIN over the database of the project X to the role for the administrators of this project, etc.

2. In the Active Directory of your organization, create groups with the same name as the roles you have created and add the users to the appropriate groups.

For example:

1. In Virtual DataPort, create the role “denodo_administrator_production” and, in the production servers, grant the role “serveradmin” to this role.
2. In the Active Directory, create the group “denodo_administrator_production” if it does not exist and add the appropriate users to this group.
To grant a user the role “serveradmin”, “assignprivileges” or any other default role, it is not possible to do so by creating groups in the Active Directory with these names and adding the users to these groups.
For example, if in the Active Directory you create a group called “serveradmin” and add users to this group, when these users log in to Virtual DataPort, they will not have this role. That is because when a user logs in, Virtual DataPort ignores the groups assigned in the Active Directory that have the same name as the “default roles”.
The goal of this behavior is to ensure that only the administrators of Denodo grant administrative privileges to users. Otherwise, the administrators of the Active Directory could grant special privileges to users without going through the approval of the administrators of Denodo.
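The following Python model is an added illustration, not Denodo's code, of the authorization rules described in this section: Active Directory groups are matched by name against roles defined in Virtual DataPort, groups named like a default role are ignored, and a default role such as “serveradmin” can only be obtained through a grant made inside Virtual DataPort (the “denodo_administrator_production” example above). The role names, privilege strings, and the in-memory directory of users and groups are constructed sample data; only the resolution rules come from the documentation.

```python
"""Toy model of how a Kerberos user's authorization is derived from Active
Directory group membership, following the rules in this section.
Constructed example, not Denodo's implementation: the names, the privilege
strings and the AD lookup are assumptions made for illustration."""
from typing import Dict, Set

# Default roles that are never taken from Active Directory group names.
# The page names "serveradmin" and "assignprivileges"; any other default
# role would belong in this set as well.
DEFAULT_ROLES: Set[str] = {"serveradmin", "assignprivileges"}

# Roles that exist in Virtual DataPort, each mapped to the roles granted to
# it by a Denodo administrator (role-to-role grants). Constructed sample.
VDP_ROLE_GRANTS: Dict[str, Set[str]] = {
    "serveradmin": set(),
    "assignprivileges": set(),
    "denodo_administrator_production": {"serveradmin"},  # as in the example above
    "project_x_administrator": set(),
    "project_x_developer": set(),
}

# Database privileges granted to each role, written as "<database>:<privilege>".
# "*:ALL" is shorthand used here for "every privilege on every database".
VDP_ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "serveradmin": {"*:ALL"},
    "project_x_administrator": {"project_x:ADMIN"},
    "project_x_developer": {"project_x:CONNECT", "project_x:CREATE"},
}

# Simulated Active Directory: user -> groups. Constructed sample data.
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"denodo_administrator_production", "project_x_developer"},
    # bob was added directly to an AD group named like a default role;
    # per the documentation this grants him nothing.
    "bob": {"serveradmin", "project_x_developer"},
    # carol's group has no matching role in Virtual DataPort.
    "carol": {"project_y_developer"},
}


def mapped_roles(groups: Set[str]) -> Set[str]:
    """Roles obtained directly from AD groups: a group counts only if a role
    with the same name exists in VDP and that name is not a default role."""
    return {g for g in groups if g in VDP_ROLE_GRANTS and g not in DEFAULT_ROLES}


def effective_roles(user: str) -> Set[str]:
    """Expand the role-to-role grants made inside VDP. A default role can
    arrive only through this expansion, never from the AD group name."""
    roles = mapped_roles(AD_GROUPS.get(user, set()))
    pending = list(roles)
    while pending:
        role = pending.pop()
        for granted in VDP_ROLE_GRANTS.get(role, set()):
            if granted not in roles:
                roles.add(granted)
                pending.append(granted)
    return roles


def effective_privileges(user: str) -> Set[str]:
    """Union of the database privileges of all effective roles."""
    privileges: Set[str] = set()
    for role in effective_roles(user):
        privileges |= VDP_ROLE_PRIVILEGES.get(role, set())
    return privileges


def is_server_admin(user: str) -> bool:
    """True only if "serveradmin" was reached through a grant made in VDP."""
    return "serveradmin" in effective_roles(user)


if __name__ == "__main__":
    for name in AD_GROUPS:
        print(name, sorted(effective_roles(name)), sorted(effective_privileges(name)))
```

Running the block shows the point of the rule: alice becomes a server administrator because a Denodo administrator granted “serveradmin” to the “denodo_administrator_production” role in Virtual DataPort, whereas bob's membership in an Active Directory group literally named “serveradmin” is ignored and he keeps only the developer privileges of project X.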