Authorization

Once the Solution Manager authenticates a user, it authorizes this user. That is, it determines what tasks this user is allowed to perform on the Solution Manager.

There are two types of privileges:

  1. Global privileges (see below).

  2. Privileges granted to a role for a specific environment (see below).

The following sections explain what kind of users the Solution Manager considers and what privileges they have.

Global Privileges

Global privileges are privileges that you grant to a user or a role over all the environments or over all the environments of a certain type. If you need more fine-grained control over what users are allowed to do, see the section Privileges Granted to a Role For an Environment below.

Global Administrator (global_admin)

Global administrators are users that have the role global_admin. These users can perform any operation on the Solution Manager.

Solution Manager Administrator (solution_manager_admin)

The administrators of the Solution Manager are users that have the role solution_manager_admin. Grant this role to the users that are going to be in charge of administering the Solution Manager and managing the Denodo licenses of the organization.

Users with this role can do these tasks:

yes Create, edit and remove environments, clusters and servers.

yes Set the Version Control System configuration.

yes Set the Solution Manager Database configuration.

yes Set the Informative Message configuration.

yes Manage licenses.

yes For AWS-managed environments, start and stop its clusters and check cluster events.

yes For AWS-managed environments, install Denodo updates.

but cannot:

no Manage deployment configurations.

no Manage load balancing variables.

no Set Virtual DataPort nor Scheduler properties in environments and clusters.

no Create, edit nor remove revisions.

no Access revisions nor deployments.

no Validate and deploy revisions.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import and export catalog elements.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of the environments.

Promotion Administrator (solution_manager_promotion_admin)

Promotion administrators are users that have the role solution_manager_promotion_admin. Grant this role to the users that are going to be in charge of creating revisions and promoting them from the development environment to testing, from testing to production, etc.

Users with this role can do these tasks:

yes Access the main information of the elements of the catalog in read only mode.

yes Manage deployment configurations.

yes Manage load balancing variables.

yes Set Virtual DataPort and Scheduler properties in environments and clusters.

yes Create, edit and remove her own revisions.

yes Create revisions by loading a VQL file.

yes Access the revisions from other users in read only mode.

yes Validate and deploy revisions.

but cannot:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Edit nor remove revisions from other users.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of the environments.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

Promotion Administrator for Specific Environments (solution_manager_promotion_admin_*)

Promotion administrators for certain environments are users that have one or more of these roles:

  • solution_manager_promotion_admin_development

  • solution_manager_promotion_admin_staging

  • solution_manager_promotion_admin_production

The users with these roles can do the same tasks as the promotion administrators but only on specific target environments. For example, the users with the role solution_manager_promotion_admin_production can only validate and deploy revisions on the environments whose license scenario is production.

The table Solution manager promotion roles below shows an overview of the different Solution Manager promotion administrator roles with their privileges to promote revisions created by users to different environment types.

Promotion (solution_manager_promotion)

Promotion users are users that have the role solution_manager_promotion. Grant this role to the users that are going to be responsible for creating revisions, validating these revisions and deploying them.

Users with this role can do these tasks:

yes Access the main information of the elements of the catalog in read only mode.

yes Create, edit and remove her own revisions.

yes Validate her own revisions.

yes Deploy her own revisions.

but cannot:

no Create, edit nor remove environments, clusters and servers.

no Create revisions loading a VQL file.

no Manage deployment configurations.

no Manage load balancing variables.

no Set Virtual DataPort nor Scheduler properties in environments and clusters.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Access, validate nor deploy revisions from other users.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of the environments.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

Promotion for Specific Environments (solution_manager_promotion_*)

Promotion users for certain environments are users that have one or more of these roles:

  • solution_manager_promotion_development

  • solution_manager_promotion_production

  • solution_manager_promotion_staging

Grant these roles to the users that are going to be responsible for creating revisions, validating these revisions and deploying them.

The Solution Manager treats such a user as a promotion user, with the difference that she can only validate and deploy her own revisions in the target environments that have the specific scenario assigned. For example, a user with the role solution_manager_promotion_staging can only validate and deploy her own revisions in staging environments.

Overview of the Promotion Roles

The following table shows an overview of the different Solution Manager promotion roles with their privileges to promote revisions created by users to different environment types:

Solution manager promotion roles

Role

User

Environment Type

other user

own user

development

staging

production

solution_manager_promotion_development

dot

dot

solution_manager_promotion_staging

dot

dot

solution_manager_promotion_production

dot

dot

dot

dot

solution_manager_promotion

dot

dot

dot

dot

solution_manager_promotion_admin_development

dot

dot

dot

solution_manager_promotion_admin_staging

dot

dot

dot

solution_manager_promotion_admin_production

dot

dot

dot

solution_manager_promotion_admin

dot

dot

dot

dot

dot

For example, a user with the role solution_manager_promotion_development can only promote revisions created by herself in any development environment. A user with the role solution_manager_promotion_admin_production can only promote revisions, created by herself or by other users, in any production environment.
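The promotion rules described in the role sections above can be written as a small access-review check. This is an added example, not code from Denodo or the Solution Manager; it follows the prose rules rather than the table, and the function names, the `OTHER_USER` sentinel and the sample user assignments are hypothetical.

```python
"""Added example: promotion rules as stated in the prose of the role sections above."""
ENV_TYPES = ("development", "staging", "production")
PREFIX = "solution_manager_promotion"
OTHER_USER = object()  # sentinel: a revision owner that is never the reviewed user


def build_promotion_roles():
    """Map each of the eight promotion roles to (may_promote_others, environment types)."""
    roles = {}
    for admin in (False, True):
        base = PREFIX + ("_admin" if admin else "")
        roles[base] = (admin, frozenset(ENV_TYPES))             # unscoped: all types
        for env in ENV_TYPES:
            roles[f"{base}_{env}"] = (admin, frozenset({env}))  # scoped to one type
    return roles


PROMOTION_ROLES = build_promotion_roles()


def can_promote(roles, user, revision_owner, env_type):
    """True if `user`, holding `roles`, may validate and deploy the revision there."""
    if env_type not in ENV_TYPES:
        raise ValueError(f"unknown environment type: {env_type!r}")
    for role in roles:
        if role == "global_admin":          # can do any operation
            return True
        if role not in PROMOTION_ROLES:     # e.g. solution_manager_admin, monitor_admin
            continue
        may_promote_others, env_types = PROMOTION_ROLES[role]
        if env_type in env_types and (may_promote_others or user == revision_owner):
            return True
    return False


def production_promoters_of_others(assignments):
    """Access review: users who can deploy another user's revision to production."""
    return sorted(
        user for user, roles in assignments.items()
        if can_promote(roles, user, OTHER_USER, "production")
    )


# Constructed sample assignments (user names are hypothetical).
ASSIGNMENTS = {
    "alice": ["solution_manager_promotion_staging"],
    "bob": ["solution_manager_promotion_admin_production"],
    "carol": ["solution_manager_promotion", "monitor_admin"],
    "dave": ["solution_manager_admin"],
    "erin": ["global_admin"],
    "frank": ["solution_manager_promotion_admin_development"],
}

if __name__ == "__main__":
    print(production_promoters_of_others(ASSIGNMENTS))
```

Running the review over an export of real role assignments gives the list of accounts to examine first when checking separation of duties on production.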

Monitor Administrators

Monitor administrators are users that have the role monitor_admin. Grant this role to the users that are going to be in charge of monitoring the Denodo servers and diagnosing issues in them.

Users with this role can do these tasks:

yes Access the main information of the elements of the catalog in read only mode.

yes Change the logging level of Virtual DataPort servers.

yes Execute Denodo Monitor to gather the execution logs of the Virtual DataPort servers.

yes From My applications, users will be able to connect to the Diagnostic & Monitoring tool of the environments.

but cannot:

no Create, edit nor remove environments, clusters and servers.

no Manage deployment configurations.

no Manage load balancing variables.

no Set Virtual DataPort nor Scheduler properties in environments and clusters.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Create, edit nor remove revisions.

no Access revisions nor deployments.

no Validate and deploy revisions.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog and Scheduler of the environments.

Privileges Granted to a Role For an Environment

This section explains how to grant privileges to users over a specific environment. These privileges are more fine-grained than the ones explained in the section above. You cannot grant these privileges directly to users, only to roles.

To grant a privilege to a role over a specific environment, follow these steps:

  1. Click the menu Configuration > Permissions. This page lists all the environments.

  2. Click the key button in the row of the environment. This will open a new tab: Permissions by environment.

  3. In this tab, click New, select the role and click Add role.

  4. Select one or more privileges.

  5. Click save.

Permissions by environment tab


The following list explains what each privilege allows the user to do over an environment:

CONNECT

Grant the Connect privilege to the users over the development environments in which they participate. That way, they will be able to use the Solution Manager as a single point of entry to the applications of Denodo.

Users with this privilege over an environment have access to the following:

yes From My applications, users will be able to connect to the Design Studio and Scheduler of this environment. To access the Diagnostic & Monitoring tool you need the privilege MONITOR.

yes Users will have access to basic information of this environment, its clusters and servers, in read-only mode.

yes Create, edit and remove her own revisions.

Users with this privilege cannot do these tasks:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Manage the deployments configuration.

no Manage the load balancing variables.

no Set the Virtual DataPort properties nor the Scheduler properties in environments and clusters.

no Create revisions loading a VQL file.

no Access revisions created by other users.

no Validate and deploy revisions.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

METADATA

Users with the METADATA privilege over an environment have access to all the configuration of this environment, its clusters and servers, in read-only mode, including:

yes Information about the license assigned to this environment.

yes If this is an AWS-managed environment, its status.

yes Deployment configuration of the environment and the deployment scripts.

yes The load balancing variables of the environment, but not the menu Promotions > Load balancing variables.

yes Virtual DataPort properties of the environment and the Scheduler properties of its clusters.

Users with this privilege cannot do these tasks:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Manage the deployments configuration.

no Manage the load balancing variables.

no Create, edit nor remove revisions.

no Access revisions nor deployments.

no Validate and deploy revisions.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of this environment.

WRITE

Users with the Write privilege over an environment can create, configure and delete clusters on that environment. More specifically:

yes Edit and delete the environment.

yes Create, edit and delete clusters and servers of these environments.

yes Manage the deployment configuration of the environment.

yes Manage the load balancing variables of the environment. This does not include creating or deleting load balancing variables; it only allows the users with this role to assign values to clusters and servers.

yes Set the Virtual DataPort properties of the environment and the Scheduler properties of its clusters.

yes Configure the deployment scripts of the environment.

Users with this privilege cannot do these tasks:

no Create environments.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Create, edit nor remove revisions.

no Access revisions nor deployments.

no Validate and deploy revisions.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates. You need the privileges WRITE and EXECUTION to execute this operation.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of this environment.

EXECUTION

Users with the Execution privilege over an environment can do the following:

yes Access to basic information of this environment, its clusters and servers, in read-only mode, including:

  • Information about the license assigned to this environment.

  • If this is an AWS-managed environment, its status.

yes For AWS-managed environments, start and stop its clusters.

yes Change the logging level of the Virtual DataPort servers of the environment.

Users with this privilege cannot do these tasks:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Manage the deployments configuration.

no Manage the load balancing variables.

no Set the Virtual DataPort properties nor the Scheduler properties in environments and clusters.

no Create, edit nor remove revisions.

no Access revisions nor deployments.

no Validate and deploy revisions.

no Execute diagnostic and monitoring operations.

no Import nor export catalog elements.

no For AWS-managed environments, install Denodo updates. You need the privileges WRITE and EXECUTION to execute this operation.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of this environment.

MONITOR

Users with the Monitor privilege over an environment can do the following:

yes Access to basic information of this environment, its clusters and servers, in read-only mode.

yes Open the Diagnostic & Monitoring tool.

yes Start and stop monitoring the servers of the environment.

yes Change the logging level of Virtual DataPort servers.

Users with this privilege cannot do these tasks:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Manage the deployments configuration.

no Manage the load balancing variables.

no Set the Virtual DataPort properties nor the Scheduler properties in environments and clusters.

no Create, edit nor remove revisions.

no Access revisions nor deployments.

no Validate and deploy revisions.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog and Scheduler of this environment.

DEPLOY

Users with the Deploy privilege over an environment can do the following:

yes Access to basic information of this environment, its clusters and servers, in read-only mode.

yes Create a revision to be deployed and validated on this environment.

yes Edit or remove her own revisions.

Users with this privilege cannot do these tasks:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Manage the deployments configuration.

no Manage the load balancing variables.

no Set the Virtual DataPort properties nor the Scheduler properties in environments and clusters.

no Create revisions loading a VQL file.

no Access, validate and deploy the revisions created by other users.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of this environment.

DEPLOY ADMIN

Users with the Deploy Admin privilege over an environment can do the following:

yes Access to basic information of this environment, its clusters and servers, in read-only mode.

yes Manage the deployments configuration.

yes Manage the load balancing variables. Users that have this privilege over one or more environments can open the dialog of the menu Promotions > Load balancing variables to assign values to clusters and servers, but not to create or delete variables.

yes Set the Virtual DataPort properties and the Scheduler properties in environments and clusters.

yes Create revisions.

yes Create revisions loading a VQL file.

yes Edit and remove her own revisions.

yes Access the revisions created by any user in read-only mode.

yes Validate and deploy revisions to this environment.

Users with this privilege cannot do these tasks:

no Create, edit nor remove environments, clusters and servers.

no Set the Version Control System configuration.

no Set the Solution Manager Database configuration.

no Set the Informative Message configuration.

no Manage licenses.

no Edit and remove revisions from other users.

no Execute diagnostic and monitoring operations.

no Change the logging level of Virtual DataPort servers.

no Import nor export catalog elements.

no For AWS-managed environments, start and stop its clusters and check cluster events.

no For AWS-managed environments, install Denodo updates.

no From My applications, users will not be able to connect to the Design Studio, Data Catalog, Scheduler and Diagnostic & Monitoring tool of this environment.
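Some operations in the lists above depend on a combination of privileges: installing Denodo updates on an AWS-managed environment needs both WRITE and EXECUTION, while changing the logging level is allowed by either EXECUTION or MONITOR. The following added example (not part of the Denodo documentation or product) shows how a reviewer can check what a permission change really enables; the capability labels, role names and environment names are hypothetical, and only a subset of the operations listed on this page is modelled.

```python
"""Added example: privilege combinations per environment, transcribed from this page."""
KNOWN = {"CONNECT", "METADATA", "WRITE", "EXECUTION", "MONITOR", "DEPLOY", "DEPLOY ADMIN"}

# Each capability maps to alternative privilege sets; holding every privilege
# in any one of the sets is enough.
REQUIRES = {
    "edit_environment": [{"WRITE"}],
    "start_stop_clusters": [{"EXECUTION"}],             # AWS-managed environments
    "change_logging_level": [{"EXECUTION"}, {"MONITOR"}],
    "open_diagnostic_monitoring": [{"MONITOR"}],
    "install_updates": [{"WRITE", "EXECUTION"}],        # AWS-managed; needs both
}


def capabilities(privileges):
    """Capabilities a role has on one environment, given its privileges there."""
    held = set(privileges)
    unknown = held - KNOWN
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    return {
        cap for cap, options in REQUIRES.items()
        if any(needed <= held for needed in options)
    }


def newly_enabled(current, added):
    """Change review: capabilities gained when `added` is granted on top of `current`."""
    return capabilities(set(current) | set(added)) - capabilities(current)


def roles_with(capability, grants):
    """(role, environment) pairs whose grant on that environment includes the capability."""
    return sorted(
        (role, env) for role, env, privs in grants if capability in capabilities(privs)
    )


# Constructed sample grants: (role, environment, privileges).
GRANTS = [
    ("ops_team", "prod-aws", ["WRITE", "EXECUTION"]),
    ("ops_team", "staging", ["EXECUTION"]),
    ("release_team", "prod-aws", ["DEPLOY ADMIN", "METADATA"]),
    ("support_team", "prod-aws", ["MONITOR", "WRITE"]),
]

if __name__ == "__main__":
    print(sorted(newly_enabled(["WRITE"], ["EXECUTION"])))
    print(roles_with("install_updates", GRANTS))
```

Granting EXECUTION to a role that already holds WRITE on an environment therefore adds the ability to install updates, which neither privilege gives alone.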