Hitachi Vantara Lumada and Pentaho Documentation

Managing roles

Lumada Data Catalog provides roles to organize user access to data curation activities. Additionally, role-based access control (RBAC) governs user access to Data Catalog assets, like access to virtual folder and tag domains, their activity permissions, such as job execution and lineage curation, and their resource-read access permissions.

With the right combination of privileges and settings, users within the same role group can:

  • Have access to the same set of assets (Virtual Folders and Tag Domains)
  • Have the same activity permissions (Job execution, Tag/Lineage curation)
  • Have access to at least the metadata of the same resources regardless of the native system permissions set for the resource (Resource Read Access Control)

To manage roles, click Manage, then click Roles.

Note: This menu is available only to roles assigned the Manage Roles permission.

Add a new role

Before you add new roles to your system, it is recommended that you plan and create your data sources and tag domains.

To add a new role, you must be assigned the Manage Roles permission. This task is usually performed by a site administrator.

Perform the following steps to add a new role:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Click Add a new Role.

    [Figure: Add a new role dialog box]
    The Add a new role dialog box displays.
  3. In the ROLE NAME field, enter a name for the role.

    Note that the role name must start with a letter, and must contain only letters, digits, hyphens, or underscores. Spaces in names are not allowed. Make sure that the name strings do not match any Data Catalog Reserved Names.
  4. In the METADATA ACCESS field, select the resource metadata read access for this role.

    • With the NATIVE setting, the system user permissions dictate the metadata read access for an individual resource. With METADATA ACCESS set to NATIVE, the DATA ACCESS field is automatically set to NATIVE.
    • With the YES setting, Data Catalog overrides the native system permissions to make just the resource metadata visible to all users with this role, even if they do not have native access to the resource.
    [Figure: METADATA ACCESS entry]
  5. Specify the DATA ACCESS.

    With DATA ACCESS set to NO, the METADATA ONLY mode for resource read access is enabled: Data Catalog skips permission checks for data access and displays only the resource metadata.
    [Figure: DATA ACCESS entry]
  6. In the DESCRIPTION field, enter information to describe the purpose of the role.

  7. Click Create.

Results

The role is created.

Set a role as default

When you set a Lumada Data Catalog role as default, any new user you create automatically receives the default role permissions. A user with the Manage Roles permission can set any role to be the default role.

  • You can set more than one role as default.
  • If a user inherits more than one role, the role with the highest permission level governs the user access permissions.
  • The Data Catalog Guest role is the default role assigned to a new user if no other role is set as default.

Follow the steps below to set a role as default:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Select the role you want to set as default.

  3. Click MAKE DEFAULT ROLE to set the role as a default role.

    [Figure: MAKE DEFAULT ROLE switch]
  4. Click Save.

Results

Your settings are saved.

Assigning multiple roles to a user

You can assign multiple roles to one user. The role with most unrestricted access dictates the access permissions.

For example, user sam_admin has been assigned the role of Admin and the custom roles of Data_Steward and Business_Analyst. The user sam_admin will get the Admin permissions which have the most unrestricted access.

If you assign a user a MarketingAdmin role with NATIVE read level access and a SalesSteward role with METADATA level access, the most trusted read level access prevails. In this example, the user can view METADATA of all the resources within the virtual folders assigned to the role.

Note: Your software license determines user-based entitlement. Contact your sales representative if you have questions about this feature.

See Assign a role for detailed assignment instructions.

Dynamic group to role mapping

In Lumada Data Catalog, you can retrieve group information from LDAP and dynamically assign user roles based on group name to role name mapping. Dynamic group roles are assigned in the group-to-role-map.json file in the <WLD App-Server Dir>/conf path.

A sample group-to-role-map.json file is shown below.

{
  "firstName": "givenName",
  "lastName": "sn",
  "email": "mail",
  "userGroupAttributes": [
    {"attributeName": "memberOf", "subAttributeName": "cn"}
  ],
  "groupToRoleMap": {
    "Finance": ["FinanceBA", "Marketing_Admin"],
    "Marketing": ["Marketing_Analyst"],
    "Automation": ["QA_Steward"]
  }
}

  • When new users with no roles assigned log in, they are automatically assigned the designated default Data Catalog role (such as the default Guest role) by the SYSTEM.
  • If an administrator assigns this user a role (default or custom), the name of the administrator who assigned it is listed in the ASSIGNED BY column.
  • Any LDAP roles that are set in the group-to-role-map.json file will have LDAP listed in the ASSIGNED BY column in the Roles tab.
  • You cannot delete or revoke LDAP roles in the Data Catalog user interface. You can revoke the LDAP roles only by altering the group-to-role-map.json file. Any changes to the group-to-role-map.json file require a server restart.

The roles defined by LDAP are reflected in the Manage Roles feature. The screen below shows the Marketing_Admin and FinanceBA roles assigned to the lara_analyst user. The page also shows that the assigner of the dynamic roles is LDAP in the ASSIGNED BY column.

[Figure: Dynamic role assignment]

You can also see these dynamic roles if you hover over the User icon or go to the User Profile page as shown below.

[Figure: Dynamic role user]

Note: Depending on the LDAP authentication mode selected during Data Catalog installation, make sure that the properties in the login.properties file in the <WLD App-Server Dir>/conf path are set appropriately, specifically the ldc.web.pam.property.ldapGroupClass property. See Mapping LDAP users to Data Catalog roles and LDAP Authentication modes for details. Additionally:
  • Any roles mentioned in the group-to-role-map.json file need to already exist in Data Catalog.
  • Any changes to the group-to-role-map.json file require a server restart.
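The following script is an added example, not part of the Data Catalog product or this page: it loads a group-to-role-map.json in the shape shown above, reports mapped roles that do not yet exist in the catalog (the note above requires them to), and works out which roles LDAP would assign to a user from the groups in their memberOf values. It assumes, which the page does not state, that each value of the configured attributeName is a DN and that subAttributeName names the RDN (here cn) to read from it.

```python
import json

# Constructed sample in the shape of the group-to-role-map.json shown above.
MAP_JSON = """{
  "firstName": "givenName", "lastName": "sn", "email": "mail",
  "userGroupAttributes": [{"attributeName": "memberOf", "subAttributeName": "cn"}],
  "groupToRoleMap": {
    "Finance": ["FinanceBA", "Marketing_Admin"],
    "Marketing": ["Marketing_Analyst"],
    "Automation": ["QA_Steward"]
  }
}"""
MAPPING = json.loads(MAP_JSON)

# Constructed: roles that already exist in this Data Catalog instance.
EXISTING_ROLES = {"Admin", "Guest", "FinanceBA", "Marketing_Admin", "Marketing_Analyst"}


def missing_roles(mapping: dict, existing: set) -> set:
    """Roles named in groupToRoleMap that do not exist yet (the map requires them to)."""
    referenced = {r for roles in mapping["groupToRoleMap"].values() for r in roles}
    return referenced - existing


def group_names(mapping: dict, ldap_entry: dict) -> list:
    """Group names taken from the user's LDAP entry.
    Assumption (not stated on the page): each attributeName value is a DN and
    subAttributeName is the RDN to read, so cn=Finance,ou=groups,... yields Finance.
    Plain comma split: DNs with escaped commas in the RDN are not handled here."""
    names = []
    for spec in mapping["userGroupAttributes"]:
        key = spec["subAttributeName"].lower() + "="
        for dn in ldap_entry.get(spec["attributeName"], []):
            for rdn in dn.split(","):
                rdn = rdn.strip()
                if rdn.lower().startswith(key):  # RDN type match is case-insensitive
                    names.append(rdn[len(key):])
                    break
    return names


def dynamic_roles(mapping: dict, ldap_entry: dict) -> list:
    """Roles LDAP would assign (ASSIGNED BY = LDAP), deduplicated, in map order."""
    groups = set(group_names(mapping, ldap_entry))
    roles = []
    for group, group_roles in mapping["groupToRoleMap"].items():
        if group in groups:
            for role in group_roles:
                if role not in roles:
                    roles.append(role)
    return roles
```

Run missing_roles against the role list before restarting the server so that a renamed or deleted role does not silently leave a group unmapped.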

Duplicate a role

You can duplicate any role. When you duplicate a role, you make an exact copy of the role such that the duplicated role inherits its job execution setting and its functional, metadata, and data access levels from the copied role. The duplicated role displays the original role's name with an appended suffix and you can rename the role by editing it.

Follow the steps below to duplicate a role.

Procedure

  1. Navigate to Manage, then click Roles.

  2. Click the role you want to duplicate.

  3. On the Settings tab, click the More actions icon, and then select Duplicate this role.

    [Figure: Duplicating a role]
    A note displays indicating role duplication.

Results

The duplicated role appears in Roles with a numbered suffix appended to the original role name. If a numbered version of the role name already exists, then the appended number is incremented.

Delete a role

You can delete a role that is no longer in use. However, you cannot delete the predefined Guest role.

Note: You cannot delete a role in Lumada Data Catalog when users are assigned to that role. When deleting a role, make sure that any user assigned to that role has been assigned another role or has been deleted.

You can delete a role from the list of roles or from the role's Settings tab. Follow the steps below to delete a role.

Procedure

  1. Navigate to Manage, then click Roles.

  2. Click the role you want to delete.

  3. On the Settings tab, click the More actions icon, and then select Delete.

    [Figure: Deleting a role]
    A confirmation dialog box displays.

    [Figure: Delete confirmation]

  4. Click Confirm.

    If no dependencies are found, the role is deleted. If the role being deleted is the only role assigned to a user, the role is not deleted.

Manage role settings

You can redefine the role's access level, resource read access levels, and job execution permissions.

Note: For predefined Lumada Data Catalog roles, the only updates permitted are on the role's Settings tab.

Follow the steps below to manage role settings:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Select the role you want to edit.

    [Figure: Edit role settings]
  3. On the Settings tab, update the fields and controls.

  4. You can update role access level definitions by making changes in the permission group assignments.

    Note: Assigning permissions from a group that is a higher level than the user's current permission group can impact product pricing. For information about how to purchase additional permission groups, contact your sales representative.
  5. Click Save.

Results

The role settings are updated.

Assign a virtual folder to a role

Follow the steps below to assign a virtual folder to a role:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Select the role to which you want to assign a virtual folder.

  3. Click the Virtual Folders tab, then click Choose a Virtual Folder.

    [Figure: Choose virtual folder]
  4. Select the virtual folders the role can access.

    You can choose All to allow this role to access all virtual folders.

Results

The virtual folder is assigned for the role.

If the role has more than one virtual folder assigned, you can sort the virtual folders by Name (ascending or descending), Time of creation (ascending or descending), or Time of last change (ascending or descending).

[Figure: Sort virtual folders]

Remove an assigned virtual folder from a role

Follow the steps below to remove an assigned virtual folder from a role:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Select the role you want to edit.

  3. Click the Virtual Folders tab.

  4. On the row of the virtual folder to remove, click the More actions icon and select Remove from role.

    [Figure: Remove virtual folder from role]

Results

The virtual folder is removed from the role.

Assign a tag domain to a role

Follow the steps below to assign a tag domain to a role:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Select the role to which you want to assign a tag domain.

  3. Click the Tag Domains tab, then click Choose a Tag Domain.

    [Figure: Choose tag domain]
  4. Select the tag domains the role should access.

    You can choose All to allow this role to access all tag domains.

Results

The tag domain is assigned to the role.

Remove an assigned tag domain from a role

Follow the steps below to remove an assigned tag domain from a role:

Procedure

  1. Navigate to Manage, then click Roles.

  2. Select the role from which you want to remove a tag domain.

  3. Click the Tag Domains tab.

  4. On the row of the tag domain to remove, click the More actions icon and select Remove from role.

    [Figure: Remove tag domain from role]

Results

The tag domain is removed from the role.