Managing roles
Lumada Data Catalog provides roles to organize user access to data curation activities. Additionally, role-based access control (RBAC) governs user access to Data Catalog assets, such as access to virtual folders and tag domains, activity permissions such as job execution and lineage curation, and resource-read access permissions.
With the right combination of privileges and settings, users within the same role group can:
- Have access to the same set of assets (Virtual Folders and Tag Domains)
- Have the same activity permissions (Job execution, Tag/Lineage curation)
- Have access to at least the metadata of the same resources regardless of the native system permissions set for the resource (Resource Read Access Control)
To manage roles, click Manage, then click Roles.
Add a new role
To add a new role, you must be assigned the Manage Roles permission. This task is usually performed by a site administrator.
Perform the following steps to add a new role:
Procedure
Navigate to Manage, then click Roles.
Click Add a new Role.
The Add a new role dialog box displays.
In the ROLE NAME field, enter a name for the role.
Note that the role name must start with a letter, and must contain only letters, digits, hyphens, or underscores. Spaces in names are not allowed. Make sure that the name strings do not match any Data Catalog Reserved Names.
In the METADATA ACCESS field, select the resource metadata read access for this role.
- With the NATIVE setting, the user's native system permissions dictate the metadata read access for an individual resource. With METADATA ACCESS set to NATIVE, the DATA ACCESS field is automatically set to NATIVE.
- With the YES setting, Data Catalog overrides the native system permissions to make just the resource metadata visible to all users with this role, even if they do not have native access to the resource.
Specify the DATA ACCESS.
With DATA ACCESS set to NO, the METADATA ONLY mode for resource read access is enabled, where Data Catalog skips permission checks for data access and only displays the resource metadata.
In the DESCRIPTION field, enter information to describe the purpose of the role.
Click Create.
Set a role as default
When you set a Lumada Data Catalog role as default, any new user you create automatically receives the default role permissions. A user with the Manage Roles permission can set any role to be the default role.
- You can set more than one role as default.
- If a user inherits more than one role, the role with the highest permission level governs the user access permissions.
- The Data Catalog Guest role is the default role assigned to a new user if no other role is set as default.
Follow the steps below to set a role as default:
Procedure
Navigate to Manage, then click Roles.
Select the role you want to set as default.
Click MAKE DEFAULT ROLE to set the role as a default role.
Click Save.
Assigning multiple roles to a user
You can assign multiple roles to one user. The role with the most unrestricted access dictates the access permissions.
For example, the user sam_admin has been assigned the Admin role and the custom roles Data_Steward and Business_Analyst. The user sam_admin gets the Admin permissions, which have the most unrestricted access.
If you assign a user a MarketingAdmin role with NATIVE read-level access and a SalesSteward role with METADATA read-level access, the most trusted read-level access prevails. In this example, the user can view the METADATA of all the resources within the virtual folders assigned to the role.
See Assign a role for detailed assignment instructions.
Dynamic group to role mapping
In Lumada Data Catalog, you can retrieve group information from LDAP and dynamically assign user roles based on group name to role name mapping. Dynamic group roles are assigned in the group-to-role-map.json file in the <WLD App-Server Dir>/conf path.
A sample group-to-role-map.json file is shown below.
{
  "firstName": "givenName",
  "lastName": "sn",
  "email": "mail",
  "userGroupAttributes": [
    {"attributeName": "memberOf", "subAttributeName": "cn"}
  ],
  "groupToRoleMap": {
    "Finance": ["FinanceBA", "Marketing_Admin"],
    "Marketing": ["Marketing_Analyst"],
    "Automation": ["QA_Steward"]
  }
}
- When new users with no roles assigned log in, the SYSTEM automatically assigns them the designated default Data Catalog role (such as the default Guest role).
- If an administrator assigns this user a role (default or custom), the name of the administrator who made the assignment is listed in the ASSIGNED BY column.
- Any LDAP roles that are set in the group-to-role-map.json file have LDAP listed in the ASSIGNED BY column on the Roles tab.
- You cannot delete or revoke LDAP roles in the Data Catalog user interface. You can revoke LDAP roles only by altering the group-to-role-map.json file. Any changes to the group-to-role-map.json file require a server restart.
The roles defined by LDAP are reflected in the Manage Roles feature. The screen below shows the Marketing_Admin and FinanceBA roles assigned to the lara_analyst user. The page also shows LDAP as the assigner of the dynamic roles in the ASSIGNED BY column.
You can also see these dynamic roles if you hover over the User icon or go to the User Profile page, as shown below.
ldc.web.pam.property.ldapGroupClass property. See Mapping LDAP users to Data Catalog roles and LDAP Authentication modes for details.
Additionally:
- Any roles mentioned in the group-to-role-map.json file need to already exist in Data Catalog.
- Any changes to the group-to-role-map.json file require a server restart.
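The following is an added example, not part of Lumada Data Catalog, that checks a group-to-role-map.json against the rules this page states: the role-name rule from Add a new role, the requirement that every mapped role already exists, the memberOf-to-cn resolution the sample file configures, and the rule that the most unrestricted METADATA ACCESS wins when a user holds several roles. The reserved-name list and the per-role access settings are constructed placeholders.

```python
import json
import re

# Role names: start with a letter; only letters, digits, hyphens, underscores.
ROLE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
RESERVED_NAMES = {"Admin", "Guest"}  # placeholder; use the real Reserved Names list
# METADATA ACCESS levels; YES overrides native permissions, so it is the
# more unrestricted ("most trusted") level and prevails over NATIVE.
ACCESS_RANK = {"NATIVE": 0, "YES": 1}

# Constructed copy of the sample group-to-role-map.json shown on this page.
SAMPLE_MAP = json.loads("""{
  "firstName": "givenName", "lastName": "sn", "email": "mail",
  "userGroupAttributes": [{"attributeName": "memberOf", "subAttributeName": "cn"}],
  "groupToRoleMap": {"Finance": ["FinanceBA", "Marketing_Admin"],
                     "Marketing": ["Marketing_Analyst"], "Automation": ["QA_Steward"]}
}""")

def role_name_problems(name):
    """Return the reasons a role name is invalid (empty list if it is fine)."""
    problems = []
    if not ROLE_NAME_RE.match(name):
        problems.append("must start with a letter and use only letters, digits, - or _")
    if name in RESERVED_NAMES:
        problems.append("matches a reserved name")
    return problems

def missing_roles(mapping, existing_roles):
    """Roles named in groupToRoleMap that do not yet exist in Data Catalog."""
    referenced = {r for roles in mapping["groupToRoleMap"].values() for r in roles}
    return sorted(referenced - set(existing_roles))

def roles_from_ldap(mapping, member_of):
    """Resolve a user's LDAP memberOf DNs to roles via the group-to-role map."""
    sub = mapping["userGroupAttributes"][0]["subAttributeName"].lower()
    roles = []
    for dn in member_of:
        # Use the first RDN whose attribute is the configured sub-attribute (cn).
        for rdn in dn.split(","):
            key, _, value = rdn.partition("=")
            if key.strip().lower() == sub:
                roles.extend(mapping["groupToRoleMap"].get(value.strip(), []))
                break
    return sorted(set(roles))

def effective_metadata_access(roles, role_access):
    """The most unrestricted METADATA ACCESS among a user's roles governs."""
    return max((role_access[r] for r in roles),
               key=ACCESS_RANK.__getitem__, default="NATIVE")
```

Running missing_roles before a server restart catches mappings to roles that have not been created yet, which would otherwise silently assign nothing.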
Duplicate a role
Follow the steps below to duplicate a role.
Procedure
Navigate to Manage, then click Roles.
Click the role you want to duplicate.
On the Settings tab, click the More actions icon, and then select Duplicate this role.
A note displays indicating role duplication.
Delete a role
You can delete a role from the list of roles or from the role's Settings tab. Follow the steps below to delete a role.
Procedure
Navigate to Manage, then click Roles.
Click the role you want to delete.
On the Settings tab, click the More actions icon, and then select Delete.
A confirmation dialog box displays.
Click Confirm.
If no dependencies are found, the role is deleted. If the role being deleted is the only role assigned to a user, the role is not deleted.
Manage role settings
Follow the steps below to manage role settings:
Procedure
Navigate to Manage, then click Roles.
Select the role you want to edit.
On the Settings tab, update the fields and controls.
You can update role access level definitions by making changes in the permission group assignments.
Note: Assigning permissions from a group that is a higher level than the user's current permission group can impact product pricing. For information about how to purchase additional permission groups, contact your sales representative.
Click Save.
Assign a virtual folder to a role
Procedure
Navigate to Manage, then click Roles.
Select the role to which you want to assign a virtual folder.
Click the Virtual Folders tab, then click Choose a Virtual Folder.
Select the virtual folders the role can access.
You can choose All to allow this role to access all virtual folders.
Results
If the role has more than one virtual folder assigned, you can sort the virtual folders by Name (ascending or descending), Time of creation (ascending or descending), or Time of last change (ascending or descending).
Remove an assigned virtual folder from a role
Procedure
Navigate to Manage, then click Roles.
Select the role you want to edit.
Click the Virtual Folders tab.
On the row of the virtual folder to remove, click the More actions icon and select Remove from role.
Assign a tag domain to a role
Procedure
Navigate to Manage, then click Roles.
Select the role to which you want to assign a tag domain.
Click the Tag Domains tab, then click Choose a Tag Domain.
Select the tag domains the role should access.
You can choose All to allow this role to access all tag domains.
Remove an assigned tag domain from a role
Procedure
Navigate to Manage, then click Roles.
Select the role from which you want to remove a tag domain.
Click the Tag Domains tab.
On the row of the tag domain to remove, click the More actions icon and select Remove from role.