This section provides an overview of the default assignments for users and roles, the permissions included, and the management of users and roles in the Pentaho User Console (PUC). You must login to PUC as an administrator (or be assigned to a role that has Administer Security permission) to manage users and roles for Pentaho Security.
Here is how you can manage users:
Here is how you can manage roles:
Before changing security settings, play it safe and back up these relevant files:
- If you installed Pentaho using the Installation Wizard, back up the Pentaho Business Analytics and the Pentaho Server directories.
- If you installed Pentaho using the manual process, back up the Pentaho Business Analytics, the Pentaho Server directories, and the Pentaho.war files and solutions.
You can control users and roles in PUC with a point-and-click user interface. The Users & Roles page allows you to switch between user and role settings. You can add, delete, and edit users and roles from this page.
Access to files or folders can also be refined using the Browse Files perspective in PUC. Each file or folder can use the default permissions or permissions can be customized for specific users and roles. For more information, see Restrict or Share Files and Folders.
Sample Users, Default Roles, and Permissions
By viewing the sample user and default role examples you can get ideas about ways to define actual users and specific roles.
- Login to PUC. Click Home > Administration. The Administration perspective opens the Users & Roles page with the Manage Users tab selected.
- Highlight a user in the users list to display which roles are available for that user, as well as which role is currently defined for that user.
- Select the Manage Roles tab to display the Operation Permissions for the user's role, as defined by the checked boxes. These roles, added for your convenience, can be removed or altered based on your needs (see Table 1). Each default role and sample user comes with a standard set of permissions, which provides for a specific set of capabilities when using Pentaho tools and the Pentaho Server (see Table 2).
- Select the System Roles tab to display the user's system role. System Roles are built-in roles used to control default behaviors and permissions in PUC, handled implicitly or through system configuration, with automatic assignments. The default system role for all users is Authenticated. If you want to restrict permissions, the Authenticated role must be restricted or removed from the user.
|Default Role||Sample User||Default Operation Permissions|
|Administer Security||The default Administrator role automatically conveys all operation permissions to users assigned to that role, even if the check box next to it is cleared. These permissions include the Read and Create Content permissions, which are required for accessing the Administration perspective.
|Publish Content||This permission includes tools such as Report Designer, Schema Workbench, and Metadata Editor.
|Manage Data Sources||
Operation permission does not include Metadata data sources. This Metadata Security article gives specific information on how to give permissions to manage Metadata data sources.
- With the Manage Users tab selected, click the plus (+) sign. The New User dialog box appears.
- Enter a new User Name and Password, then Confirm Password and click OK. The new user account is active and displays in the Users list.
Change User Passwords
- With the Manage Users tab selected, click the user for whose password you want to edit. The user's information populates to the right of the Users field.
- Click Edit. Enter the New Password and Confirm Password then click OK. The password is changed and the user is able to login with the new password.
After you have logged into PUC for the first time, it is a best practice to change the default administrator password.
- With the Manage Users tab selected, click the user or users in the Users list that you want to delete.
- Click the X to delete the user or users. The Delete User confirmation dialog box appears.
- Click Yes, Delete to delete the user(s) and refresh the user list. The selected user accounts are deleted and the users are no longer able to login to the Pentaho Server.
Set the Authentication Method
By choosing the authentication method, you can choose where the users and their login credentials will be managed.
- Click Authentication.
- Select the associated radio button for the desired method:
- Local to use Pentaho authentication, or
- External to use an LDAP / Active Directory server.
Assign Users to Roles
- With the Manage Users tab selected, click to highlight the user from the Users list that you want to associate with a role.
- In the Available list, click to highlight the role that you want to associate with the selected user.
- Click the right arrow (>) to move the role to the Selected list.
- You can remove a role from the Selected list by highlighting that role and clicking on the left arrow (<). The role moves from the Selected to Available list, and the user no longer has the associated permissions. The user now has all of the permissions associated with the role in the Selected list.
- With the Manage Roles tab selected, click the plus (+) sign. The New Role dialog box appears.
- Enter a new Name for the role, then click OK. The new role is created, and appears in the Available roles list. After adding a new role, you need to assign operation permissions to it, see Assign Permissions to Roles, below, for details.
Assign Permissions to Roles
- Make sure that the role is highlighted in the Roles list.
- Click in the check boxes in the Operation Permissions list. The role has permissions assigned to it, and users associated with that role have those permissions.
- With the Manage Roles tab selected, click the role or roles you want to delete.
- Click the x to delete the role(s). The Delete Role confirmation dialog box appears.
- Click Yes to delete the role(s) and refresh the role list. The selected role is deleted and is no longer available on the server. The users who were associated with that role are no longer associated with it. Other roles assigned to users are not affected. If users have only one role assigned to them and that role is deleted, then the users have no role assigned to them. The default role is Authenticated and all users have that role unless you remove it.
Assign Roles to Users
- Make sure the Manage Roles tab is selected, then click the role in Roles list that you want to associate with a user or users.
- In the Available list, click the user or users that you want to associate with that role.
- Click the right arrow (>) to move the users to the Selected list. You can click the double-right arrow (>>) to move all users from the Available list to the Selected list.
- You can remove users from the Selected list by highlighting that user and clicking on the left arrow (<). The user moves from the Selected list to the Available list, and no longer has the permissions associated with that role. The users that appear in the Selected list are now tied to the highlighted role and have all of the permissions associated with that role.