Managing rights

Rights are managed through three objects: permissions, roles, and users. Permissions are granted to roles and roles are granted to users. This means rights are not managed on a per-user basis.

An easy way to manage rights on the deployment is to:

  1. Identify usages of the deployment (see the concept of persona) and create roles for each usage.
  2. Grant the required permissions to each role.
  3. Grant users the roles that match their usage of the deployment.

Permissions

Permissions represent the ability to do something on the deployment, whether on the deployment itself or on objects contained in the deployment. You have three kinds of permissions:

Administration permissions

An administration permission represents the ability to do something on the deployment as a whole. Administration permissions are independent of spaces and the application.

Permission | Description
Bypass Security | Ability to perform any operation on the deployment; grants full rights on any object. Warning: When this permission is granted, all permission checks are ignored.
Manage users and roles | Ability to manage users, roles, and deployment permissions.
Manage the application | Ability to create the application, update application properties, import and export the application, manage application perspectives and manage application logos. Warning: If this permission is granted without the import data integration libraries permission, application import will be rejected if it contains data integration libraries.
Access monitoring tools | Read-only access to the monitoring tools and JMX (REST API only).
Access administration tools | Ability to access the monitoring tools, the node shell and JMX (both REST API and JSR160 connector).
Access debugging tools | Ability to access the node data through the URL <base URL>/private/explorer.
Access data integration libraries (UI/Import) | Ability to import jar files in the deployment through data integration libraries.
REMOTE Access data integration API | Ability to get information or invoke operations via the Web services API.
Access platform logs | Ability to access the node logs through the URL <base URL>/logs.

Application permissions

An application permission represents the ability to do something on the application.

Permission | Dependencies | Description
Access the application | | Ability to access the application. When no other application permission is granted, the user can only see the dashboards in read-only view. This permission is required to know that the application exists. Also provides the ability to execute queries via the Web service API.
Data exploration | Access the application | Ability to use the data exploration tool. The Data visualization permission is required to save the exploration result as a dashboard.
Data visualization | Access the application | Ability to create, modify and delete dashboards, images and icon sets.
Data action | Access the application | Ability to acknowledge data through the acknowledge mashlet and to execute actions through the action mashlet.
Data analysis | Access the application | Ability to create, modify and delete indicators, manual thresholds and manual constants, classifiers, rhythms and spaces.
Data modeling | Access the application | Ability to create and modify entities, keys, members (attributes, relations), rhythms, spaces and calendars.
Data collection | Access the application | Ability to:
Data integration | Access the application, Data collection | Ability to create, modify and delete Mappings, Events, Queries, Routes, Resources and Properties.
System integration | Access the application, Data collection, Data integration | Ability to create, modify and delete Connectors and Libraries. Warning: To create and upload libraries, the Import libraries into the platform permission is also required.

For information about how to configure permissions, see Roles and permissions.

Permission dependencies

Tip: Some application permissions are dependent on other application permissions. For example, granting the Data exploration permission also grants the Access the application permission. In the same way, removing the Access the application permission also removes all other application permissions. The deployment automatically enforces dependency rules.
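The dependency rules can be modeled as a small closure computation. The following is an added example, not product code: the function names and dict layout are illustrative, the dependency data comes from the tables on this page, and cascading a revoke through intermediate permissions (for example Data collection) is an assumption that generalizes the Access the application case described above.

```python
# Added example: models the dependency rules from the tables on this page.
# Function names and the dict layout are illustrative, not a product API.

# Application permission -> permissions it depends on.
APP_DEPS = {
    "Access the application": set(),
    "Data exploration": {"Access the application"},
    "Data visualization": {"Access the application"},
    "Data action": {"Access the application"},
    "Data analysis": {"Access the application"},
    "Data modeling": {"Access the application"},
    "Data collection": {"Access the application"},
    "Data integration": {"Access the application", "Data collection"},
    "System integration": {"Access the application", "Data collection",
                           "Data integration"},
}
# Space permission -> permissions it depends on.
SPACE_DEPS = {"Access": set(), "Edit": {"Access"}, "Admin": {"Access", "Edit"}}


def grant(granted, permission, deps):
    """Return a new set with `permission` and everything it depends on."""
    result = set(granted)
    stack = [permission]
    while stack:
        p = stack.pop()
        if p not in result:
            result.add(p)
            stack.extend(deps[p])
    return result


def revoke(granted, permission, deps):
    """Return a new set without `permission` or anything depending on it."""
    result = set(granted) - {permission}
    changed = True
    while changed:  # repeat until no held permission has a missing dependency
        changed = False
        for p in list(result):
            if not deps[p] <= result:
                result.discard(p)
                changed = True
    return result
```

Comparing the output of `grant` with what a role actually shows after a change is a quick way to spot permissions that were granted implicitly rather than by intent.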


Space permissions

A space permission represents the ability to do something on a specific space or on objects contained in this space.

Permission | Dependencies | Description
Access | | Ability to view the space and objects contained in this space.
Edit | Access | Ability to modify the objects contained in the space (e.g. dashboards, indicators, ...). The space itself cannot be modified with only this permission.
Admin | Access, Edit | Ability to modify the details of the space and the permissions defined on it. Ability to export objects of this space and import objects into this space.


For information about how to configure space permissions, see Space permissions.

Note: Some space permissions are dependent on other space permissions. For example, granting the Edit permission also grants the Access permission. In the same way, removing the Access permission will also revoke the Edit and Admin permissions. The dependency rules are automatically enforced by the user interface.

Roles

A role defines how the deployment can be used. A role should have a name and a description, but most importantly, a role defines a set of permissions.

The deployment provides two built-in roles:

  • Super administrator:
    • Perform any operations on the deployment and full rights on all objects.
    • Automatically granted to the built-in Admin user and cannot be revoked.
    • Its configuration cannot be modified.
  • User:
    • Default role of users.
    • Used to grant default permissions.
    • Automatically granted to all users and cannot be revoked.


Except for built-in roles, roles can be created, modified and deleted at will.

When the deployment is configured with an external user base, such as LDAP, a mapping is configured between the rights managed in the external user base and the roles managed in the deployment. For example, see the groupRolesMap property in Configuring User Directories (LDAP).

For information about how to configure role permissions, see Roles and permissions.

Users

A user represents an actor of the deployment, usually a person. It has a collection of roles. By transitivity through roles, a user has a collection of permissions.

Application menus & associated permissions

This table lists all application menus and their associated permissions. The user must have at least one of the permissions to have access to the menu.

Menu | Permissions
Home |
All Dashboards |
Favorites |
Explore | Data exploration
Configuration | Manage users and roles, Manage the application, Access administration tools, Data analysis, Data visualization, Data modeling, Data integration
Administration |
Application | Manage the application
Logo | Manage the application
Roles | Manage users and roles
Spaces | Data visualization, Data analysis, Data modeling
Model |
Entities | Data modeling
Attributes | Data visualization, Data analysis, Data modeling, Data integration
Diagram | Data visualization, Data analysis, Data modeling, Data integration
Rhythms | Data analysis, Data modeling
Classifiers | Data analysis
Calendars | Data modeling
Dashboards |
Perspectives | Manage the application
Images | Data visualization
Icon sets | Data visualization
Style Templates | Data visualization
Pagelets | Data visualization
Runtime Settings |
Purge | Data modeling
Computing | Access administration tools
Data integration | Data collection, Data integration, System integration
Endpoints |
Connectors | System integration
Mappings | Data integration
Libraries | System integration
Events | Data integration
Queries | Data integration
Transformations |
Routes | Data collection
States | Data integration
Resources | Data integration
Properties | Data integration
Runtime |
Logs | Data collection
Security & Monitoring | Manage users and roles, Access administration tools, Access monitoring tools
Security |
Users | Manage users and roles
Monitoring |
Current Activity | Access monitoring tools
Activity Report | Access monitoring tools
Computing | Access monitoring tools
Precomputing | Access monitoring tools
Support |
About |
Support tools | Access administration tools
Shell | Access administration tools

Configuration

Roles and deployment permissions

To configure roles and permissions, you must have the Manage users and roles deployment permission.

To configure roles and deployment permissions, click the Configuration icon. On the left menu, click Roles.

Notes:

When you create a role:

  • The Name field must be filled in.
  • The Description is optional.

You can delete any role except for built-in roles, provided the role you want to delete is not currently assigned to any user.

Space permissions

To configure the permissions on a space, you must have the Admin space permission on this space.

To configure space permissions, on the main menu, click the Configuration icon. On the left menu, click Spaces in the Administration section.


If you do not have the Bypass Security permission, ensure at least one of your roles is granted the Admin space permission. Otherwise, you will no longer be able to configure this space afterward.

Users

In order to configure the users, you must have the Manage users and roles permission.

To configure user permissions, on the main menu, click the Security & Monitoring icon. On the left menu, click Users.

Notes:

  • You cannot remove the Super administrator role from the built-in admin user.
  • You cannot remove the User role from any of the users.

If no role has the Bypass Security permission, ensure at least one of your roles is granted the Manage users and roles permission. Otherwise, you will no longer be able to configure this user afterward.

Specific operations

Creating and importing applications

When an application is created or imported, the User role is automatically granted all application permissions on this application. When a space is created during the import of an application, the User role is also automatically granted all space permissions on this space.

The application administrator should modify the permissions of the User role afterward if they are not happy with the automatic settings.

Creating spaces

When a space is created, the User role is automatically granted all space permissions for this space.

The application administrator should modify the permissions on the User role if they are not happy with the automatic settings.
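Because the User role is held by every user and receives all permissions on new applications and spaces, reviewing it after each creation or import is worthwhile. The following added example (not product code) audits a constructed role and user mapping: it reports what every account inherits through the User role and which roles give a user a high-impact administration permission. The sample data, the `BASELINE` default and the `HIGH_IMPACT` selection are assumptions; only the permission and built-in role names come from this page.

```python
# Added example: role and user data below is constructed for illustration.

BUILT_IN_USER_ROLE = "User"  # granted to every user, cannot be revoked

# Assumed intended default for the User role: read-only dashboard access.
BASELINE = {"Access the application"}

# Administration permissions treated here as high impact (an assumption
# based on their descriptions on this page, not a vendor classification).
HIGH_IMPACT = {
    "Bypass Security",
    "Manage users and roles",
    "Access administration tools",
    "Access data integration libraries (UI/Import)",
}

# Constructed sample: role -> permissions, user -> explicitly granted roles.
ROLES = {
    "User": {"Access the application", "Data modeling", "System integration"},
    "Analyst": {"Access the application", "Data exploration"},
    "Operator": {"Access monitoring tools", "Access administration tools"},
}
USERS = {"alice": {"Analyst"}, "bob": {"Operator"}, "carol": set()}


def grants_by_role(user, users, roles):
    """Map each permission the user holds to the roles that grant it."""
    held = set(users[user]) | {BUILT_IN_USER_ROLE}
    provenance = {}
    for role in sorted(held):
        for perm in roles.get(role, ()):
            provenance.setdefault(perm, []).append(role)
    return provenance


def audit(users, roles):
    """Return (subject, permission, granting roles) findings, sorted."""
    findings = []
    # Anything on the User role beyond the baseline reaches every account.
    for perm in sorted(roles.get(BUILT_IN_USER_ROLE, set()) - BASELINE):
        findings.append(("ALL USERS", perm, [BUILT_IN_USER_ROLE]))
    for user in sorted(users):
        provenance = grants_by_role(user, users, roles)
        for perm in sorted(HIGH_IMPACT & set(provenance)):
            findings.append((user, perm, provenance[perm]))
    return findings
```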

Caveats

The deployment always checks the rights before building a screen and before processing an operation. If the rights are modified between the building of the screen and the processing of the operation, the operation may fail and an error message is displayed in the user interface.

The deployment always checks the rights before processing an operation and aborts it if the rights are not valid.
