Decision Insight 20210329

Managing rights

Rights are managed through three objects: permissions, roles, and users. Permissions are granted to roles and roles are granted to users. This means rights are not managed on a per-user basis.

An easy way to manage rights on the deployment is to:

- Identify usages of the deployment (see the concept of persona) and create roles for each usage.
- Grant the required permissions to each role.
- Grant users the roles according to their usage of the deployment.

Permissions

Permissions represent the ability to do something on the deployment, whether on the deployment itself or on objects contained in the deployment. You have three kinds of permissions:

- Administration permissions
- Application permissions
- Space permissions

For information about how to configure permissions, see Roles and permissions.

Permission dependencies

Tip: Some application permissions are dependent on other application permissions. For example, granting the Data exploration permission also grants the Access the application permission. In the same way, removing the Access the application permission also removes all other application permissions. The deployment automatically enforces dependency rules.

Administration permissions

An administration permission represents the ability to do something on the deployment as a whole. Administration permissions are independent of spaces and the application.

| Permission | Dependencies | Description |
|---|---|---|
| Bypass Security | | Ability to perform any operations on the deployment, grants full rights on any objects. When this permission is granted, all permission checks are ignored. |
| Access Flex application | | Ability to access the Flex user interface. If not granted, a user trying to access the Flex user interface will be redirected to the HTML one. For more information, see HTML Guide. |
| Manage users and roles | | Ability to manage users, roles, and deployment permissions. |
| Manage the application | | Ability to create the application, update application properties, import and export the application, manage application perspectives and manage applications logos. If this permission is granted without the import data integration libraries permission, application import will be rejected if it contains data integration libraries. |
| Access monitoring tools | | Read-only access to the monitoring tools and JMX (REST API only). |
| Access administration tools | Access monitoring tools | Ability to access the monitoring tools, the node shell and JMX (both REST API and JSR160 connector). |
| Access debugging tools | | Ability to access the node data through the URL <base URL>/private/explorer. Access to this URL is disabled by default. See Manage access to debugging tool and logs. |
| Access data integration libraries (UI/Import) | | Ability to import jar files in the deployment through data integration libraries. |
| REMOTE Access data integration API | | Ability to get information or invoke operations via the Web services API. |
| Access cluster logs | | Ability to access the node logs through the URL <base URL>/logs. Access to this URL is disabled by default. See Manage access to debugging tool and logs. |

Application permissions

An application permission represents the ability to do something on the application.

| Permission | Dependencies | Description |
|---|---|---|
| Access the application | | Ability to access the application. When no other application permission is granted, the user can only see the dashboards in read-only view. This permission is required to know that the application exists. Also provides the ability to execute queries via the Web service API. |
| Data exploration | Access the application | Ability to use the data exploration tool. The Data visualization permission is required to save the exploration result as a dashboard. |
| Data visualization | Access the application | Ability to create, modify and delete: dashboards, images, icon sets. Ability to access the HTML UI from the dashboard menu. |
| Data action | Access the application | Ability to acknowledge data through the acknowledge mashlet and to execute actions through the action mashlet. |
| Data analysis | Access the application | Ability to create, modify and delete: indicators, manual thresholds and manual constants, classifiers, rhythms, spaces. |
| Data modeling | Access the application | Ability to create and modify: entities, keys, members (attributes, relations), rhythms, spaces, calendars. |
| Data collection | Access the application | Ability to: view the content of routes; start, stop and kill routes; view logs associated with routes; invoke a mapping via the Web service API. |
| Data integration | Access the application, Data collection | Ability to create, modify and delete: Mappings, Events, Queries, States, Notifiers, Routes, Resources, Properties. |
| Notification | Access the application | Ability to create, update, delete, start and stop notifications. |
| System integration | Access the application, Data collection, Data integration | Ability to create, modify and delete: Triggers, Connectors, Libraries. To create and upload libraries, the Access data integration libraries right is also required. |

Space permissions

A space permission represents the ability to do something on a specific space or on objects contained in this space.

| Permission | Dependencies | Description |
|---|---|---|
| Access | | Ability to view the space and objects contained in this space. |
| Edit | Access | Ability to modify the objects contained in the space (e.g. dashboards, indicators, ...). The space itself cannot be modified with only this permission. |
| Admin | Access, Edit | Ability to modify the details of the space and the permissions defined on it. Ability to export objects of this space, import objects into this space. |

For information about how to configure space permissions, see Space permissions.

Note: Some space permissions are dependent on other space permissions. For example, granting the Edit permission also grants the Access permission. In the same way, removing the Access permission will also revoke the Edit and Admin permissions. The dependency rules are automatically enforced by the user interface.

Roles

A role defines how the deployment can be used. A role should have a name and a description, but most importantly, a role defines a set of permissions.

The deployment provides two built-in roles:

- Super administrator: Perform any operations on the deployment and full rights on all objects. Automatically granted to the built-in Admin user and cannot be revoked. Its configuration cannot be modified.
- User: Default role of users. Used to grant default permissions. Automatically granted to all users and cannot be revoked.

Except for built-in roles, roles can be created, modified and deleted at will.

When the deployment is configured with an external user base, such as LDAP, a mapping is configured between the rights managed in the external user base and the roles managed in the deployment. For example, see the groupRolesMap property in Configuring User Directories (LDAP).

For information about how to configure role permissions, see Roles and permissions.

Users

A user represents an actor of the deployment, most usually a person. It has a collection of roles. By transitivity through roles, a user has a collection of permissions.

Application menus & associated permissions

This table lists all application menus and their associated permissions. The user must have at least one of the permissions to have access to the menu.

Important: Menu buttons marked with an asterisk (*) in the table below require a user to have the Access Flex application permission in order to be visible.

| Menu | Permissions |
|---|---|
| Home | All |
| Dashboards | |
| Favorites * | |
| Explore * | Data exploration |
| Configuration * | Manage users and roles, Manage the application, Access administration tools, Data analysis, Data visualization, Data modeling, Data integration |
| Administration * | |
| Application | Manage the application |
| Logo | Manage the application |
| Roles | Manage users and roles |
| Spaces | Data visualization, Data analysis, Data modeling |
| Model * | |
| Entities | Data modeling |
| Attributes | Data visualization, Data analysis, Data modeling, Data integration |
| Diagram | Data visualization, Data analysis, Data modeling, Data integration |
| Rhythms | Data analysis, Data modeling |
| Classifiers | Data analysis |
| Calendars | Data modeling |
| Dashboards * | |
| Perspectives | Manage the application |
| Images | Data visualization |
| Icon sets | Data visualization |
| Style Templates | Data visualization |
| Pagelets | Data visualization |
| Runtime Settings * | |
| Purge | Data modeling |
| Computing | Access administration tools |
| Data integration * | Data collection, Data integration, System integration |
| Endpoints * | |
| Connectors | System integration |
| Mappings | Data integration |
| Libraries | System integration |
| Events | Data integration |
| Queries | Data integration |
| Notifiers | Data integration |
| Automation * | |
| Triggers | System integration |
| Transformations * | |
| Routes | Data collection |
| States | Data integration |
| Resources | Data integration |
| Properties | Data integration |
| Runtime * | |
| Logs | Data collection |
| Security & Monitoring * | Manage users and roles, Access administration tools, Access monitoring tools |
| Security * | |
| Users * | Manage users and roles |
| Monitoring * | |
| Current Activity | Access monitoring tools |
| Activity Report | Access monitoring tools |
| Computing | Access monitoring tools |
| Precomputing | Access monitoring tools |
| Support * | |
| About | |
| Support tools | Access administration tools |
| Shell | Access administration tools |

Configuration

Roles and deployment permissions

To configure roles and permissions, you must have the Manage users and roles deployment permission.

To configure roles and deployment permissions, click the Configuration icon. On the left menu, click Roles.

Notes:

- When you create a role, the Name field must be filled in. The Description is optional.
- You can delete any role except for built-in roles, provided the role you want to delete is not currently assigned to any user.

Space permissions

To configure the permissions on a space, you must have the Admin space permission on this space.

To configure space permissions, on the main menu, click the Configuration icon. On the left menu, click Spaces in the Administration section.

If you do not have the Bypass Security permission, ensure at least one of your roles is granted the Admin space permission. Otherwise, you will no longer be able to configure this space afterward.

Users

In order to configure the users, you must have the Manage users and roles permission.

To configure user permissions, on the main menu, click the Security & Monitoring icon. On the left menu, click Users.

Notes:

- You cannot remove the Super administrator role from the built-in admin user.
- You cannot remove the User role from any of the users.
- If no role has the Bypass Security permission, ensure at least one of your roles is granted the Manage users and roles permission. Otherwise, you will no longer be able to configure this user afterward.

Specific operations

Creating and importing applications

When an application is created or imported, the User role is automatically granted all application permissions on this application. When a space is created during the import of an application, the User role is also automatically granted all space permissions on this space. The application administrator should modify the permissions of the User role afterward if they are not happy with the automatic settings.

Creating spaces

When a space is created, the User role is automatically granted all space permissions for this space. The application administrator should modify the permissions on the User role if they are not happy with the automatic settings.

Caveats

The deployment always checks the rights before building a screen and before processing an operation. If the rights are modified between the building of the screen and the processing of the operation, the operation may fail and an error message is displayed on the user interface. The deployment always checks the rights before processing an operation and aborts it if the rights are not valid.
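The dependency rules described under Permission dependencies and in the space permissions note, together with the lockout warning in the Users notes, modeled as an added example (this is not Decision Insight code or its API). The dependency tables are transcribed from the Dependencies columns on this page; the function names and the sample roles are hypothetical.

```python
# Added example: a model of the documented dependency rules, not product code.
# APP and SPACE are transcribed from the "Dependencies" columns on this page;
# all function names are hypothetical.
APP = {
    "Access the application": set(),
    "Data exploration": {"Access the application"},
    "Data visualization": {"Access the application"},
    "Data action": {"Access the application"},
    "Data analysis": {"Access the application"},
    "Data modeling": {"Access the application"},
    "Data collection": {"Access the application"},
    "Data integration": {"Access the application", "Data collection"},
    "Notification": {"Access the application"},
    "System integration": {"Access the application", "Data collection",
                           "Data integration"},
}
SPACE = {"Access": set(), "Edit": {"Access"}, "Admin": {"Access", "Edit"}}


def grant(granted, permission, table):
    """Grant `permission` and, transitively, every permission it requires."""
    result, stack = set(granted), [permission]
    while stack:
        current = stack.pop()
        result.add(current)
        stack.extend(dep for dep in table[current] if dep not in result)
    return result


def revoke(granted, permission, table):
    """Revoke `permission` and every granted permission that requires it."""
    removed, changed = {permission}, True
    while changed:  # repeat until no further dependent permission falls
        changed = False
        for held in granted:
            if held not in removed and table.get(held, set()) & removed:
                removed.add(held)
                changed = True
    return set(granted) - removed


def side_effects(before, after, requested):
    """Permissions that changed in addition to the one the admin touched."""
    return (before ^ after) - {requested}


def can_manage_rights(user_roles, role_permissions):
    """Lockout check from the Users notes: a user keeps control of rights only
    through a role holding one of these two administration permissions."""
    held = set().union(*(role_permissions[role] for role in user_roles))
    return bool(held & {"Bypass Security", "Manage users and roles"})


if __name__ == "__main__":
    # Constructed sample: review a custom role before a planned revoke.
    integrator = grant(set(), "System integration", APP)
    after = revoke(integrator, "Data collection", APP)
    print("granted implicitly:",
          sorted(side_effects(set(), integrator, "System integration")))
    print("lost with Data collection:",
          sorted(side_effects(integrator, after, "Data collection")))
    # "User" mirrors the automatic grant of all application permissions.
    roles = {"User": set(APP), "Ops": {"Manage users and roles"}}
    print("User + Ops can manage rights:",
          can_manage_rights(["User", "Ops"], roles))
    print("User alone can manage rights:",
          can_manage_rights(["User"], roles))
```

Running `side_effects` before applying a change shows which permissions a single grant or revoke will add or remove through the dependency chain, which is the part an access review is most likely to miss.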