This article delves deeper into creating multiple control planes for roles and permissions on the Zetaris platform. Lightning provides a unique feature of multi-tier user access that allows the admin user to provide a granular access control mechanism.
Understanding of Users, Roles, and Permissions
A user is anyone who can access the Lightning UI. An administrator user can provide the permissions to the users that determine the users' control in the Lightning UI, that is, the widgets that they can access and the activities they can perform within those widgets.
Lightning allows the Admin user to create a role (user group) and assign the roles to a group of users.
How to create Users/Roles in Lightning: User Management Overview
Administrator users can provide permission at the user level or role level:
The above screenshot shows the Roles & Permissions Widget for Lightning that can only be accessed by the admin user in the Lightning environment. This widget contains two consoles:
- Roles: In the Roles section, the admin user can view all the roles/user groups created within the Lightning environment. Here, the admin user grants a particular role access to widgets, and the permission is assigned to all the users with that role.
- Users: In the Users section, the admin user can view all the users created within the Lightning environment. Here, the admin user grants a particular user access to widgets.
Permission/Access assigned through a Role
This makes it easier to add/remove permissions for a group of users. The admin only needs to update the permission/privilege at the role level instead of the user level.
To provide permission for the widgets to the users via role, first, the admin user needs to create the users & roles in the Lightning environment via User Management Widget.
As in the above screenshot, the admin user has provided the Business_Analyst role with access to two widgets:
- Ndp File System: Here, the privilege is of type ‘View’ & ‘Execute’.
- Schema Store: Here, the privilege is of type ‘View’.
Here, privilege is of two types:
- View: This privilege allows the Business_Analyst users to access the ‘Schema Store’ widget & access only those data objects that have been provided access via the ‘Access Control’ Widget. The users cannot create any data objects in this widget.
- View & Execute: This privilege allows the Business_Analyst users to access the ‘Data Mart’ widget (similar to only View privilege). In addition to this, the user can create the data marts via the Data Mart widget.
Permission/Access assigned through a User
This is very useful when the permission needs to be provided at the user level instead of to the user group (role) the user belongs to.
To provide permission for the widgets to a user, the admin user first needs to create the users & roles in the Lightning environment via the User Management Widget.
As in the above screenshot, the admin user has provided access to two widgets:
- Virtual Data Mart: Here, the privilege is of type ‘View’ & ‘Execute’.
- Query Builder: Here, the privilege is of type ‘View’.
Here, privilege is of two types:
- View: This privilege allows the user ‘user3@zetaris.com’ to access the ‘Query Builder’ widget & access only those data objects that have been provided access via the ‘Query Builder’ Widget. The users cannot create any data objects in this widget.
- View & Execute: This privilege allows the user ‘user3@zetaris.com’ to access the ‘Data Mart’ widget (similar to only View privilege). In addition to this, the user can create the data marts via the Data Mart widget.
Granular level of access for the Data Objects
Once access to the widgets is provided by the admin then those widgets can be used by the users. The admin can also provide granular access to the data objects within those widgets. This can be done by the Access Control widget.
As an example, let’s consider we have two users in Lightning with Data_Analyst as their role:
Both users are provided with access to the ‘Schema Store View’ Widget. As an example, the below screenshot shows the ‘Schema Store View’ Widget access for USER1@ZETARIS.COM:
Similar access is provided to USER2@ZETARIS.COM.
Now within the ‘Schema Store View’ Widget, the admin user can provide access to different data objects via Access Control Tab:
1. Navigate to the Access Control Tab.
2. Click on the ‘AZURE_MSSQL’ data source.
3. Click on the ‘Assign Button’ under the Assigned Users section.
4. A pop-up window will open that will show the list of users. Click on the user USER1@ZETARIS.COM & then click on Apply.
5. The admin user will be able to view the USER1@ZETARIS.COM as the user with access to the ‘AZURE_MSSQL’ data source. Now click on USER1@ZETARIS.COM which will open the pop-up to provide a more granular level of table access present in the ‘AZURE_MSSQL’ data source.
6. Similarly, steps 1-5 can be followed to provide access to USER2@ZETARIS.COM for any other data source. For example, the ‘NY_VEHICLE_COLLISIONS’ data source.
7. The below images show the Lightning access for USER1@ZETARIS.COM & USER2@ZETARIS.COM with their respective data source access provided.
Similarly, the admin can provide access to the data objects for other widgets, e.g. data marts, Pipelines, Permanent Views, etc.
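The two tiers described above (widget privileges granted by role or by user, then per-data-source assignment in Access Control) can be modelled offline for an access review. This is an added example, not Zetaris code or a Lightning API: the function names and data layout are hypothetical, the sample data is constructed from the users on this page, and the rule that role-level and user-level grants combine as a union is an assumption.

```python
# Added illustration; data is constructed and the merge rule is an assumption.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    widgets: dict = field(default_factory=dict)      # direct grants: widget -> privileges
    data_sources: set = field(default_factory=set)   # Access Control assignments

def role_widgets(user, roles):
    """Widget privileges the user inherits from roles."""
    merged = {}
    for r in user.roles:
        for widget, privs in roles[r].items():
            merged.setdefault(widget, set()).update(privs)
    return merged

def effective_widgets(user, roles):
    """Assumed rule: union of role-level and user-level grants."""
    merged = role_widgets(user, roles)
    for widget, privs in user.widgets.items():
        merged.setdefault(widget, set()).update(privs)
    return merged

def can_view(user, roles, widget, data_source):
    """Tier 1 (widget privilege) and tier 2 (data object grant) must both pass."""
    privs = effective_widgets(user, roles).get(widget, set())
    return "View" in privs and data_source in user.data_sources

def review(users, roles):
    """List user-level grants that exceed what the user's roles provide."""
    findings = []
    for u in users:
        inherited = role_widgets(u, roles)
        for widget, privs in sorted(u.widgets.items()):
            extra = privs - inherited.get(widget, set())
            if extra:
                findings.append((u.name, widget, sorted(extra)))
    return findings

# Constructed sample mirroring the examples on this page.
ROLES = {"Data_Analyst": {"Schema Store View": {"View"}}}
USERS = [
    User("USER1@ZETARIS.COM", ["Data_Analyst"], {}, {"AZURE_MSSQL"}),
    User("USER2@ZETARIS.COM", ["Data_Analyst"], {}, {"NY_VEHICLE_COLLISIONS"}),
    User("user3@zetaris.com", [], {"Virtual Data Mart": {"View", "Execute"},
                                   "Query Builder": {"View"}}),
]

if __name__ == "__main__":
    for finding in review(USERS, ROLES):
        print(finding)
```

Direct user-level grants are the ones a role-based review will not see, which is why `review` reports them separately.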