Organization Security Overview

Control Hub authenticates and authorizes user accounts to secure the integrity of your organization and data.

Authentication verifies user identities. Control Hub can authenticate users using the default Control Hub authentication method or the Security Assertion Markup Language (SAML) authentication method.

Authorization determines the tasks a user can complete and the data a user can access after the user account has been authenticated. Control Hub manages user authorization based on the roles and permissions assigned to user accounts or to groups of user accounts:

Roles
Roles determine the tasks that users can perform. You can assign roles to user accounts or to groups so that all user accounts in the same group have the same roles.
Permissions
When permission enforcement is enabled for your organization, permissions determine the access level that users have on objects belonging to the organization. When you create an object within Control Hub, you become the owner of that object and have full access to it. You can share the object with other groups or user accounts within your organization. When you share the object, you grant others read, write, or execute permission on the object.

To perform tasks, you must have the appropriate object permissions as well as the role associated with the task. For example, if you have the Pipeline Editor role, you can delete pipeline versions from the repository only when granted write permission on the pipeline.

To create a multitenant environment within your organization, create groups of users and then share objects within the groups to grant each group access to the appropriate objects.

For example, let's say that both the Finance and Marketing departments develop their own pipelines, start their own jobs, and measure the performance of their own topologies. Each group needs access only to its own pipelines, fragments, jobs, and topologies. To set up the multitenant environment, create a Finance group and assign all users in the Finance department to it, and create a Marketing group for users in the Marketing department. Then assign the appropriate roles to each group.

After a Finance user publishes a pipeline to Control Hub and starts a job for the pipeline, the user shares the pipeline and job with the Finance group, granting all users in the Finance group access to the pipeline, associated fragment, and job. Users in the Marketing group cannot access the Finance objects because they are not granted any permissions on those objects.
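The rule described above (a task needs both the role and the object permission) and the Finance/Marketing scenario, modeled in Python as an added example; this is not Control Hub code or its API. The user names, the object name, and the behavior when enforcement is off (the role alone decides) are assumptions.

```python
from dataclasses import dataclass, field

# Task -> (required role, required object permission). Only the pairing the
# page states is listed; anything else would be an assumption.
TASKS = {"delete_pipeline_version": ("Pipeline Editor", "write")}

@dataclass
class Org:
    enforce_permissions: bool = True
    members: dict = field(default_factory=dict)  # group -> set of users
    roles: dict = field(default_factory=dict)    # user or group -> set of roles
    owners: dict = field(default_factory=dict)   # object -> owning user
    shares: dict = field(default_factory=dict)   # (object, principal) -> perms

    def principals(self, user):
        """The user plus every group the user belongs to."""
        return {user} | {g for g, m in self.members.items() if user in m}

    def has_role(self, user, role):
        return any(role in self.roles.get(p, set()) for p in self.principals(user))

    def has_permission(self, user, obj, perm):
        if not self.enforce_permissions:  # assumption: role alone decides
            return True
        if self.owners.get(obj) == user:  # owner has full access
            return True
        return any(perm in self.shares.get((obj, p), set())
                   for p in self.principals(user))

    def can(self, user, task, obj):
        role, perm = TASKS[task]
        # Both conditions must hold; neither one is sufficient alone.
        return self.has_role(user, role) and self.has_permission(user, obj, perm)

def finance_marketing_org():
    """Constructed sample data for the Finance/Marketing scenario."""
    return Org(
        members={"Finance": {"fay", "finn"}, "Marketing": {"mia"}},
        roles={"Finance": {"Pipeline Editor"}, "Marketing": {"Pipeline Editor"}},
        owners={"finance-pipeline": "fay"},
        shares={("finance-pipeline", "Finance"): {"read"},
                ("finance-pipeline", "ann"): {"write"}},  # ann holds no role
    )

if __name__ == "__main__":
    org = finance_marketing_org()
    for user in ("fay", "finn", "mia", "ann"):
        print(user, org.can(user, "delete_pipeline_version", "finance-pipeline"))
```

Only the owner passes at first: the Finance group was shared read access only, the Marketing user has the role but no permission, and the directly shared user has write permission but no role.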