Organizations
An organization is a secure space provided to a set of Control Hub users. All Data Collectors, pipelines, jobs, topologies, and other objects added by any user in the organization belong to that organization. A user logs in to Control Hub as a member of an organization and can access data that belongs to that organization only.
Control Hub includes a default system organization with an ID of admin and a single system administrator user account within that organization. A system administrator can complete full administrative tasks across all Control Hub organizations.
Create organizations for your enterprise separate from the system organization. When you create an organization, you create an organization administrator that can perform administrative tasks for that organization only.
You can create a single organization for your enterprise where you add all users. Or you can create multiple organizations for your enterprise. For example, you might create one organization for the Northern Office and another organization for the Southern Office. Users in the Northern Office organization cannot access any data that belongs to the Southern Office organization.
You can use groups to efficiently assign roles and permissions to sets of users within an organization without having to edit individual users. If you create multiple organizations, you can configure global properties that affect all organizations.
System Organization
Control Hub includes a single default system organization with an ID of admin.
- Users in the system organization can be assigned administrator roles that are not available for any other organization.
- Security Assertion Markup Language (SAML) authentication cannot be enabled for the system organization. Users in the system organization can be authenticated using built-in Control Hub authentication only.
- The system organization includes a set of pipelines that can be used as system sample pipelines when users in other organizations design pipelines in Control Hub. For more information, see System Sample Pipelines.
Administrator Roles
Users created in the system organization can be assigned administrator roles that are not available for any other organization.
The following table describes the tasks that each administrator role can perform:
Role | Description |
---|---|
System Administrator | Provides full administrative capabilities: |
License Administrator | Provides limited administrative capabilities: |
For a description of all other roles, see Role Descriptions.
Organizations and Groups
You can use both organizations and groups to create sets of users. However, there are important differences between the two:
- Organizations
  - Organizations are required. When you create a user, you must specify the organization that the user belongs to.
- Groups
  - Groups are optional groupings of users within a single organization. Use groups to more efficiently assign roles and permissions to sets of users without having to edit individual users. When you create a user, you can optionally specify the groups that the user belongs to.
- To create a multitenant environment with organizations, simply create multiple organizations and add the appropriate users to each organization.
- To create a multitenant environment with multiple groups in a single organization, enable permissions for the organization, create groups of users, and then share objects within the groups to grant each group access to the appropriate objects.
For more information about using groups and permissions to create a multitenant environment, see Users and Groups.
Organization Configuration
As the system administrator, you can configure organization properties at a global level to affect all organizations or at an organization level to affect a specific organization. Some properties can be overridden by the organization administrator for each organization.
- To configure organization properties at a global level to affect all organizations, click the Global Configuration icon in the top toolbar.
- To configure organization properties at an organization level to affect a specific organization, hover over the organization row, and then click the Configuration icon.
  Note: After you save organization properties for a specific organization, no subsequent change made at the global level applies to this organization.
Organization Property | Description |
---|---|
Enable Time Series Analysis | Enables Control Hub to store time series data for organizations which users can analyze when monitoring jobs. When time series analysis is disabled, users can still view the total record count and throughput for a job, but cannot view the data over a period of time. For example, they can’t view the record count for the last five minutes or for the last hour. Only system administrators can view and change this value. |
Maximum number of jobs for the organization | Maximum number of jobs in the organization. Only system administrators can view and change this value. |
System limit on the execution engine heartbeat interval | Largest value that an organization administrator can set for the maximum number of seconds since the last reported execution engine heartbeat. If the last reported time exceeds this value, Control Hub considers the execution engine - Data Collector or Transformer - as unresponsive. Only system administrators can view and change this value. |
System limit on the maximum number of job runs | Largest value that an organization administrator can set for the maximum number of job runs to retain the job history for. Only system administrators can view and change this value. |
System limit on the maximum number of days before job status history is purged | Largest value that an organization administrator can set for the maximum number of days to retain the job history from each retained job run. Only system administrators can view and change this value. |
Maximum number of pipelines for the organization | Maximum number of pipelines for the organization. Only system administrators can view and change this value. |
Enable scheduler purge | Enables purging the details for scheduled task runs. Only system administrators can view and change this value. |
System limit on the maximum number of scheduler runs | Largest value that an organization administrator can set for the maximum number of scheduled task runs to retain the details for. Only system administrators can view and change this value. |
System limit on the maximum number of days before scheduler runs are purged | Largest value that an organization administrator can set for the maximum number of days to retain run details for each scheduled task. Only system administrators can view and change this value. |
Disable API Offset and Lengths Check | Disables limiting the number of objects retrieved by API requests. When selected, a single API request can return all results. Clear the property if API requests consume a large amount of resources. In most cases, you do not need to modify this property. Only system administrators can view and change this value. |
Maximum number of Data Collectors in the organization | Maximum number of Data Collectors in the organization. Only system administrators can view and change this value. |
Maximum number of users in the organization | Maximum number of users in the organization. Only system administrators can view and change this value. |
Disable SAML Backdoor | Disables the SAML backdoor for organizations that have enabled SAML authentication. As a best practice, Control Hub provides a SAML backdoor that allows administrators to log in using Control Hub credentials if the SAML IdP is incorrectly configured and users cannot log in using SAML authentication. SAML providers recommend having a backdoor available for administrators to use to access a locked system. Disable the backdoor with caution. If disabled and the SAML IdP is incorrectly configured within Control Hub, you must work with StreamSets customer support to resolve the issue. Only system administrators can view and change this value. |
System limit on the maximum number of time series purge days | Largest value that an organization administrator can set for the maximum number of days that a job can be inactive before the metrics for that job are deleted. Only system administrators can view and change this value. |
Maximum number of topologies for the organization | Maximum number of topologies for the organization. Only system administrators can view and change this value. |
Enable events to trigger subscriptions | Enables events so that Control Hub can trigger subscriptions for organizations. Disable events if you do not want users to use subscriptions. An organization administrator can override this property for an organization. |
Enable System Data Collector | Enables users to select the system Data Collector as the authoring Data Collector for creating new pipelines. Enable the system Data Collector as an authoring Data Collector to let users create pipelines when they cannot access a registered Data Collector that meets the requirements for an authoring Data Collector. The system Data Collector cannot be used for data preview or pipeline validation. Disable the system Data Collector to force users to create pipelines with a registered Data Collector. Designing pipelines using an authoring Data Collector that is a newer version than the execution Data Collector can cause errors. An organization administrator can override this property for an organization. |
Enforce permissions during object access | Enables permission enforcement to secure the integrity of organization data. Disable permission enforcement if you want all users in the organization to have full access to all objects. An organization administrator can override this property for an organization. |
Engine reachability timeout | Number of milliseconds that Control Hub waits for a response from an authoring engine before considering the engine as not accessible. When the engine is not accessible, you cannot select that engine as the authoring engine when designing pipelines or creating connections. In most cases, the default value should be appropriate. Try increasing the value when the authoring engines are running, but the authoring engine selection pages indicate that engines are not accessible. An organization administrator can override this property for an organization. |
Execution engine heartbeat interval | Maximum number of seconds since the last reported Data Collector or Transformer heartbeat before Control Hub considers the engine unresponsive. In most cases, the default value of 300 seconds, or five minutes, is sufficient. An organization administrator can override this property for an organization. The maximum value is the corresponding system limit. |
Maximum number of days before job status history is purged | Maximum number of days to retain the job history from each retained job run. An organization administrator can override this property for an organization. The maximum value is the corresponding system limit. |
Maximum number of job runs | Maximum number of job runs to retain the job history for. An organization administrator can override this property for an organization. The maximum value is the corresponding system limit. |
Maximum number of scheduler runs | Maximum number of scheduled task runs to retain the details for. An organization administrator can override this property for an organization. The maximum value is the corresponding system limit. |
Maximum number of days before scheduler runs are purged | Maximum number of days to retain run details for each scheduled task. An organization administrator can override this property for an organization. The maximum value is the corresponding system limit. |
Inactivity period for session termination | Maximum number of minutes that a user session can remain inactive before timing out. A user session is considered inactive when all browser tabs opened by the user and accessing Control Hub are not in focus or are closed. An organization administrator can override this property for an organization. |
Maximum number of days before time series metrics are purged | Maximum number of days that a job can be inactive before the metrics for that job are deleted. An organization administrator can override this property for an organization. The maximum value is the corresponding system limit. |
You can also configure all SAML identity provider (IdP) properties at the global or organization level. An organization administrator can override any of the IdP properties.
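The precedence and limit rules in the Organization Configuration table, modeled as an added example (not StreamSets code or a Control Hub API): a saved organization-level copy stops following global changes, organization administrator values are capped by the system limit, and the security-relevant properties are reviewed on the effective values. The dict layout, function names, sample values and the 30-minute idle policy are assumptions; only the property names come from the table.

```python
# Added example: models the page's rules on constructed data. The dict layout
# is an assumption, not a Control Hub export format or API.
HEARTBEAT = "Execution engine heartbeat interval"
HEARTBEAT_LIMIT = "System limit on the execution engine heartbeat interval"
ENFORCE = "Enforce permissions during object access"
NO_BACKDOOR = "Disable SAML Backdoor"
NO_API_CHECK = "Disable API Offset and Lengths Check"
SESSION = "Inactivity period for session termination"

def effective(global_props, org_saved):
    """Once an organization's properties are saved, that copy is used as a
    whole and later global changes no longer apply to it."""
    return dict(org_saved) if org_saved is not None else dict(global_props)

def set_as_org_admin(props, name, limit_name, value):
    """An organization administrator's value is capped at the system limit."""
    if value > props[limit_name]:
        raise ValueError(f"{name}: {value} exceeds system limit {props[limit_name]}")
    props[name] = value

def review(props, saml_enabled, max_idle_minutes=30):
    """Return findings; max_idle_minutes is a local policy assumption."""
    findings = []
    if not props[ENFORCE]:
        findings.append("permissions not enforced: all users have full access to all objects")
    if saml_enabled and props[NO_BACKDOOR]:
        findings.append("SAML backdoor disabled: a misconfigured IdP needs vendor support to recover")
    if props[NO_API_CHECK]:
        findings.append("API offset/length check disabled: one request can return all results")
    if props[SESSION] > max_idle_minutes:
        findings.append(f"idle session timeout {props[SESSION]} min exceeds policy {max_idle_minutes}")
    return findings

# Constructed sample values.
GLOBAL = {HEARTBEAT: 300, HEARTBEAT_LIMIT: 600, ENFORCE: True,
          NO_BACKDOOR: False, NO_API_CHECK: False, SESSION: 30}
# Southern Office was saved at organization level with weaker settings.
SOUTHERN_SAVED = {**GLOBAL, ENFORCE: False, NO_BACKDOOR: True, SESSION: 120}

def demo():
    global_now = {**GLOBAL, SESSION: 15}            # later global tightening
    north = effective(global_now, None)             # no saved copy: follows global
    south = effective(global_now, SOUTHERN_SAVED)   # saved copy: unaffected
    return north, south, review(north, True), review(south, True)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The Southern Office result shows why a global hardening change has to be followed by a per-organization review: its saved copy keeps the 120-minute session timeout and disabled permission enforcement.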