Roles and Permissions
Data Collector allows you to assign roles and pipeline permissions to users and groups.
Roles, such as Creator or Manager, enable users to perform different Data Collector tasks. Each user needs at least one role to access Data Collector.
Permissions determine read, write, and execute access to individual pipelines. Users generally need a combination of roles and permissions to perform pipeline-related tasks. For example, to edit a pipeline, you need the Creator role as well as read and write permission for the pipeline.
Use groups to easily assign pipeline permissions to sets of users. When using LDAP authentication, you can also assign roles to LDAP groups. When a user belongs to a group, the user has the combination of the access assigned to the group and to the user individually.
When necessary, you can transfer permissions from a user or group to another user or group.
Note that users with the Admin role have full access to every pipeline. And the owner of a pipeline has full access to the pipeline. These users can also change who owns the pipeline.
Roles
Roles enable you to perform Data Collector tasks. Every user requires at least one role to access Data Collector.
When using file-based authentication, you must assign at least one role to each user.
When using LDAP authentication, you can assign roles to users or groups. If the user belongs to a group, any roles associated with the group are granted to the user in addition to the roles assigned directly to the user.
| Role | Tasks |
|---|---|
| admin | Perform any Data Collector task. Can perform all tasks listed below, as well as activate Data Collector, restart and shut down Data Collector, and view Data Collector metrics. Enable Control Hub. Install libraries using Package Manager. Generate support bundles. |
| manager | Start and stop pipelines, monitor pipelines, configure and reset alerts. Take, review, and manage snapshots. |
| creator | Create and configure pipelines and alerts, preview data, and monitor the pipeline. Import pipelines. |
| guest | View pipelines and alerts, and general monitoring information. Export a pipeline. |
Pipeline Permissions
Pipeline permissions determine the access that users have to a pipeline. The owner of the pipeline and users with the Admin role have full access to a pipeline. As a pipeline owner or a user with the Admin role, you can also assign pipeline permissions to individual users and to groups.
To perform pipeline-related tasks, you must have the appropriate pipeline permissions as well as the role associated with the task. For example, a user with the Guest role can only view a pipeline when granted read permission for it. Similarly, to edit a pipeline with a Creator role, you need both read and write permission on the pipeline.
To easily enable pipeline access to sets of users, grant permissions to groups. For example, say you have five users who require read and execute access to run several pipelines. To allow this, you must share each pipeline with each of these users. But if the users are in a single Operations group, you can simply assign read and execute access to the Operations group instead of assigning the permissions to each user individually.
To use pipeline permissions, enable the pipeline.access.control.enabled Data Collector configuration property, and configure the permissions on a pipeline-by-pipeline basis.
By default, the pipeline.access.control.enabled property is disabled. When pipeline permissions are disabled, access to pipelines is based on the roles assigned to the user and its groups.
You can configure the following pipeline permissions:
| Permission | Description |
|---|---|
| Read | View and monitor the pipeline, and see alerts. View existing snapshot data. |
| Write | Edit the pipeline and alerts. |
| Execute | Start and stop the pipeline. Preview data and take a snapshot. |
For details about sharing pipelines with users and groups, see Sharing a Pipeline.
Roles and Permissions for Common Tasks
Performing Data Collector tasks generally requires a combination of roles and permissions. The following table outlines the requirements to perform common tasks.
| Task | Role | Pipeline Permissions |
|---|---|---|
| View a pipeline | Any | Read |
| Create a pipeline | Creator or Admin | None |
| Edit a pipeline | Creator or Admin | Read and write |
| Preview a pipeline | Creator or Admin | Read and execute |
| Start and stop a pipeline | Manager or Admin | Read and execute |
| View existing snapshot data | Manager or Admin | Read |
| Monitor a pipeline and take snapshots | Manager or Admin | Read and execute |
| Duplicate a pipeline | Creator or Admin | Read |
| Import a pipeline to a new pipeline | Creator or Admin | None |
| Import a pipeline to an existing pipeline | Creator or Admin | Read and Write |
| Export a pipeline | Any | Read |
| Share a pipeline and configure permissions | Admin | None |
| View pipeline permissions | Any | Read |
| Start or stop Data Collector | Admin | Not applicable |
| View log data and Data Collector metrics | Admin | Not applicable |
| Install or uninstall stage libraries with the Package Manager | Admin | Not applicable |
Transfer Pipeline Permissions
You can transfer pipeline permissions from a user or group to another user or group. When you transfer permissions, all pipeline permissions are passed to the target user or group. Pipeline ownership transfers only from a user to another user.
Transfer permissions when a user account or group becomes obsolete, such as when a user leaves the company or when you register Data Collector with StreamSets Control Hub. You might also transfer permissions when a user changes positions within the company.
For example, say a JD user account belongs to a pipeline developer who has created several pipelines and is now transitioning to operations. As the pipeline creator, JD has full rights to the pipelines that she created. The pipelines are about to go into production, so she needs read and execute permission to run the pipelines, but she should no longer be able to edit them.
To handle this situation, you can transfer all permissions associated with the JD account to another development user or a development group. Then assign JD to an Ops group with the Manager role and assign the Ops group the read and execute permissions for the pipelines they need to run. Or, without an Ops group, you simply assign the Manager role to the JD user account and edit the pipeline permissions to grant read and execute permissions to JD.
When you transfer permissions, the Transfer User and Group Permissions dialog box lists any users or groups that no longer exist but are still associated with pipeline permissions. This allows you to easily transfer permissions from obsolete users and groups.
Transferring Permissions
You can transfer all permissions from a user or group to another user or group.
To change the permissions related to individual pipelines, configure the sharing properties for each pipeline. For more information, see Sharing Pipelines.
-
To transfer permissions, click the Administration icon
and then click Transfer Permissions.
The Transfer User & Group Permissions dialog box displays.
-
If users or groups are listed, review the list and correct the suggested
mappings as needed.
On the left side of the dialog box, Data Collector lists any users or groups that no longer exist but still have pipeline permissions. This allows you to easily transfer permissions from those users and groups.The right side of the dialog box displays the list of available users and groups. Select the user or group to receive the permissions for each mapping.Or, if you do not want to transfer permissions from a listed user or group, use the Subtract icon to remove the row.
- Using simple or bulk edit mode, click the Add icon to add a row.
- On the left side, enter the name of the user or group that you want to transfer permissions from.
-
On the right side, select the user or group to receive those permissions.
Pipeline ownership can only be transferred to another user. If you transfer permissions from a user to a group and the user is also a pipeline owner, the user retains ownership. A user with the Admin role can transfer the pipeline ownership to another user, as needed.Note: You can transfer permissions from a user or group to a single user or group. If you map the same user or group to multiple targets, Data Collector transfers permission to the last user or group in the list.
-
Add as many rows and mappings as needed, then to save your changes, click
Update.
The permission changes take effect immediately.