Updated on 2024-04-29 GMT+08:00

Configuring Roles

Role management in DataArts Security provides more intuitive and powerful permission management capabilities based on permission sets. The difference between a role and a permission set is that a permission set directly associates users with permissions, while a role is created or managed on the data source to carry the association between users and permissions.

If you associate roles with permission sets on the role management page, permissions are synchronized only to roles instead of users. You are advised to use role management to manage permissions and permission relationships more intuitively. Role management also allows you to use managed roles to manage existing data source permissions.

  • Common roles: Create roles on the data source to bear the associations between users and permissions.
  • Manage roles: Manage existing roles on the MRS data source and inherit their permissions on the MRS data source. (To view existing roles on the MRS data source, log in to MRS FusionInsight Manager and choose System > Permission > Role.)

This section describes Configuring a Common Role, Configuring Managed Roles, and Related Operations.

Prerequisites

  • You have configured a workspace permission set. For details, see Configuring Workspace Permission Sets.
  • During the synchronization of MRS and GaussDB(DWS) roles, the system uses the users in the data connections in Management Center to perform addition, deletion, modification, and query operations. Users in the data connections must have the following permissions:
    • Users in MRS Ranger connections must have the admin permission of the Ranger component.
    • If rights separation mode (RSM) is disabled, database users in GaussDB(DWS) connections must have at least the dbadmin permission of the database. If RSM is enabled, users must have the system administrator permissions.

    For details about the configuration method, see Preparation 2: Checking Configuration Based on the Checklist.

  • If you want to view the metadata of databases, tables, and fields in data connections during permission configuration in fast mode, table metadata must have been collected in DataArts Catalog through a metadata collection task.

Constraints

  • Currently, roles can only be associated with MRS and GaussDB(DWS) clusters.
  • Workspace permission sets are mainly used to define the permissions of workspaces rather than manage permissions. Roles cannot be associated with workspace permission sets.
  • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
  • If you associate roles with permission sets, permissions are synchronized only to roles instead of users.
  • Role management is available only when the version of the CDM cluster selected for the agent in the data connection is 2.10.0.300 or later.
  • During the synchronization of MRS and GaussDB(DWS) roles, the system uses the users in the data connections in Management Center to perform addition, deletion, modification, and query operations. Users in the data connections must have the following permissions:
    • Users in MRS Ranger connections must have the admin permission of the Ranger component.
    • If rights separation mode (RSM) is disabled, database users in GaussDB(DWS) connections must have at least the dbadmin permission of the database. If RSM is enabled, users must have the system administrator permissions.

    For details about the configuration method, see Preparation 2: Checking Configuration Based on the Checklist.

  • Only the directory permissions of the cluster are displayed for roles in the workspace.
  • During permission synchronization, you need to configure required permissions for the dlg_agency. For details, see Preparation 1: Authorizing dlg_agency.
  • The current data permission control uses an allowlist mechanism: it adds permissions for the users to be authorized without affecting the permissions those users already have. If you want only the permissions granted by the data permission control to take effect, revoke the original permissions of the users to be authorized first. For details, see Data Permission Management.
  • During script execution and job testing in DataArts Factory, the MRS or GaussDB(DWS) data source uses the account of the data connection for authentication by default. Therefore, permission management still does not take effect during data development. You need to enable a permission application so that the current user is used for authentication during script execution and job testing in DataArts Factory. In this way, different users have different data permissions, and permission management for roles and permission sets takes effect.

Configuring a Common Role

  1. On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.

    Figure 1 DataArts Security

  2. In the navigation pane on the left, choose Role Management.
  3. Use either of the following methods to configure a common role:

    • Configuring an existing role: On the Role Management page, permission sets that have been created in Creating a Permission Set are displayed in the navigation tree as common roles by default. You can click a role name to go to the role details page.
      Figure 2 Role details page

    • Creating a role: On the Role Management page, click in the navigation tree and select Create Common Role. Set the parameters listed in Table 1 and click OK. The details page of the created role is displayed by default.
      Table 1 Parameters

      • *Name: Permission set name, which is unique in the instance. Include the meaning of the permission set in the name and avoid meaningless descriptions so that the permission set can be quickly identified.
      • *Parent Permission Set: Select a parent permission set, which can be a workspace permission set or another permission set. After you select a parent permission set, the permissions of the current permission set are a subset of the parent permission set's permissions.
      • *Administrator: The administrators are the owners of the permission set and can configure the permissions in the permission set. The administrators can perform the following operations:
        • Permission configuration: Assign data source permissions to the workspace permission set.
        • User configuration: Assign permissions in the workspace permission set to users, user groups, or workspace roles.
        • Permission set creation: Create permission sets and roles based on the workspace permission set. The created permission sets do not contain more permissions than the workspace permission set.
      • Description: Information that makes the permission set easier to identify.

      Figure 3 Creating a common role

  4. In the Basic Information area, you can view the name, ID, and administrator of the role. For details, see Figure 4.

    After configuring roles and permissions, you can synchronize them by clicking Synchronize Permissions and Synchronize Role Information in the upper right corner.
    Figure 4 Basic role information

  5. Data Source Role Associations: On this page, you can click Associate to create roles for associating users and permissions.

    Figure 5 Data Source Role Associations page

    Click Associate. In the displayed dialog box, select data sources, set Associated Role Name, and click OK.

    Figure 6 Associate

    If you no longer need an association, click Disassociate in the Operation column to disassociate the current role from the role in the data source and delete the role from the data source. After the association is canceled, permissions are no longer synchronized to the role and are synchronized only to user information.

  6. Permissions: On the role details page, click the Permissions tab. By default, By data is selected. You can also select By permissions. The configured permissions are the same for By data and By permissions, and the only difference lies in how the permissions are displayed. You are advised to select By permissions for batch authorization.

    • By data: The system allows you to configure permissions for data. Currently, only MRS data sources are supported.
      Figure 7 Configuring permissions on the By data page

      When configuring permissions, you can select Entire DB, Entire table, or Entire column, and select the corresponding levels in the data source information to perform a batch authorization. You can also click Authorization in the Operation column of a data record in the expanded navigation pane to authorize access to the data.

      For data view authorization, the system also provides Fast mode and Show data this role has no permission to. If Fast mode is enabled, metadata of databases, tables, and columns is obtained from DataArts Catalog. Otherwise, metadata is obtained from the data source. If metadata has been collected, you are advised to enable Fast mode.
      • Note that the permissions of databases, tables, and columns are managed by layer. For example, a user who has been granted database permissions does not have the permissions of tables and columns. Table and column permissions must be granted separately.

        For example, if you enter a table name or an asterisk (*) as a wildcard during database authorization, you are authorizing the table. Note that you cannot enter an asterisk (*) as a wildcard character for the databases, schemas, and tables in GaussDB(DWS). If you enter a column name or an asterisk (*) as a wildcard character, you are authorizing the column.

      • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
      Figure 8 Authorization on the By data page
    • By permissions: The system allows you to configure permissions.
      To configure permissions, click Add and select data levels in sequence. You cannot select multiple objects at the same level (such as database, table, and column) for batch authorization. Permission Type cannot be set to DENY.
      • Note that the permissions of databases, tables, and columns are managed by layer. For example, a user who has been granted database permissions does not have the permissions of tables and columns. Table and column permissions must be granted separately.

        For example, if you enter a table name or an asterisk (*) as a wildcard during database authorization, you are authorizing the table. Note that you cannot enter an asterisk (*) as a wildcard character for the databases, schemas, and tables in GaussDB(DWS). If you enter a column name or an asterisk (*) as a wildcard character, you are authorizing the column.

      • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
      After configuring permissions, you can edit, synchronize, or delete them.
      Figure 9 Configuring permissions on the By permissions page

  7. Members: On the role details page, click the Members tab.

    Members associate the roles on the Data Source Role Associations page with users. Click Add to add users, user groups, or workspace roles to roles. You can select users or user groups that have been added to the workspace.
    Figure 10 Members

  8. Subroles: On the role details page, click the Subroles tab.

    On this page, you can view the subroles of the current role.
    Figure 11 Viewing subroles

  9. Directory Permissions: On the role details page, click the Directory Permissions tab.

    Directory permissions obtain the HDFS policies of this role from the Ranger component to display the HDFS paths to which this role has permissions. In addition, you can view the operation permissions of the paths. You can search for the permissions of a path. Only exact match is supported.

    Figure 12 Viewing directory permissions

  10. Log: On the role details page, click the Log tab.

    On this page, you can view the log details if permission synchronization fails. Every day at 00:00, the system deletes logs that are older than 30 days.
    Figure 13 Viewing logs

  11. After the role is configured, it does not take effect immediately. You need to synchronize the permissions and role to the data source for permission management to take effect. For details, see Related Operations.

Configuring Managed Roles

  1. On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.

    Figure 14 DataArts Security

  2. In the navigation pane on the left, choose Role Management.
  3. On the Role Management page, click in the navigation tree and select Create Managed Role. In the displayed dialog box, select a Ranger connection, set Parent Permission Set/Role, and click Manage in the Operation column of the MRS roles to be managed. You can also select multiple MRS roles to be managed and click Manage above the list.

    If you no longer want to manage roles, you can delete the managed roles from the role management navigation tree. After the managed roles are deleted, permissions are no longer synchronized to the roles and only synchronized to user information.

    Figure 15 Creating a managed role

  4. Close the Manage Role dialog box and return to the Role Management page. In the role management navigation tree, locate the MRS role added in the previous step and click the role name to go to the role details page.
  5. In the Basic Information area, you can view the name, ID, and administrator of the role. For details, see Figure 16.

    After configuring roles and permissions, you can synchronize them by clicking Synchronize Permissions and Synchronize Role Information in the upper right corner.
    Figure 16 Basic role information

  6. Members: On this page, you can view the users or user groups associated with the MRS role. Currently, users cannot be added to managed roles in DataArts Security.

    Figure 17 Members

  7. Permissions: On the role details page, click the Permissions tab. By default, By data is selected. You can also select By permissions. The configured permissions are the same for By data and By permissions, and the only difference lies in how the permissions are displayed. You are advised to select By permissions for batch authorization.

    • By data: The system allows you to configure permissions. If a metadata collection task has been executed successfully, you can view the data source information and click to expand the navigation pane.
      Figure 18 Configuring permissions on the By data page

      When configuring permissions, you can select Entire DB, Entire table, or Entire column, and select the corresponding levels in the data source information to perform a batch authorization. You can also click Authorization in the Operation column of a data record in the expanded navigation pane to authorize access to the data.

      For data view authorization, the system also provides Fast mode and Show data this role has no permission to. If Fast mode is enabled, metadata of databases, tables, and columns is obtained from DataArts Catalog. Otherwise, metadata is obtained from the data source. If metadata has been collected, you are advised to enable Fast mode.
      • Note that the permissions of databases, tables, and columns are managed by layer. For example, a user who has been granted database permissions does not have the permissions of tables and columns. Table and column permissions must be granted separately.

        For example, if you enter a table name or an asterisk (*) as a wildcard during database authorization, you are authorizing the table. Note that you cannot enter an asterisk (*) as a wildcard character for the databases, schemas, and tables in GaussDB(DWS). If you enter a column name or an asterisk (*) as a wildcard character, you are authorizing the column.

      • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
      Figure 19 Authorization on the By data page
    • By permissions: The system allows you to configure permissions.
      To configure permissions, click Add and select data levels in sequence. You cannot select multiple objects at the same level (such as database, table, and column) for batch authorization. Permission Type cannot be set to DENY.
      • Note that the permissions of databases, tables, and columns are managed by layer. For example, a user who has been granted database permissions does not have the permissions of tables and columns. Table and column permissions must be granted separately.

        For example, if you enter a table name or an asterisk (*) as a wildcard during database authorization, you are authorizing the table. Note that you cannot enter an asterisk (*) as a wildcard character for the databases, schemas, and tables in GaussDB(DWS). If you enter a column name or an asterisk (*) as a wildcard character, you are authorizing the column.

      • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
      After configuring permissions, you can edit, synchronize, or delete them.
      Figure 20 Configuring permissions on the By permissions page

  8. Directory Permissions: On the role details page, click the Directory Permissions tab.

    Directory permissions obtain the HDFS policies of this role from the Ranger component to display the HDFS paths to which this role has permissions. In addition, you can view the operation permissions of the paths. You can search for the permissions of a path. Only exact match is supported.

    Figure 21 Viewing directory permissions

  9. The permissions configured for the managed role do not take effect immediately. You need to manually synchronize the permissions to the Ranger component for permission management to take effect. For details, see Synchronizing Permissions.
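The object-name rule and the layer-by-layer permission model described in the By data and By permissions steps of both the common-role and managed-role procedures above are the two points most often misread when granting access, so here they are modelled in a short added example. This is not DataArts Security or DataArts Studio code: the policy, the action names and the "MRS"/"DWS" source labels are constructed for illustration, and interpreting the wildcard (*) with shell-style matching is an assumption, not something the page states.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Object-name rule from the page: digits, letters, underscores, hyphens and
# the wildcard (*). Anything else (spaces, dots, semicolons) is rejected.
_OBJECT_NAME = re.compile(r"^[A-Za-z0-9_\-*]+$")

# Layers, outermost first. Permissions are managed per layer: a database
# grant does not imply table or column access.
LEVELS = ("database", "table", "column")


def validate_object_name(name: str, level: str, source: str) -> bool:
    """Return True if `name` may be entered at `level` for `source`.

    `source` is "MRS" or "DWS" (labels chosen for this example). GaussDB(DWS)
    does not accept '*' for databases, schemas or tables, only at column level.
    """
    if level not in LEVELS or not _OBJECT_NAME.match(name):
        return False
    if source == "DWS" and "*" in name and level != "column":
        return False
    return True


@dataclass(frozen=True)
class Grant:
    """One allow entry. There is no DENY: the page's model is an allowlist."""
    level: str              # "database", "table" or "column"
    database: str           # name or wildcard pattern
    actions: frozenset      # e.g. frozenset({"SELECT"}); action names are constructed
    table: str = ""         # set for table and column grants
    column: str = ""        # set for column grants


def is_allowed(grants, level, action, database, table="", column=""):
    """Allowed iff some grant on the *same* layer matches every name.

    Grants are unioned (allowlist semantics); nothing can subtract access.
    Wildcard matching via fnmatchcase is an assumption of this example.
    """
    for g in grants:
        if g.level != level or action not in g.actions:
            continue
        if not fnmatchcase(database, g.database):
            continue
        if level in ("table", "column") and not fnmatchcase(table, g.table):
            continue
        if level == "column" and not fnmatchcase(column, g.column):
            continue
        return True
    return False


# Constructed sample policy for the walk-through.
SAMPLE_GRANTS = (
    Grant("database", "sales", frozenset({"SELECT"})),
    Grant("table", "sales", frozenset({"SELECT"}), table="orders_*"),
    Grant("column", "sales", frozenset({"SELECT"}), table="orders_2024", column="amount"),
)


def demo_checks(grants=SAMPLE_GRANTS):
    """Run a few requests against the sample policy and return the outcomes."""
    return {
        # the database-level grant covers the database-level operation
        "db_select": is_allowed(grants, "database", "SELECT", "sales"),
        # ...but not a table that has no table-level grant of its own
        "customers_table": is_allowed(grants, "table", "SELECT", "sales", table="customers"),
        # the wildcard table grant matches orders_2023
        "orders_2023_table": is_allowed(grants, "table", "SELECT", "sales", table="orders_2023"),
        # column grants are separate again: amount yes, card_no no
        "amount_column": is_allowed(grants, "column", "SELECT", "sales", table="orders_2024", column="amount"),
        "card_no_column": is_allowed(grants, "column", "SELECT", "sales", table="orders_2024", column="card_no"),
        # an action that was never granted is not covered
        "orders_insert": is_allowed(grants, "table", "INSERT", "sales", table="orders_2023"),
    }


if __name__ == "__main__":
    for check, outcome in demo_checks().items():
        print(f"{check:20s} {'ALLOW' if outcome else 'no grant'}")
```

The `customers_table` and `card_no_column` outcomes are the ones to look at: a database grant on `sales` does nothing for a table request, and a column grant on `amount` does nothing for `card_no`, which is exactly why the text says table and column permissions must be granted separately.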

Related Operations

  • Synchronizing permissions: After configuring data permissions on the Role Management page, you need to synchronize the permissions to the data source for permission management to take effect.

    To synchronize permissions, click Synchronize Permissions in the upper right corner of the Basic Information area on the role details page. To synchronize the permissions of multiple roles, select the roles in the role management navigation tree and click above the navigation tree.

  • Synchronizing roles: In common role management (managed roles do not need to be synchronized), after a permission set is associated with a role, the role takes effect only after being synchronized to the data source.

    To synchronize a role, click Synchronize Role Information in the upper right corner of the Basic Information area or click Synchronize in the Operation column on the Data Source Role Associations tab page. To synchronize multiple roles, select the roles in the role management navigation tree and click above the navigation tree.

    • After role synchronization is successful, MRS data source roles are named in Role name_Timestamp format, and the GaussDB(DWS) data source roles are named in dataarts_studio_role_Role name format.
    • In scenarios where roles are synchronized to an MRS cluster, after the system prompts a successful role synchronization, permission management takes effect after about five minutes during which the Ranger component automatically synchronizes roles from the MRS cluster. You can check whether the synchronization is complete based on Data Source Role Name on the Data Source Role Associations tab page.
      • Roles that are not synchronized are named in Role name_10-digit timestamp format.
      • Roles that have been synchronized are named in Role name_13-digit timestamp format.
  • Deleting roles: Select roles in the role management navigation tree and click above the navigation tree to delete the roles.
    Common roles for which roles, permissions, users, or child permission sets have been configured cannot be deleted, and managed roles for which permissions have been configured cannot be deleted either. To delete such roles, delete the related configurations first. In addition, deleting a managed role disassociates it from the corresponding data source role.

    The deletion operation cannot be undone. Exercise caution when performing this operation.
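As an added example, the following script applies the naming rules above (Role name_10-digit timestamp for pending and Role name_13-digit timestamp for synchronized MRS roles, dataarts_studio_role_Role name for GaussDB(DWS)) to a list of Data Source Role Name values so that pending MRS associations can be spotted before assuming permission management is in effect. It is not part of DataArts Studio; the association rows are constructed, and for GaussDB(DWS) only the documented name shape is compared because the page gives no pending format for DWS.

```python
import re

# MRS: "<Role name>_<timestamp>"; 10 digits = not yet synchronized,
# 13 digits = synchronized. Role names may themselves contain underscores,
# so the greedy `.+` keeps everything before the final "_<digits>".
_MRS_NAME = re.compile(r"^(?P<role>.+)_(?P<ts>\d{10}|\d{13})$")

# GaussDB(DWS): "dataarts_studio_role_<Role name>". The page gives no
# pending/synchronized distinction for DWS, so only the shape is checked.
_DWS_PREFIX = "dataarts_studio_role_"


def mrs_sync_status(data_source_role_name):
    """Return (status, role) for an MRS data source role name.

    status is "synchronized", "pending" or "unknown" (name not in the
    documented format).
    """
    m = _MRS_NAME.match(data_source_role_name)
    if not m:
        return "unknown", None
    status = "synchronized" if len(m.group("ts")) == 13 else "pending"
    return status, m.group("role")


def dws_expected_name(role_name):
    """Data source role name DataArts uses for a GaussDB(DWS) role."""
    return _DWS_PREFIX + role_name


def audit(associations):
    """Classify each (source, DataArts role, data source role name) triple.

    Names that have the right shape but carry a different DataArts role
    name are flagged as "name-mismatch"; such rows deserve a second look
    before a synchronization result is trusted.
    """
    report = []
    for source, role, ds_name in associations:
        if source == "MRS":
            status, parsed_role = mrs_sync_status(ds_name)
            if status != "unknown" and parsed_role != role:
                status = "name-mismatch"
        elif source == "DWS":
            status = "synchronized" if ds_name == dws_expected_name(role) else "name-mismatch"
        else:
            status = "unsupported-source"   # page: only MRS and DWS are supported
        report.append((source, role, status))
    return report


# Constructed sample, as it might be read off the Data Source Role
# Associations tab (all values invented for this example).
SAMPLE_ASSOCIATIONS = (
    ("MRS", "analyst", "analyst_1714300000"),           # 10 digits: pending
    ("MRS", "analyst_ro", "analyst_ro_1714300000123"),  # 13 digits: synchronized
    ("MRS", "etl", "etl_job_1714300000123"),            # belongs to another role
    ("DWS", "analyst", "dataarts_studio_role_analyst"),
    ("DWS", "etl", "etl"),                              # prefix missing
)


def pending_roles(associations=SAMPLE_ASSOCIATIONS):
    """DataArts role names whose MRS synchronization has not completed."""
    return [role for source, role, status in audit(associations) if status == "pending"]


if __name__ == "__main__":
    for row in audit(SAMPLE_ASSOCIATIONS):
        print(*row)
```

Because the text says Ranger needs about five minutes after a successful synchronization before permission management takes effect, a row still classified as "pending" is a reason to wait and re-check rather than to re-run the synchronization.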