Enabling Account Mapping
If fine-grained authentication and account mapping policies are not enabled, the data source uses the account of the data connection for authentication by default during script execution and job tests in DataArts Factory. Therefore, user permission management enabled through roles or permission sets does not take effect for data development.
If account mapping policies are enabled, the data source does not use the account of the data connection for authentication during script execution and job tests. Instead, the current user identity is mapped to an MRS system account or LDAP account which is used for authentication. In this way, different users have different data permissions.

- Fine-grained authentication and account mapping are similar in application scenarios and cannot be both enabled. Differences Between Fine-grained Authentication and Account Mapping compares the two functions from different dimensions. In practice, you are advised to enable either of them.
- In the new version mode, account mapping is supported only in the enterprise version. In the old version mode, this function is supported in the basic version or an advanced version.
Prerequisites
- Required data permissions have been configured for the MRS system account or LDAP account before account mapping policies are enabled. This prevents service interruptions due to insufficient data permissions.
Notes and Constraints
- Currently, account mapping in development mode supports only MRS Hive, MRS SPARK, MRS Impala, and MRS Hetu data connections in proxy mode. If the connection type of an MRS Hive or MRS Spark data connection is changed, for example, from proxy to API, account mapping will become invalid.
- Account mapping is supported only when the version of the CDM cluster selected for the agent in the data connection is 2.10.0.300 or later.
- Only the DAYU Administrator, Tenant Administrator, or data security administrator has the permission to create an account mapping policy and configure account mapping.
- When modifying an account mapping policy, a DAYU User user can only change the mapping rule, but cannot change other information such as the mapping type and default access identity.
- Account mapping policies take effect for all workspaces of a DataArts Studio instance. Therefore, only one account mapping policy of a mapping type can be created for a cluster.
- During the configuration of the mapping list of an account mapping policy, the system does not check whether there is an MRS system account or LDAP account and whether the password is correct. If you configure an incorrect username or password, the account mapping fails. The system can check the username and password configured by the default access identity.
Configuring an Account Mapping Policy
An account mapping policy consists of three parts: The first part is basic information. The second part is the default access identity. If an IAM account is not configured in the cluster's account mapping, the default access identity is used. The third part is the cluster's account mapping, which means setting mapping accounts for IAM users.
- On the DataArts Studio console, locate a workspace and click DataArts Security.
- In the navigation pane on the left, choose Permission Applications. On the displayed page, click the Account Mapping tab.
- On the Account Mapping page, click Create.
Figure 1 Configuring an account mapping policy
- Configure parameters based on Table 1 and then click Submit.
Table 1 Parameters Parameter
Description
*Policy Name
Name of the account mapping policy, which is unique in an instance.
You should include the meaning of the permission set and avoid meaningless descriptions in the name so that the account mapping policy can be quickly identified.
*Cluster Type
You do not need to set this parameter. Currently, only MRS is supported.
*Cluster
MRS cluster. Only one account mapping policy of a mapping type can be created for a cluster.
*Mapping Type
Account mapping type. Only one account mapping policy of a mapping type can be created for a cluster.
- System account mapping: The current IAM account is mapped to an MRS system account. This option is displayed by default.
- LDAP account mapping: The current IAM account is mapped to an LDAP account. This option may or may not be displayed, depending on whether LDAP is enabled for MRS Hive and MRS Impala data connections.
System account mapping
*Default Access Identity
Default account mapped to a system account. If no mapped account is configured for an IAM account, the default access identity is used for authentication.
- Data connection account: The MRS system account in the connection is used for authentication and no mapping is required.
- MRS System account: The configured default MRS system account is used for authentication.
- Mapped account with the same name: The MRS system account with the same name as the current IAM account is used for authentication.
KMS Key
KMS key used to encrypt and decrypt authentication information. Select a default or custom key.
Username
This option is displayed when MRS System account is selected for Default Access Identity.
For IAM accounts for which no account mapping is configured, this
MRS system account is used for authentication.
The system does not check whether the account exists or whether the password is correct. If the username or password is incorrect, the account mapping fails.
Password
FusionInsight Manager Account
This option is displayed when the selected MRS cluster is a security cluster and Mapped account with the same name is selected for Default Access Identity.- The FusionInsight account configured for an MRS Hive or MRS Spark connection must have the Manager User management permission.
- The FusionInsight account configured for an MRS Hetu connection must have the permissions of the hetuadmin user group, and the cluster version must be MRS 3.3.0-LTS or later.
The system does not check whether the account exists or whether the password is correct. If the username or password is incorrect, the account mapping fails.
Password
LDAP account mapping
*Default Access Identity
Default account mapped to a system account. If no mapped account is configured for an IAM account, the default access identity is used for authentication.
- Data connection account: The LDAP account in the connection is used for authentication and no mapping is required.
- LDAP account: The configured default LDAP account is used for authentication.
KMS Key
KMS key used to encrypt and decrypt authentication information. Select a default or custom key.
Username
This option is displayed when LDAP account is selected for Default Access Identity.
For IAM accounts for which account mapping is not configured, this LDAP account is used for authentication.
The system does not check whether the account exists or whether the password is correct. If the username or password is incorrect, the account mapping fails.
Password
Cluster Account Mappings
IAM User
IAM users for which an account mapping rule will be configured. For IAM users not configured here, the default access identity is used for authentication.
MRS System User/LDAP account
MRS system user or LDAP account to be mapped and its password
MRS System User Password/LDAP password
Operation
Click Delete to delete a mapping rule and click Add to add one.
A DAYU User can only change their own mapping rule when modifying an account mapping policy.
Figure 2 Creating an account mapping policy
Enabling Account Mapping
After configuring an account mapping policy, you must enable it on the Fine-grained permission applications page for the policy to take effect.
- On the DataArts Studio console, locate a workspace and click DataArts Security.
- In the navigation pane on the left, choose Permission Applications. On the displayed page, click the Fine-grained permission applications tab.
- On the Fine-grained permission applications page, test the account mapping connectivity for the data connection for which you want to enable account mapping.
During the account mapping connectivity test, the system maps the current user identity to an MRS system account or LDAP account based on the account mapping policy before accessing the data source to ensure successful access.Figure 3 Testing account mapping connectivity
- After the account mapping connectivity test is successful, select Account mapping in development mode enabled for Fine-grained Authentication Status. Then the system automatically selects the corresponding account mapping policy based on the cluster of the data connection and enables account mapping for the connection.
Figure 4 Enabling account mapping
Differences Between Fine-grained Authentication and Account Mapping
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot