
User management in Pivot

There are several ways to manage Pivot users. Pivot's built-in user management features let you create and authorize user accounts that are native to Pivot.

Alternatively, you can set up external authentication via LDAP or OIDC, and map user properties to Pivot roles and permissions. For details on those mechanisms, see the documentation on managing users with LDAP and OIDC.

Managing permissions and roles

Every user within Imply can belong to one or more roles. A role is a collection of permissions that the user has access to. Some roles are created by default but the set of roles can be modified to fit specific use cases.

The roles can be managed from the settings view.


You can edit an individual role and assign different permissions to it. It is not possible to edit the super-admin role which permits all actions.


Within a given role, you can add and remove the permissions that are granted to the users associated with that role. A user's permissions are the union of the permissions from all the roles assigned to that user.

The possible permissions, grouped by category, are:

System permissions

| Permission | Description |
| --- | --- |
| ManageConnections | Grants permission to manage database connections from the "Connections" tab in the Settings UI. |
| ManageApiTokens | Grants permission to create and delete API tokens when API access is configured. |
| ConfigureLookAndFeel | Grants permission to see the "Advanced" tab in the Settings UI where certain look and feel related changes can be made. |

Users & Roles

| Permission | Description |
| --- | --- |
| ManageUsers | Grants permission to create, modify, and delete users. Note that users cannot create or modify a user to have more permissions than they have. |
| ManageUserRoles | Grants permission to create, modify, and delete user roles. Note that users will not be able to create or modify a role which grants additional permissions that they do not possess. |
| ImpersonateUsers | Grants permission to impersonate other users. Note that users will not be able to impersonate users who have been granted permissions that the impersonating user does not have. |
| ManagePasswords | Grants permission to reset user passwords. |
| ManageUserStates | Grants permission to disable and lock user accounts. |
| SeeOtherUsers | Grants permission to see the other users in the system when sharing. |

Datasources

| Permission | Description |
| --- | --- |
| AccessDatasets | Grants permission to access the Data tab. |
| ManageDatasets | Grants permission to access the Druid console. |

Data cubes and dashboards

| Permission | Description |
| --- | --- |
| AccessVisualization | Grants permission to access the Visualize tab. |
| AdministerDataCubes | Grants permission to view and manage all data cubes irrespective of their sharing and access configuration. |
| CreateDataCubes | Grants permission to create and duplicate data cubes within the access granted via the individual configuration. |
| ChangeDataCubes | Grants permission to modify and delete data cubes within the access granted via the individual configuration. |
| AdministerDashboards | Grants permission to view and manage all dashboards irrespective of their sharing and access configuration. |
| ChangeDashboards | Grants permission to create, modify, and delete dashboards within the access granted via the individual configuration. |
| QueryRawData | Grants permission to see the raw unaggregated data behind a data cube visualization. Note that this permission is independent from the AccessSQL permission. A user without the QueryRawData permission can still query raw data via the SQL tab if they have the AccessSQL permission. |
| DownloadData | Grants permission to download a limited number of rows (up to a configurable limit) for a data cube. The download limit is set to 5000 rows by default. For more information, see Data export. |
| DownloadLargeData | Grants permission to download an unlimited number of rows for a data cube. For more information, see Data export. |
| MonitorQueries | Grants permission to monitor database queries that Pivot data cubes and dashboards issue under the hood. |

SQL Queries

| Permission | Description |
| --- | --- |
| AccessSQL | Grants permission to access the SQL tab. Note that users with SQL access can effectively perform arbitrary queries. |
| AdministerSavedQueries | Grants permission to see and modify all saved SQL queries. |

Alerts

| Permission | Description |
| --- | --- |
| AccessAlerts | Grants permission to access the Alerts tab. |
| AdministerAlerts | Grants permission to view and manage all alert configurations irrespective of their sharing and access configuration. |
| ChangeAlerts | Grants permission to create, modify, and delete alerts within the access granted via the individual configuration. |
| CreateElevatedAlerts | Grants permission to override the Minimum alert frequency and Minimum alert timeframe settings on a data cube. See Managing data cubes and Alerts for more information. |
| ManageAlertsWebhooks | Grants permission to configure alerts to send webhook notifications. |

Reports

| Permission | Description |
| --- | --- |
| AccessScheduledReports | Grants permission to access the Reports tab. |
| AdministerScheduledReports | Grants permission to view and manage all report configurations irrespective of their sharing and access configuration. |
| ChangeScheduledReports | Grants permission to create, modify, and delete reports within the access granted via the individual configuration. |

Errors

| Permission | Description |
| --- | --- |
| SeeErrorMessages | Grants permission to view UI error notifications and receive error email messages for alerts and reports as well as system errors. An alert owner must have this permission for an alert to send errors by email or webhook. |
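
The permission rules described above can be modelled for an access review. The following is an added example, not Imply's code: it computes effective permissions as the combination of all assigned roles, applies the ManageUsers limit on granting permissions, and flags accounts that lack QueryRawData but can still reach raw data through AccessSQL. The role names, user names and function names are hypothetical, and the data is constructed.

```python
# Constructed role and user assignments (not exported from a Pivot instance).
ROLES = {
    "analyst":    {"AccessVisualization", "AccessSQL"},
    "viewer":     {"AccessVisualization", "QueryRawData"},
    "user-admin": {"ManageUsers", "AccessVisualization"},
}
USERS = {
    "alice": ["analyst"],
    "bob":   ["analyst", "viewer"],
    "carol": ["user-admin"],
}

def effective_permissions(role_names, roles=ROLES):
    """Combine the permissions of every role assigned to a user."""
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms

def can_assign(actor_roles, target_roles, roles=ROLES):
    """Model of the ManageUsers rule: the actor needs ManageUsers and may not
    give the target any permission the actor does not hold."""
    actor = effective_permissions(actor_roles, roles)
    target = effective_permissions(target_roles, roles)
    return "ManageUsers" in actor and target <= actor

def raw_data_via_sql_only(role_names, roles=ROLES):
    """True when the user lacks QueryRawData but holds AccessSQL, so raw rows
    remain reachable through the SQL tab."""
    perms = effective_permissions(role_names, roles)
    return "AccessSQL" in perms and "QueryRawData" not in perms

def audit(users=USERS, roles=ROLES):
    """Return (user, finding) pairs for accounts worth a reviewer's attention."""
    findings = []
    for user, role_names in sorted(users.items()):
        if raw_data_via_sql_only(role_names, roles):
            findings.append((user, "raw data reachable via AccessSQL without QueryRawData"))
    return findings

if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```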

Role visibility

When setting up a role, it is also possible to define how this role and users assigned to this role will appear when sharing system artifacts like data cubes, dashboards, alerts, or reports using access control lists.

The visibility of the role itself in access control lists is set by the "Role visibility" dropdown. The visibility of members of the role in access control lists is set by the "Member visibility" dropdown. For each of these, there are three possible options:

  • Hidden: The role or role members will be hidden from all access control lists.
  • Visible to members of this role: The role or role members will only be visible to other members of this role in access control lists.
  • Visible to all users: The role or role members will be visible on all access control lists.

The `SeeOtherUsers` permission takes precedence over role visibility controls. Users with this permission will be able to see all roles and users in the system.

Role-level connection auth

It is also possible to set up a connection token associated with a role. This connection token will be used to communicate with the Druid cluster for all configured Pivot connections. This allows you to map Pivot roles to Druid basic-auth users, which can be set up to limit which datasources are exposed.

The auth token takes the form:

```json
{
  "type": "basic-auth",
  "username": <USERNAME>,
  "password": <PASSWORD>,
  "priority": <1-10>
}
```

The priority property is used to determine which auth token should be used when a user has multiple roles with auth tokens configured. The highest priority will take precedence. In the case of multiple auth tokens with matching properties, a deterministic alphabetic sort on the role name will be used to apply a match.
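
The selection rule above, written out as an added example (not Pivot's implementation) so that the Druid user a multi-role account ends up with can be checked before roles are assigned. It assumes that "highest priority" means the largest number and that the alphabetic tie-break picks the role name that sorts first; the role names, usernames and the `select_auth_token` function are hypothetical, and the tokens are constructed.

```python
# Constructed role-level tokens in the form shown above; passwords are placeholders.
ROLE_TOKENS = {
    "finance": {"type": "basic-auth", "username": "druid_finance",
                "password": "<PASSWORD>", "priority": 5},
    "ops":     {"type": "basic-auth", "username": "druid_ops",
                "password": "<PASSWORD>", "priority": 8},
    "audit":   {"type": "basic-auth", "username": "druid_audit",
                "password": "<PASSWORD>", "priority": 8},
}

def select_auth_token(user_roles, role_tokens=ROLE_TOKENS):
    """Return (role, druid_username) for the token that would be applied,
    or None when none of the user's roles carries a token.

    Assumptions: a larger priority number wins; equal priorities are broken
    by ascending alphabetical order of the role name.
    """
    candidates = []
    for role in user_roles:
        token = role_tokens.get(role)
        if token is None:
            continue  # role has no connection token configured
        priority = token.get("priority")
        if token.get("type") != "basic-auth":
            raise ValueError(f"role {role!r}: unsupported token type")
        if not isinstance(priority, int) or not 1 <= priority <= 10:
            raise ValueError(f"role {role!r}: priority must be an integer 1-10")
        candidates.append((role, token))
    if not candidates:
        return None
    # Sort key: highest priority first, then role name ascending.
    role, token = min(candidates, key=lambda c: (-c[1]["priority"], c[0]))
    return role, token["username"]

if __name__ == "__main__":
    print(select_auth_token(["finance", "ops", "audit"]))
```

Adding a role to a user can silently change which Druid user their queries run as, so it is worth re-running a check like this whenever role membership or token priorities change.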

Managing users

You can manage users in the Users tab in the settings.


Here you can create new users and edit and assign roles to existing users.

User impersonation

If you have the ImpersonateUsers permission, you can impersonate users from the user menu.


Imply Hybrid considerations

As in Imply Enterprise (formerly Imply Private), with Imply Hybrid (formerly Imply Cloud) you can edit an individual role and assign different permissions to it. It is not possible to edit the super-admin role, which permits all actions.

Within a given role, you can add and remove the permissions that are granted to the users associated with that role. A user's permissions are the union of the permissions from all the roles assigned to that user.

Permissions are:

  • ManageUsers - grants the ability to create, modify, and delete users. This permission is very powerful because the possessor could just change themselves to be a Super Admin.
  • ManageClusters - grants the ability to create and terminate clusters. Users without this permission will be taken straight to the visualization interface instead.
  • ManageDatasets - grants the ability to onboard new data, modify, and delete datasets within Druid.
  • AdministerDataCubes - grants the ability to see and modify data cubes irrespective of their sharing and access configuration.
  • AdministerDashboards - grants the ability to see and modify dashboards irrespective of their sharing and access configuration.
  • ChangeDataCubes - grants the ability to create, modify, and delete data cubes within the access granted via the individual configuration.
  • ChangeDashboards - grants the ability to create, modify, and delete dashboards within the access granted via the individual configuration.
  • AccessSQL - grants the ability to access the Run SQL section. Note that users with SQL access can effectively perform arbitrary queries.
  • AccessVisualization - grants the ability to access the Visualize section.
  • AccessDataset - grants the ability to access the Data manager section.