Skip to main content

User roles

To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.

Imply Hybrid Auth uses roles to manage permissions for protected resources and scopes. When a user is granted a role, they receive a permission to access a functionality associated with that role.

Types of roles

Imply User management provides predefined roles that correspond to the existing permissions in Imply, such as manage-clusters, access-datasets, and change-data-cubes. When Imply Hybrid Auth is enabled for your organization, you can manage Imply Manager and Pivot roles from the same User management console.

Imply Hybrid Auth supports the following types of roles:

  • Organization roles permit users to perform actions across the entire organization. For example, a user assigned the administer-organization role can manage users, identify providers, and configure API clients for the entire organization.
  • Environment roles permit users to perform actions within an environment. For example, a user assigned the administer-data-cubes role can view and manage all data cubes for that environment.
  • Composite roles are custom roles composed of other roles. Composite roles allow you to group other roles together to create a set of permissions. For example, you can create a composite role called Visualization Team that is comprised of administer-dashboards and administer-data-cubes roles. A user mapped to the Visualization Team role inherits all of the associated permissions. Because this inheritance is recursive, a single composite role can inherit other composite roles and all of the permissions associated with those roles.

Organization roles

Imply Hybrid Auth provides the following organization-level roles:

  • administer-organization: administer the entire organization. This includes managing users, creating API clients, and setting password policies.
  • administer-clients: create, manage, and delete API clients.

Environment roles

Imply Hybrid Auth provides the following environment-level roles:

  • access-alerts: access the Alerts tab.
  • access-clarity: access cluster monitoring data.
  • access-datasets: access the Data tab.
  • access-scheduled-reports: view and manage all report configurations irrespective of their sharing and access configuration.
  • access-sql: access the Run SQL section. Note that users with SQL access can effectively perform arbitrary queries.
  • access-visualization: access the Visualize tab.
  • administer-alerts: view and manage all alert configurations irrespective of their sharing and access configuration.
  • administer-clusters: view and manage all clusters irrespective of their sharing and access configuration.
  • administer-dashboards: view and manage all dashboards irrespective of their sharing and access configuration.
  • administer-data-cubes: view and manage all data cubes irrespective of their sharing and access configuration.
  • administer-scheduled-reports: view and manage all scheduled reports irrespective of their sharing and access configuration.
  • change-alerts: create, modify, and delete alerts within the access granted via the individual configuration.
  • change-dashboards: create, modify, and delete dashboards within the access granted via the individual configuration.
  • change-data-cubes: modify and delete data cubes within the access granted via the individual configuration.
  • change-scheduled-reports: create, modify, and delete reports within the access granted via the individual configuration.
  • configure-look-and-feel: access the Advanced tab in the Settings UI.
  • create-data-cubes: create and duplicate data cubes within the access granted via the individual configuration.
  • create-elevated-alerts: Grants permission to override the Minimum alert frequency and Minimum alert timeframe settings on a data cube. See Managing data cubes and Alerts for more information.
  • download-data: export and download data from a data cube.
  • download-large-data: download large data sets.
  • manage-alerts-webhooks: configure alerts to send webhook notifications.
  • manage-clusters: create and terminate clusters. Users without this permission are taken straight to the visualization interface instead.
  • manage-connections:manage database connections from the Connections tab in the Settings UI.
  • manage-datasets: access the Apache Druid console.
  • monitor-queries: monitor database queries that Pivot data cubes and dashboards issue under the hood.
  • query-raw-data: view the raw unaggregated data behind a data cube visualization. Note that this permission is independent from the access-sql permission.
  • see-error-messages: view UI error notifications and error email messages for alerts and reports as well as system errors.
  • see-other-users: view other users in the system when sharing.

View roles and associated users

To view all available roles and the users assigned each role, follow these steps:

  1. In the left pane, select Environments.
  2. Click on the environment with the roles you want to view.
  3. Click on the role name to view the role details and associated users.

Create a new role

To add a role, follow these steps:

  1. In the left pane, select Environments.
  2. Click on the environment you want the new role to belong to.
  3. Click Add Role.
  4. Provide a role name and description (optional). Click Save.
  5. To assign permissions to the role, enable the Composite Roles toggle in the role's Details tab. This will bring up the Composite Roles section and display all available organization and environment-level roles.
  6. From the available Organization Roles, select the roles you want to enable. Click Add selected. These roles will be available across all of the organization's environments.
  7. To assign environment-specific permissions, select the desired environment ID from the Environment Roles dropdown. This will display the roles associated with that particular environment. Make your selection and click Add selected.

Delete a role

To delete a role, click the trash icon next to the role name. This action permanently deletes the role from your environment. It does not delete the users associated with the role.