To enable Imply Cloud Auth for your organization, contact your Imply account representative.
Imply Cloud Auth uses roles to manage permissions for protected resources and scopes. When a user is granted a role, they receive permission to access the functionality associated with that role.
Types of roles
Imply User management comes configured with roles that correspond to existing permissions in Imply, such as change-data-cubes. When Imply Cloud Auth is enabled for your organization, you can manage Imply Manager and Pivot roles from the same User management console.
Imply Cloud Auth supports the following types of roles:
- Organization roles permit users to perform actions across the entire organization. For example, a user assigned the administer-account role can manage users, identity providers, and configure API clients for the entire organization.
- Environment roles permit users to perform actions within an environment. For example, a user assigned the administer-data-cubes role can view and manage all data cubes for that environment.
- Composite roles are custom roles composed of other roles. For example, you can create a new composite role called Analyst that is comprised of change-data-cubes roles. A user mapped to the manage-data-cubes role will inherit all of the associated permissions. Because this inheritance is recursive, a single composite role can inherit other composite roles and all of the permissions associated with those roles.
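An access-review check for the recursive inheritance described above, added here as an example and not Imply's own code: it expands each composite role to the predefined roles it ultimately grants and flags the broad ones. The definitions in `COMPOSITES` and the `is_sensitive` policy are constructed assumptions; only the predefined role names come from this page.

```python
# Constructed sample: composite roles as written down during an access
# review (not exported from any Imply API).
COMPOSITES = {
    "Analyst": ["access-visualization", "change-data-cubes"],
    "Power-Analyst": ["Analyst", "access-sql", "download-data"],
    "Env-Admin": ["Power-Analyst", "administer-data-cubes"],
    "Loop-A": ["Loop-B", "access-alerts"],  # cyclic pair, handled defensively
    "Loop-B": ["Loop-A"],
}
# Review policy (assumption): arbitrary SQL, raw unaggregated data, and every
# administer-* role, which applies irrespective of sharing configuration.
SENSITIVE = {"access-sql", "query-raw-data"}

def effective_roles(role, composites):
    """Return (predefined roles inherited by `role`, cycles encountered)."""
    leaves, cycles = set(), []

    def walk(name, path):
        if name in path:  # a composite that transitively includes itself
            cycles.append(path[path.index(name):] + [name])
            return
        members = composites.get(name)
        if members is None:  # not a composite: a predefined role
            leaves.add(name)
            return
        for member in members:
            walk(member, path + [name])

    walk(role, [])
    return leaves, cycles

def is_sensitive(role):
    return role in SENSITIVE or role.startswith("administer-")

def audit(composites):
    """Map each composite role to its effective and sensitive grants."""
    report = {}
    for name in composites:
        leaves, cycles = effective_roles(name, composites)
        report[name] = {
            "effective": sorted(leaves),
            "sensitive": sorted(r for r in leaves if is_sensitive(r)),
            "cycles": cycles,
        }
    return report

if __name__ == "__main__":
    for name, entry in audit(COMPOSITES).items():
        print(name, entry)
```

A composite whose own member list looks harmless can still carry access-sql or an administer-* role through a nested composite, so review the `sensitive` column rather than the direct members.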
The following table lists predefined organization roles.
|administer-account||Grants permission to administer the entire organization. This includes managing users, creating API clients, setting password policies, etc.|
|administer-clients||Grants permission to create, manage, and delete API clients.|
The following table lists predefined environment roles.
|access-alerts||Grants permission to access the Alerts tab.|
|access-clarity||Grants permission to access cluster monitoring data.|
|access-datasets||Grants permission to access the Data tab.|
|access-scheduled-reports||Grants permission to view and manage all report configurations irrespective of their sharing and access configuration.|
|access-sql||Grants permission to access the Run SQL section. Note that users with SQL access can effectively perform arbitrary queries.|
|access-visualization||Grants permission to access the Visualize tab.|
|administer-alerts||Grants permission to view and manage all alert configurations irrespective of their sharing and access configuration.|
|administer-clusters||Grants permission to view and manage all clusters irrespective of their sharing and access configuration.|
|administer-dashboards||Grants permission to view and manage all dashboards irrespective of their sharing and access configuration.|
|administer-data-cubes||Grants permission to view and manage all data cubes irrespective of their sharing and access configuration.|
|administer-scheduled-reports||Grants permission to view and manage all scheduled reports irrespective of their sharing and access configuration.|
|change-alerts||Grants permission to create, modify, and delete alerts within the access granted via the individual configuration.|
|change-dashboards||Grants permission to create, modify, and delete dashboards within the access granted via the individual configuration.|
|change-data-cubes||Grants permission to modify and delete data cubes within the access granted via the individual configuration.|
|change-scheduled-reports||Grants permission to create, modify, and delete reports within the access granted via the individual configuration.|
|configure-look-and-feel||Grants permission to see the Advanced tab in the Settings UI where certain look and feel related changes can be made.|
|create-data-cubes||Grants permission to create and duplicate data cubes within the access granted via the individual configuration.|
|download-data||Grants permission to export/download data from a data cube.|
|download-large-data||Grants permission to download large data sets.|
|manage-alerts-webhooks||Grants permission to configure alerts to send webhook notifications.|
|manage-clusters||Grants permission to create and terminate clusters. Users without this permission are taken straight to the visualization interface instead.|
|manage-connections||Grants permission to manage database connections from the Connections tab in the Settings UI.|
|manage-datasets||Grants permission to access the Druid console.|
|monitor-queries||Grants permission to monitor database queries that Pivot data cubes and dashboards issue under the hood.|
|query-raw-data||Grants permission to see the raw unaggregated data behind a data cube visualization. Note that this permission is independent from the access-sql permission.|
|see-error-messages||Grants permission to view system errors.|
|see-other-users||Grants permission to see the other users in the system when sharing.|
View roles and associated users
To view all available roles and the users assigned to each role, follow these steps:
- In the left pane, select Environments.
- Click on the environment with the roles you want to view.
- Click on a role name to view role details and associated users.
Create a new role
To add a role, follow these steps:
- In the left pane, select Environments.
- Click on the environment you want the new role to belong to.
- Click Add Role.
- Provide a role name and description (optional). Click Save.
- To assign permissions to the role, enable the Composite Roles toggle in the role's Details tab. This will bring up the Composite Roles section and display all available organization and environment-level roles.
- From the available Organization Roles, select the roles you want to enable. Click Add selected. These roles will be available across all of the organization's environments.
- To assign environment-specific permissions, select the desired environment ID from the Environment Roles dropdown. This will display the roles associated with that particular environment. Make your selection and click Add selected.
Delete a role
To delete a role, click the trash icon next to the role name. This action permanently deletes the role from your environment. It does not delete the users associated with the role.