To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.
Imply Hybrid Auth provides secure and comprehensive authentication and authorization capabilities. Imply Hybrid Auth lets you set strict password policies, configure multi-factor authentication, integrate Imply Hybrid with a third-party identity provider, and use OAuth 2.0 for API authentication. It brings all of your Imply Hybrid accounts under one organization, making administration easier.
Imply Hybrid Auth lets you control access to Imply components, including Imply Manager, Pivot, and Clarity, across Imply Hybrid environments in your organization.
The following are key concepts of Imply Hybrid Auth:
User management: A web interface for setting up, monitoring, and managing user access. It encapsulates access settings across an organization.
Organization: An organization is a top-level entity that maps to an Imply customer. When you first sign up for Imply Hybrid, an organization is created for you automatically. You log in to the organization to manage and authenticate users, set credentials, define roles and groups, and perform other actions. All organizations are isolated from one another and can only manage and authenticate the users that they control.
Environment: An environment represents a complete Imply deployment to an individual AWS VPC. An organization can have one or more environments. This is useful when you need to maintain separate environments; for example, for production and staging, or to support data in different AWS regions.
Groups: Groups let you assign and manage roles for a set of users collectively, instead of mapping roles to users individually. When you add a member to a group, that member inherits all attributes and role mappings that the group defines.
Role: A role is a permission to perform certain actions in Imply Hybrid. For example, the administer-data-cubes role lets you view and manage all data cubes and the monitor-queries role makes it possible to monitor Pivot's database queries. Roles associate permissions to users or groups within the context of an environment, giving you the flexibility to control user permissions for each deployment. For example, a user can have admin permissions in staging but not in a production environment.
The following figure depicts the sample scenario:
Mappers: Mappers associate a user's attribute or property from an external identity provider to a particular role in Imply. For example, you can map users in an admin group in Okta to an admin role in Imply.
OAuth Client: An API client that contains a name (ID), a secret, and a token used to authenticate API requests.
Session: A session is created when a user logs in to an environment. A session contains information such as active users, their IP addresses, and when they last logged in. Both admins and users can view session information.
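To make the relationship between groups, environment-scoped roles, and mappers concrete, the following is an added example, not Imply's code or API: a small Python model that computes a user's effective roles per environment and records which path granted each one. The data structures, the user, group, and identity provider group names are all hypothetical; only the role names administer-data-cubes and monitor-queries come from the text above.

```python
from collections import defaultdict

# Constructed sample data; every name below is hypothetical except the two
# role names taken from the text.
DIRECT_ROLES = {  # user -> environment -> roles mapped to the user directly
    "alice": {"staging": {"administer-data-cubes"}},
}
GROUP_ROLES = {  # group -> environment -> roles every member inherits
    "analysts": {"production": {"monitor-queries"}, "staging": {"monitor-queries"}},
}
GROUP_MEMBERS = {"analysts": {"alice", "bob"}}
# Mapper: external identity provider group -> (environment, role)
MAPPERS = {"okta-admins": [("staging", "administer-data-cubes")]}
IDP_GROUPS = {"bob": {"okta-admins"}}  # attribute asserted by the external IdP


def effective_roles(user):
    """Return {environment: {role: [sources]}} so each grant is explainable."""
    result = defaultdict(lambda: defaultdict(list))
    for env, roles in DIRECT_ROLES.get(user, {}).items():
        for role in roles:
            result[env][role].append("direct")
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for env, roles in GROUP_ROLES.get(group, {}).items():
                for role in roles:
                    result[env][role].append(f"group:{group}")
    for idp_group in IDP_GROUPS.get(user, ()):
        for env, role in MAPPERS.get(idp_group, []):
            result[env][role].append(f"mapper:{idp_group}")
    return {env: dict(roles) for env, roles in result.items()}


def users_with_role(role, env):
    """Audit helper: who holds `role` in `env`, and through which path."""
    users = set(DIRECT_ROLES) | set(IDP_GROUPS)
    for members in GROUP_MEMBERS.values():
        users |= members
    found = {}
    for user in sorted(users):
        sources = effective_roles(user).get(env, {}).get(role)
        if sources:
            found[user] = sources
    return found
```

Running `users_with_role` for an administrative role against each environment is a quick way to review who holds it and whether the grant came from a direct mapping, a group, or an identity provider mapper.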
User management console
The User management console is where you manage user access settings, configure authentication policies, create user groups, and connect third-party identity providers for Imply Hybrid.
To access the User management console from Imply Manager, click on the profile menu in the top right corner. Select User management from the list of menu options.
User profile settings
As an end user, after logging in, you can access your personal settings from the User management console by clicking the profile icon or your username at the top of the page and selecting Manage account. Personal settings include personal information, account security, and applications. Applications refer to the different Imply Hybrid environments you have access to.
It is important to understand how Imply Hybrid Auth relates to other user management mechanisms in the Imply technology stack. When running on-premises or in detached Pivot mode, you can provision users for Pivot separately, as described in Access control for Pivot. Similarly, the Druid engine has its own authorization and authentication mechanism, as described in Druid operations topics. Imply Hybrid Auth encompasses both of these methods so that you can control access to Pivot, Druid, and the Imply Manager from a single place.
The following are the setup and administrative tasks you can perform when using Imply Hybrid Auth:
- Configure local users
- Configure an external identity provider integration, so that you can rely on user data from a single source for your organization, with specific instructions for:
- Understand roles and permissions in Imply Hybrid Auth.
- Configure multi-factor authentication.
- Configure password retry attempts and, more generally, defenses against brute force attacks.
- Reset passwords and terminate user sessions.
- Set up client API authentication tokens.
Many of the configuration settings apply at the organization level, but you can configure user-level settings as well. For any user, you can configure role mappings and groups, manage sessions and configure multi-factor authentication (via OTP), require password update, and verify email: