skip to main content
Administering Hybrid Data Pipeline : Permissions and default roles
  

Try Now

Permissions and default roles

Hybrid Data Pipeline user accounts are required to have at least one role. A user account with a given role inherits all the permissions associated with that role. Roles can be assigned and managed either through the Users API or the Web UI. However, the users API must be used to associate a permission directly with a user account. The permissions for a user account are the sum of the permissions granted to the role(s) associated with the account and the permissions granted explicitly on the account.
Hybrid Data Pipeline provides three default roles in the system tenant: System Administrator, Tenant Administrator, and User. As detailed in the table below, the System Administrator role has all permissions, the Tenant Administrator role has tenant and user permissions, and the User role has only user permissions. These roles cannot be deleted, and only the users associated with them can be modified.
When building out a Hybrid Data Pipeline environment, it can be useful for administrators to consider permissions in terms of the following categories.
*User permissions support the ability of users to create and manage their own data sources directly through the Web UI, the Management API, or both.
*Tenant permissions support the ability of administrators to provision and manage users. The OnBehalfOf permission allows administrators to create and manage resources on behalf of users. This on-behalf-of functionality allows administrators to obscure or conceal the service from users.
*Elevated permissions support the ability of administrators to use administrative features, such as throttling and logging. The operations associated with these permissions can affect all users of the system and may not be isolated on a tenant-by-tenant basis.
Important: To administer user accounts and other resources that belong to a tenant, a tenant administrator must be given explicit administrative access to the given tenant. In the Web UI, administrative access to a tenant can be granted by editing a user account via the Manage Users view. With the API, administrative access can be granted either by updating the tenants administered for a user via the Users API or by updating the list of administrators for a tenant via the Tenant API.
Note: A subset of permissions can be set on data sources. See Data source permissions for details.
Permission
System admin
Tenant admin
User
Category
ID
Description
CreateDataSource
x
x
x
user
1
May create new data sources
ViewDataSource
x
x
x
user
2
May view the details of any data source they own
ModifyDataSource
x
x
x
user
3
May modify or update any data source they own
DeleteDataSource
x
x
x
user
4
May delete any data source they own
UseDataSourceWithJDBC
x
x
x
user
5
May connect to any data source they own with the JDBC driver
UseDataSourceWithODBC
x
x
x
user
6
May connect to any data source they own with the ODBC driver
UseDataSourceWithOData
x
x
x
user
7
May make OData requests to any data source they own
WebUI
x
x
x
user
8
May use the Web UI with data sources they own. Operations on the data source through the Web UI will be limited based on the permissions they have been granted
ChangePassword
x
x
x
user
9
May use the Web UI to change their password
SQLEditorWebUI
x
x
x
user
10
May query the data sources they own with the SQL Editor in the Web UI
MgmtAPI
x
x
x
user
11
May use the Management API
CreateUsers
x
x
tenant
13
May create users in administered tenants
ViewUsers
x
x
tenant
14
May get lists of users and their information in administered tenants
ModifyUsers
x
x
tenant
15
May modify user information in administered tenants
DeleteUsers
x
x
tenant
16
May delete users in administered tenants
CreateRole
x
x
tenant
17
May create roles in administered tenants
ViewRole
x
x
tenant
18
May get lists of roles and their information in administered tenants
ModifyRole
x
x
tenant
19
May modify role information in administered tenants
DeleteRole
x
x
tenant
20
May delete roles in administered tenants
OnBehalfOf
x
x
tenant
21
May use ?user=<user> to manage user's data sources in administered tenants
Configurations
x
elevated
22
May view and modify system configuration values
CORSwhitelist
x
elevated
23
May view and modify the CORS whitelist
Logging
x
elevated
24
May view and modify logging settings
TenantAPI
x
elevated
25
May use the Tenant API to create, view, modify or delete tenants
RegisterExternalAuthService
x
elevated
26
May create, view, modify, or delete authentication services in administered tenants
Limits
x
elevated
27
May see and modify limit values for administered tenants, users in administered tenants, and data sources of users in administered tenants
OAuth
x
elevated
28
May specify and update OAuth information that a data source uses for authentication
IPWhiteList
x
elevated
29
May create, view, modify or delete IP whitelists
Administrator
x
system admin
12
May use the Administrator API. A user with the Administrator permission has all permissions and access privileges across the system. This permission can only be granted to a user in the system tenant.