User provisioning

Once a tenant architecture has been established as described in Tenant architectures, a Hybrid Data Pipeline administrator can proceed with provisioning users. User accounts can be created and managed either through the Web UI or using Hybrid Data Pipeline APIs. User accounts must have at least one assigned role. A role is defined by the permissions that are associated with it. Users can be provisioned to have either direct access to the Hybrid Data Pipeline service or query-only access to Hybrid Data Pipeline data sources. Whether a user is a direct-access or query-only user depends on the role assigned and its associated permissions.
* Direct-access user
* Query-only user
* Administrator permissions
* User provisioning scenarios

Direct-access user

A direct-access user is a user the administrator has provisioned with direct access to the service to create, manage, and query data sources. The following workflow describes how access to data may be established for a direct-access user.
1. The administrator creates a role for a direct-access user.
2. The administrator creates a user account for the direct-access user.
3. The direct-access user creates a data source through either the Web UI or the Data Sources API.
Note: Alternatively, administrators can create their own data sources and share them with users or create data sources on behalf of users.
4. Data source connection information is integrated into a client-side application or BI tool.

Query-only user

An administrator can limit user access such that users can run applications against Hybrid Data Pipeline data sources, but not access Hybrid Data Pipeline directly. In this scenario, the administrator must not only provision user accounts, but also create the data sources against which queries will be made. The data source information may then be supplied either directly to the query-only user, or integrated into the client application such that data access is transparent to the application end user. Thus, client applications are given access to backend data stores, while users and developers on the client side do not otherwise have access to Hybrid Data Pipeline.
When provisioning users for query-only access to Hybrid Data Pipeline data sources, administrators can manage data sources in two distinct ways.
* First, they can create a data source themselves, and then share the data source with one or more user accounts. In this case, the data source information, including connection information, is the same for all accounts querying the data source. Hence, sharing data sources can be used to support general access to a backend data store when access to the data is the same across multiple end users. For example, an administrator might create a data source to support the use of a reporting tool. Multiple end users across the organization use the tool to run reports against the backend data store. In this case, connection information associated with the data source can be integrated with the reporting tool. Hybrid Data Pipeline may be entirely transparent to the users running the reports. However, the reporting tool uses the Hybrid Data Pipeline data source to access the backend data. Administrators can share data sources either through the Data Sources API or the Web UI.
* Second, the administrator can create a data source on behalf of a user account. In this scenario, the data source is owned by the user account, and the data source information is unique to the account. Therefore, creating data sources on behalf of users should be used in scenarios where access to backend data must be unique for each user. For example, a backend data store might have row-level security measures on an Employee database such that managers are only able to access information for the employees they manage. In this case, an administrator would create data sources on the backend data store that are unique to each manager based on each manager's credentials. Administrators must use the Hybrid Data Pipeline API to create data sources on behalf of users.
The following workflow describes how access to data may be enabled for a query-only user.
1. The administrator creates a role for the query-only user.
2. The administrator creates a user account for the query-only user.
3. The administrator uses either of the following methods to create a Hybrid Data Pipeline data source for the query-only user.
a. The administrator creates a data source through either the Web UI or the Data Sources API. The administrator then shares the data source with the query-only user based on the rules and guidelines in Sharing data sources.
b. The administrator creates a data source on behalf of the query-only user as described in the Data Sources API and Managing resources on behalf of users.
4. Data source connection information is integrated into a client-side application or BI tool.

Administrator permissions

The ability of an administrator to provision users depends on the administrator's permissions and administrative access to a given tenant. A system administrator – defined as a user with the Administrator (12) permission – can provision users across any tenant in the system. An administrator who does not have the Administrator (12) permission must meet the following requirements to provision users.
* WebUI (8) permission must be granted if the administrator is using the Web UI to provision users.
* Administrative access to the tenant. In the Web UI, administrative access to a tenant can be granted by editing a user account via the Manage Users view. With the API, administrative access can be granted either by updating the tenants administered for a user via the Users API or by updating the list of administrators for a tenant via the Tenant API.
* The permission corresponding to the specific operation. For example, the administrator must have the CreateUsers (13) permission to create a user account, or the DeleteUsers (16) permission to delete a user account.
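The rules above can be modeled as a small check for auditing which administrators are able to provision users in which tenants. This is an added example, not Hybrid Data Pipeline code and not a call to its API: the Admin record, the operation labels, the function names, and the sample accounts and tenants are assumptions made for illustration. Only the permission IDs come from this page.

```python
from dataclasses import dataclass, field

# Permission IDs as quoted on this page.
ADMINISTRATOR, WEB_UI, CREATE_USERS, DELETE_USERS = 12, 8, 13, 16
# Operation labels are this example's own; the page names only these two.
OPERATION_PERMISSION = {"create_user": CREATE_USERS, "delete_user": DELETE_USERS}


@dataclass
class Admin:  # hypothetical record, not a Hybrid Data Pipeline object
    name: str
    permissions: set
    administered_tenants: set = field(default_factory=set)


def missing_requirements(admin, operation, tenant, via_web_ui=False):
    """Return the unmet requirements; an empty list means the action is allowed."""
    if ADMINISTRATOR in admin.permissions:
        return []  # system administrator: any tenant, per the page
    missing = []
    if via_web_ui and WEB_UI not in admin.permissions:
        missing.append("WebUI (8) permission")
    if tenant not in admin.administered_tenants:
        missing.append(f"administrative access to tenant {tenant!r}")
    needed = OPERATION_PERMISSION[operation]
    if needed not in admin.permissions:
        missing.append(f"permission {needed} for {operation}")
    return missing


def audit(admins, tenants, via_web_ui=False):
    """Map each admin to the sorted (tenant, operation) pairs they can perform."""
    return {
        a.name: sorted(
            (t, op) for t in tenants for op in OPERATION_PERMISSION
            if not missing_requirements(a, op, t, via_web_ui)
        )
        for a in admins
    }


# Constructed sample data: one system administrator, one tenant administrator.
SAMPLE_ADMINS = [
    Admin("sysadmin", {ADMINISTRATOR}),
    Admin("tenant_a_admin", {CREATE_USERS}, {"TenantA"}),
]
SAMPLE_TENANTS = ["TenantA", "TenantB"]

if __name__ == "__main__":
    for name, allowed in audit(SAMPLE_ADMINS, SAMPLE_TENANTS).items():
        print(name, allowed)
```

Comparing the audit output against the intended delegation shows accounts that hold Administrator (12) where tenant-scoped access plus a single operation permission would be sufficient.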

User provisioning scenarios

The following topics describe a number of Hybrid Data Pipeline user provisioning scenarios.
* Provisioning users with the Web UI
* Provisioning users with Hybrid Data Pipeline APIs
* Managing permissions with Hybrid Data Pipeline APIs