Create groups, users or roles

Data Studio has a sophisticated and advanced security model. You can control not only who can perform what operations, but also the level of access that users will have to specific Data Studio objects (e.g. Workflows).

Roles are used to control the operations that a user can perform in a Data Studio environment. Permissions are defined for Spaces to control access to objects.

Groups

A group would typically contain a set of users who do similar work. Groups make it easier to assign permissions and each user can optionally be added to more than one group.

Users with the 'Manage User Groups' capability in their role can create new and manage existing groups by going to System > Groups. A group must have at least one manager, and only the manager can assign other users to that group.

Users

From a licensing perspective, there are two types of users:

  • Designer – can 'Access Designer Interface' and optionally have access to admin settings such as managing users.
  • Data Consumer – can only access a simplified interface with Dashboard reports that have been shared with them. If a report contains a data grid, Data Consumers will also be able to explore and manipulate this data (e.g. profile, sort or group). Data Consumers have no access to any other pages (Workflows, Datasets, Views, etc.).

To see how many users you're licensed for, view your license information.

To create a new user:

  1. Go to System > Users.
  2. Click on Create new user.
  3. Enter a unique email.
  4. Set the username.
  5. Set the user as enabled or disabled.
  6. (Optional) Set the user as an Installation manager.
  7. Enter and confirm the password.
  8. Optionally, assign one or more user roles.

Users can be assigned one or more roles. If you have more than one Data Studio Environment, a user has to be assigned at least one role in that Environment to access it. Users can have different roles in different Environments.

To let you control access to specific Data Studio objects such as Datasets, Views, Workflows or Functions, we use Spaces. Work and data are contained within a defined Space and users have to be explicitly granted access to that Space to access it.

Super admin

For security reasons, Data Studio has a built-in user account (username 'administrator') that can't be deleted. This account is a permanent Installation manager user and can manage and access all Environments, so the 'Manage Environments' screen will always be shown when logging in as this user. The roles and capabilities of the super admin user cannot be edited.

The super admin user does not count towards the number of licensed users.

The authentication mechanism can't be changed for the super admin. Find out how to reset the super admin's password.

LDAP users

If LDAP security is configured, the authentication mechanism can be selected from the drop-down that appears on the Create new user screen.

To create a user authenticated via LDAP:

  1. Go to System > Users.
  2. Click on Create new user.
  3. Change 'Authentication mechanism' to LDAP and MS Active Directory.
  4. Add a unique LDAP ID in one of these formats:
    • username@domain.
    • domain\username.
    • fully qualified X500 directory specification, for example: cn=name,ou=orgunit,dn=domain.
  5. Optionally, add email. Note that the email address can be used for login as well as LDAP ID, and it should be globally unique.
  6. Set the username.
  7. Optionally, assign one or more user roles.

Roles

A role is a collection of capabilities. Each user can be assigned multiple roles (in which case the capabilities in each role are additive). The user's role is specific to an Environment, so if you have more than one, you can assign different roles to the same user in each Environment.

You can create your own roles and assign capabilities to them. Users with the 'Manage Roles and Permissions' capability can create roles and modify capabilities for existing roles.

To view and manage roles:

  1. Go to System > Roles. This will display the current roles.
  2. Click Manage permissions to view the capabilities defined for each role.
  3. If you have the 'Manage Roles and Permissions' capability, you will also have the option to Create new role here. When viewing role permissions, you will be able to Edit roles to assign different permissions to them.

For example, if you want to restrict who can download CSV files, you can create a 'CSV downloader' role with a single capability of 'Download data' (and if required, remove it from the 'Administrator' and 'Designer' roles).

Role managers

You can restrict which users can assign a role: select the Only allow role managers to assign option and add one or more users to the Managers list. Only users in this list will be able to assign this role to other users.

If this option isn't selected for a role, users with the 'Manage Users' capability will also be able to assign that role to users. For example, you may want to restrict who can apply the Administrator role to users.
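
The additive role model and the role-manager restriction described above can be checked against an inventory of roles and assignments. The following is an added example, not part of the product or its documentation: the inventory layout, the user names, the choice of "sensitive" capabilities and all function names are assumptions, and it assumes a listed role manager can assign the role without further conditions.

```python
# Added example. ROLES/ASSIGNMENTS are a constructed inventory in a hypothetical
# layout (not a Data Studio export); capability names are taken from this page.
SENSITIVE = {"Manage Users", "Manage Roles and Permissions",
             "Change All Users' Passwords", "Manage Authentication Type"}

# managers=None models "Only allow role managers to assign" left unselected.
ROLES = {
    "Administrator": {"caps": {"Access Designer Interface", "Manage Users",
                               "Manage Roles and Permissions", "Download data"},
                      "managers": None},
    "User admin": {"caps": {"Access Designer Interface", "Manage Users"},
                   "managers": None},
    "CSV downloader": {"caps": {"Download data"}, "managers": {"alice"}},
    "Report viewer": {"caps": set(), "managers": None},
}
# user -> Environment -> role names (roles are assigned per Environment)
ASSIGNMENTS = {
    "alice": {"prod": ["Administrator"], "test": ["Report viewer"]},
    "bob": {"prod": ["User admin", "CSV downloader"]},
    "carol": {"prod": ["Report viewer"]},
}

def effective_capabilities(user, env):
    """Union of the capabilities of every role the user holds in env."""
    caps = set()
    for role in ASSIGNMENTS.get(user, {}).get(env, []):
        caps |= ROLES[role]["caps"]
    return caps

def can_assign(assigner, role, env):
    """Managers list decides when set; otherwise 'Manage Users' is enough."""
    managers = ROLES[role]["managers"]
    if managers is not None:
        return assigner in managers
    return "Manage Users" in effective_capabilities(assigner, env)

def assignment_overreach(env):
    """Users able to hand out a role carrying sensitive capabilities they lack."""
    findings = []
    for user in ASSIGNMENTS:
        held = effective_capabilities(user, env)
        for role, spec in ROLES.items():
            gained = (spec["caps"] & SENSITIVE) - held
            if gained and can_assign(user, role, env):
                findings.append((user, role, sorted(gained)))
    return findings

if __name__ == "__main__":
    print(assignment_overreach("prod"))
```

In this constructed inventory the only finding is bob, who holds 'Manage Users' and can therefore hand out the unrestricted Administrator role; giving that role a Managers list clears it.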

Capabilities

A capability is an operation that you can assign to a role. You can assign one or more capabilities to a role, as required.

| Permission | Group | Users with this capability in their role will be able to: |
|---|---|---|
| Access Designer Interface | General | Log into Data Studio as a Designer user. Without this capability, any user will only have access to the simplified Data Consumer interface. If a role is given this capability then enabled users assigned to that role will be deducted from the Designer license limit. Otherwise they will be deducted from the Consumer count. |
| Create and Edit Spaces | General | Create new Spaces, and edit Space details (including assigning access to the Space for other users). |
| View Datasets | Dataset Management | Access Datasets, and create Datasets by loading files or External system sources. Without this capability Datasets can only be created using the Take Snapshot step, but even then they will not be visible. |
| Create and Edit Datasets | Dataset Management | Edit the details of an existing Dataset and add a new Dataset, either in the Datasets screen or by using the Take Snapshot step. Without this capability new batches of data can still be added to an existing Dataset. |
| Upload Dataset file | Dataset Management | Upload their own files when creating or updating a Dataset. Without this capability Datasets can only be created from External systems, files in the Server import directory, or from the Take Snapshot step. |
| Create and Edit Views | Dataset Management | Edit, clone or share existing Views, or create a new View. |
| Create and Edit Charts | Dataset Management | Create, edit, clone or share existing Charts (outside of Workflow). |
| Create and Edit Data Tags | Dataset Management | View the list of existing data tags, create new tags, and manage training datasets for tags. |
| Download data | Dataset Management | Use the Download as CSV button from all data grids, and download files exported by a Workflow in the Job screen. Also copy from selected cells in the grid. Data Consumers can be assigned this capability. |
| View Workflows | Workflow Management | Access Workflows and create a new Workflow. |
| Create and Edit Workflows | Workflow Management | Create or edit Workflows. If the capability is removed, workflows are always read-only. |
| Execute Workflows | Workflow Management | Execute workflows manually, via a schedule, or using the REST API. |
| Monitor Workflows | Workflow Management | See the Jobs button in the side menu, and therefore view workflow progress and workflow execution details. |
| Create and Edit Workflow Step Settings | Workflow Management | Access Workflow Step settings to view or edit them. Without this capability Step settings can still be used in workflow steps. |
| View Functions | Function Management | View or edit user defined Functions, and include a Function in a Space that is shared from another Space. Without this capability system and user defined Functions can still be used in Workflows and Views. |
| Create and Edit Functions | Function Management | Create new user defined functions and manage existing ones. Without this capability functions cannot be made re-usable. |
| Create and Edit Function Categories | Function Management | Create new function categories and edit or delete existing ones. |
| View External Systems | Integration | View the list of External systems. Without this capability data cannot be loaded into a Dataset from an External System. |
| Manage Connections to External Systems | Integration | Create new External systems and edit details for existing systems. Without this capability data can still be loaded from an External system if the user has been assigned valid credentials. |
| API access | Integration | Create and manage REST API keys, and authorize with the REST API. |
| Publish Metadata Changes | Metadata | Allows Workflows, Views and Functions to be published. Without this capability, objects can only be in the Draft state. |
| Export Metadata | Metadata | Allows metadata and data to be exported from a Space to a .dmx or .dmxd file. |
| Import Metadata | Metadata | Allows metadata and data from a .dmx or .dmxd file to be imported into a Space. |
| Synchronize Metadata Between Environments | Metadata | Allows metadata and data from a .dmx or .dmxd file to be synchronized with a Space. |
| View Solution Packages | Metadata | View any created Solutions. View a Solution in read-only mode. |
| Manage Solution Packages | Metadata | Create / Edit / Delete a Solution. Access previous versions of a Solution. Download a published Solution package (.dmxs). |
| View Solution Deployments | Metadata | View deployed Solutions. |
| Deploy Solution Packages | Metadata | Deploy a Solution (.dmxs). |
| View Schedules | Automations | Access the list of Schedules. |
| Create and Edit Schedules | Automations | Create new Schedules, and view and edit the details of existing Schedules. Without this capability Schedules can still be Run Now. |
| View Automations | Automations | Access the list of Automations. |
| Create and Edit Automations | Automations | Create new Automations. View and edit the details of existing Automations, including enabling or disabling them. |
| View Custom Events | Automations | Access the list of Custom Events. Without this capability Custom Events cannot be selected in the Fire Event step. |
| Create and Edit Custom Events | Automations | Create new Custom Events. View and edit the details of existing Custom Events. |
| Manage Users | Security | Create and edit users. Assign users to a role, unless that role only allows the role managers to assign it. |
| Manage User Groups | Security | Create new groups of users, assign users to groups, and view and manage existing groups. |
| Manage Roles and Permissions | Security | View the list of roles, and the capabilities that make up the role. Create new roles and edit existing roles, including assigning capabilities. |
| Change All Users' Passwords | Security | Reset any other user's password. |
| Manage Authentication Type | Security | Change a user's authentication mechanism, for example from Internal Authentication to LDAP Authentication. |
| Manage Communication Settings | System Settings | View and configure the server's port, certificate, and SMTP properties. |
| Manage System Settings | System Settings | View and configure system defaults for warnings, connections to external services, server time zone, and system metrics logging. |
| Manage Data Handling Settings | System Settings | View and configure data display settings. |
| Manage Data Loading Settings | System Settings | View and configure loading and auto tagging settings. |
| Manage Performance Settings | System Settings | View and configure data load and processing performance settings. |
| Manage Security Settings | System Settings | View and configure session, password policy, and authentication settings. |
| Manage Workflow Step Settings | System Settings | View and configure remote Find duplicates server URL and other step-specific settings. |
| Manage Storage Settings | System Settings | View and configure file storage purge settings. |
| Manage Product License | System Settings | Allows a license update key to be retrieved and license update codes to be applied. |
| View System Information | System Settings | Allows access to the Metrics Operations endpoints in the REST API (assuming a valid API key is also provided). |
| Create Key Encryption | Data Encryption | Access the Data encryption system settings. |
| Manage Issue lists | Issue Management | Create, update, delete Issue lists. |
| View and Update Issues | Issue Management | Access existing lists of issues, update an issue and add comments. Consumer users can have this capability. |