Data Studio has a sophisticated and advanced security model. You can control not only who can perform what operations, but also the level of access that users will have to specific Data Studio objects (e.g. Workflows).
Roles are used to control the operations that a user can perform in a Data Studio environment. Permissions are defined for Spaces to control access to objects.
A group would typically contain a set of users who do similar work. Groups make it easier to assign permissions and each user can optionally be added to more than one group.
Users with the 'Manage User Groups' capability in their role can create new and manage existing groups by going to System > Groups. A group must have a least one manager, and only the manager can assign other users to that group.
From a licensing perspective, there are two users:
These three are the default users that you can modify as required.
To see how many users you're licensed for, view your license information.
To create a new user:
Users can be assigned one or more roles. If you have more than one Data Studio Environment, a user has to be assigned at least one role in that Environment to access it. Users can have different roles in different Environments.
To let you control access to specific Data Studio objects such as Datasets, Views, Workflows or Functions, we use Spaces. Work and data are contained within a defined Space and users have to be explicitly granted access to that Space to access it.
For security reasons, Data Studio has a built-in user account (username 'administrator') that can't be deleted. This account is a permanent Installation manager user and can manage and access all Environments, so the 'Manage Environments' screen will always be shown when logging in as this user. The roles and capabilities of the super admin user cannot be edited.
The authentication mechanism can't be changed for the super admin. Find out how to reset the super admin's password.
If LDAP security is configured, the authentication mechanism can be selected from the drop-down that appears on the Create new user screen.
To create a user authenticated via LDAP:
A role is a collection of capabilities. Each user can be assigned multiple roles (in which case the capabilities in each role are additive). The user's role is specific to an Environment, so if you have more than one, you can assign different roles to the same user in each Environment.
You can create your own roles and assign capabilities to them. Users with the 'Manage Roles and Permissions' capability can create roles and modify capabilities for existing roles.
To view and manage roles:
For example, if you want to restrict access to who can download CSV files, you can create a 'CSV downloader' role with a single capability of 'Download data as CSV' (and if required, remove it from the 'Administrator' and 'Designer' roles).
You can restrict users who can add new roles: select the Only allow role managers to assign option and add one or more users to the Managers list. Only users in this list will be able to assign this role to other users.
If this option isn't selected for a role, users with the 'Manage Users' capability will also be able to assign that role to users. For example, you may want to restrict who can apply the Administrator role to users.
A capability is an operation that you can assign to a role. You can assign one or more capabilities to a role, as required.
|Permission||Group||Users with this capability in their role will be able to:|
|Access Designer Interface||General||Log into Data Studio as a Designer user. Without this capability only Reports exposed to Consumer users will be visible. If a role is given this capability then enabled users assigned to that role will be deducted from the Designer license limit. Otherwise they will be deducted from the Consumer count.|
|Create and Edit Spaces||General||Create new Spaces, and edit Space details (including assigning access to the Space for other users).|
|View Datasets||Dataset Management||Access Datasets, and create Datasets by loading files or External system sources. Without this capability Datasets can only be created using the Take Snapshot step, but even then they will not be visible.|
|Create and Edit Datasets||Dataset Management||Edit the details of an existing Dataset and add a new Dataset, either in the Datasets screen or by using the Take Snapshot step. Without this capability new batches of data can still be added to an existing Dataset.|
|Upload Dataset file||Dataset Management||Uploaded their own files when creating or updating a Dataset. Without this capability Datasets can only be created from External systems, files in the Server import directory, or from the Take Snapshot step.|
|Create and Edit Views||Dataset Management||Edit, clone or share existing Views, or create a new View.|
|Create and Edit Charts||Dataset Management||Create, edit, clone or share existing Charts (outside of Workflow)|
|Create and Edit Data Tags||Dataset Management||View the list of existing data tags, create new tags, and manage training datasets for tags.|
|Download data as CSV||Dataset Management||Use the Download as CSV button from all data grids, and download exported files (generated by workflow execution) from the Job Details. Also copy from selected cells in the grid.|
|View Workflows||Workflow Management||Access Workflows and create a new Workflow.|
|Create and Edit Workflows||Workflow Management||Create or edited Workflows. If the capability is removed workflows are always read-only.|
|Execute Workflows||Workflow Management||Execute workflows manually, via a schedule, or using the REST API.|
|Monitor Workflows||Workflow Management||See the Jobs button in the side menu, and therefore view workflow progress and workflow execution details.|
|Create and Edit Workflow Step Settings||Workflow Management||Access Workflow Step settings to view or edit them. Without this capability Step settings can still be used in workflow steps.|
|View Functions||Function Management||View or edit user defined Functions, and include a Function in a Space that is shared from another Space. Without this capability system and user defined Functions can still be used in Workflows and Views.|
|Create and Edit Functions||Function Management||Create new user defined functions and manage existing ones. Without this capability functions cannot be made re-usable.|
|Create and Edit Function Categories||Function Management||Create new function categories and edit or delete existing ones.|
|View External Systems||Integration||View the list of External systems. Without this capability data cannot be loaded into a Dataset from an External System|
|Manage Connections to External Systems||Integration||Create new External systems and edit details for existing systems. Without this capability data can still be loaded from an External system if the user has been assigned valid credentials.|
|API access||Integration||Create and manage REST API keys, and authorize with the REST API.|
|Publish Metadata Changes||Metadata||Allows Workflows, Views and Functions to be published. Without this capability, objects can only be in the Draft state.|
|Export Metadata||Metadata||Allows metadata and data to be exported from a Space to a .dmx or .dmxd file.|
|Import Metadata||Metadata||Allows metadata and data from a .dmx or dmxd file to be imported into a Space.|
|Synchronize Metadata Between Environments||Metadata||Allows metadata and data from a .dmx or dmxd file to be synchronized with a Space.|
|View Schedules||Scheduling and Notifications||Access the list of Schedules.|
|Create and Edit Schedules||Scheduling and Notifications||Create new Schedules, and view and edit the details of existing Schedules. Without this capability Schedules can still be Run Now.|
|View Notification Configuration||Scheduling and Notifications||Access the list of Notifications.|
|Manage Notification Configuration||Scheduling and Notifications||Create new Notifications. View and edit the details of existing Notifications, including enabling or disabling them.|
|View Custom Events||Scheduling and Notifications||Access the list of Custom Events. Without this capability Custom Events cannot be selected in the Fire Event step.|
|Create and Edit Custom Events||Scheduling and Notifications||Create new Custom Events. View and edit the details of existing Custom Events.|
|Manage Users||Security||Assign users to a role, unless that role only allows the role managers to assign it.|
|Manage User Groups||Security||Create new groups of users, assign users to groups, and view and manage existing groups.|
|Manage Roles and Permissions||Security||View the list of roles, and the capabilities that make up the role. Create new roles and edit existing roles, including assigning capabilities.|
|Change All Users' Passwords||Security||Reset any other user's password.|
|Manage Authentication Type||Security||Change a user's authentication mechanism, for example from Internal Authentication to LDAP Authentication.|
|Manage Communication Settings||System Settings||View and configure the server's port, certificate, and SMTP properties.|
|Manage System Settings||System Settings||View and configure system defaults for warnings, connections to external services, server time zone, and system metrics logging.|
|Manage Data Handling Settings||System Settings||View and configure data display settings.|
|Manage Data Loading Settings||System Settings||View and configure loading and auto tagging settings.|
|Manage Performance Settings||System Settings||View and configure data load and processing performance settings.|
|Manage Security Settings||System Settings||View and configure session, password policy, and authentication settings|
|Manage Workflow Step Settings||System Settings||View and configure remote Find duplicates server URL and other step-specific settings.|
|Manage Storage Settings||System Settings||View and configure file storage purge settings.|
|Manage Product License||System Settings||Allows a license update key to be retrieved and license update codes to be applied.|
|View System Information||System Settings||Allows access to the Metrics Operations endpoints in the REST API (assuming a valid API key is also provided).|