
About the Security Manager

The Security Manager allows you to create and manage users and groups so as to both enable sharing and restrict access. Using built-in Security Roles, you assign access permissions to groups of users. This approach, known as Role Based Access Control (RBAC), lets you enforce access to certain features and functionality within Incorta.

Using the Security Manager

By default, the Super User (the Tenant Administrator) has the SuperRole, which is covered in security roles. Roles are immutable permission settings that can be applied to groups. You cannot create, edit, or delete a role. As a user with the ability to manage security, you create groups and assign permissions to them using one or more roles. You can assign one or more groups to a user to give them the desired permissions.

Security Role Management

Incorta’s security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights.

Role Based Access Control

Role Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Service. There is no direct way to assign a role to a user, with two exceptions:

  • All users inherit the User role.
  • A tenant administrator inherits the SuperUser role unless otherwise configured for the tenant.

In Incorta, a user belongs to zero or more groups, and a group is assigned zero or more roles.

Note

While RBAC, through permissions, controls access to features and functionality, access rights refer to the individual access to an object. For example: The user Tom gives access rights to Rachel to view a dashboard Tom has created.

Role properties

The following table describes the roles and associated permissions, accessible from the Roles tab in the context menu of the Security Manager:

| Role | Description | Permissions |
| --- | --- | --- |
| Analyze User | Manages folders and dashboards and has access to the Analyzer screen. This role creates Dashboards with shared and personal (requires Schema Manager) schemas. This role also shares with the Share option, shares through email, or schedules Dashboards for sharing via email. | Can Manage: Catalog; Can View: Schema |
| Dashboard Analyzer | In addition to viewing and sharing the dashboards available to the user role, this role will also be able to personalize the dashboards shared with them. | Can Share: Catalog |
| Individual Analyzer | Creates new dashboards using shared or personal schemas (requires Schema Manager). This role cannot share or send dashboards via email. | Can Manage: Catalog; Can View: Schema |
| Privileged User | Shares and schedules sending dashboards via emails. | Can Share: Catalog |
| Schema Manager | Creates schemas and data sources and loads the data into the schemas. This role also shares the schemas with other users so they can create dashboards. | Can Manage: Schema, Data |
| SuperRole | Manages users, groups, and roles. Can create users and groups. This role also creates schemas and dashboards without requiring any additional roles. This is the master Admin role. | Can Manage: Security, Catalog, Schema, Data |
| User | The default roles assigned to an end-user assigned to a group. This role views any dashboard shared with them. This role can apply filters but cannot change the underlying metadata. | Can View: Catalog |
| User Manager | Creates and manages groups and users. Creates groups and adds roles. Adds users to groups. | Can Manage: Security |

Note

Note that Catalog refers to the Content tab in the Navigation bar.

Group Management

As a user with security edit access, you are able to create, edit, or delete groups. You assign a group one or more roles from the Edit Group drawer. In addition, you are able to add users to a group through the Edit Group drawer.

Group Properties

The following are the group properties found in the Groups tab of the Security Manager:

| Properties | Description |
| --- | --- |
| Name | The group name |
| Description | Optional group description |
| Add User(s) | Visible by hovering over the desired group. Open the Add User(s) to Group(s) window. |
| Delete | Visible by hovering over the desired group. Delete the selected group. |
| Add Role(s) | Visible by hovering over the desired group. Open the Add Role(s) to Group(s) window. |

Create a Group

The following are the steps to create a group:

  • In the Navigation bar, select Security.
  • In the Action bar, select + New.
  • From the drop down menu, select Add Group.
  • In the Add Group dialog, enter a group Name.
  • Optionally, enter a group description.
  • Select Add.

Edit Group Properties

When you select a group from the Groups tab, the Edit Group drawer will open. The Edit Group drawer is split into three sections.

Edit Group Info properties

The following are the properties of the Edit Group drawer Info section:

| Property | Description |
| --- | --- |
| Name | The group name |
| Description | Optional group description |

Edit Group Users properties

From the Users section of the Edit Group drawer, you are able to view the user name and email of users in the group. You can easily search for users within the group using the search bar.

The following are the properties of users in the Users section of the Edit Group drawer:

| Property | Description |
| --- | --- |
| Name | The user name |
| Email | The user's email |

Add users to a group

From the Groups tab or the Edit Group drawer, you can access the Add User(s) to Group(s) window. Using this window, you can add one or more users to a group. From the Edit Group drawer, access the Add User(s) to Group(s) window in the Users section and select the Add User(s) icon (+ icon).

The Add User(s) to Group(s) window will only display users not currently in the group. You can search users using the search bar at the top of the window. Usernames and emails will be displayed in the window.

The following are the steps to access the Add User(s) to Group(s) window and add one or more users to a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Hover over the desired group and select Add User(s) (people icon).
    • Optionally, you can select the desired group to open the Edit Group drawer.
      • Select Users.
      • Select Add User(s) (+ icon).
    • You may use the checkboxes in the Groups tab to select multiple groups before selecting Add User(s) (people icon). This will allow you to add users to multiple groups at once.
  • Select one or more users from the list. You may use the search bar to filter the list.
  • Select Add.

Remove a user from a group

The following are the steps to remove one or more users from a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group.
  • In the Edit Group drawer, select Users.
  • Select one or more users.
  • Select Remove (trash icon).

Edit Group Roles properties

The following are the role properties in the Roles section of the Edit Group drawer:

| Property | Description |
| --- | --- |
| Role | The role name |
| Permissions | The granted permissions of the role. |

Add roles to a group

The following are the steps to add roles to a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group.
  • In the Edit Group drawer, select Roles.
  • Select Add Role(s) (+ icon).
  • From the Add Role(s) to Group(s) drawer, select the desired roles for the group.
  • Select Add.

Note

Optionally, you can select more than one group from the Groups tab. After selecting groups, select Add Role(s) from More Options (kebab icon). This will open the Add Role(s) to Group(s) window.

Remove roles from a group

The following are the steps to remove roles from a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group.
  • In the Edit Group drawer, select Roles.
  • Select one or more roles from the drawer.
  • Select delete (trash icon).

Group API Key Enablement

Only a SuperUser can manage API Key access for groups and users. You can enable or disable API Key Generation, for the Incorta Public API, for one or more groups from the Groups tab. Users will still need to generate their individual API key once access has been granted.

The following are the steps to enable or disable API Key generation for groups:

  • In the Navigation bar, select Security.
  • In the Action bar, select Groups.
  • Select one or more groups.
  • From the Groups tab, select More Options (kebab icon).
  • Select Enable API Key Generation or Disable API Generation.

Recommendation

If you disable API key generation for all users in a group, the active API keys for those group users become immediately invalidated. For this reason, managing an API key by group is not recommended. Rather, a specific user should be associated with an API key.

Delete a group

The following are the steps to delete a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group(s).
  • Select delete (trash icon).

Warning

When you delete a group, the group and all role permissions for that group are removed from all users that were in the deleted group.

User Management

User properties

The following are the properties of a user in the Users tab of the Security Manager:

| Property | Description |
| --- | --- |
| Name | The user display name. |
| Email | The user email. |
| Authentication Type | The Authentication type for this user. Authentication types are controlled in tenant Security of the CMC. |
| Last Signed In | The last time the user signed in. |

Edit User properties

You can access the detailed properties of an individual user by selecting them from the Users tab.

User general properties

The following are the user properties in the General section of the Edit User drawer:

| Property | Control | Description |
| --- | --- | --- |
| Login Name | immutable | The user login name. |
| Profile Image | file selection | Upload an image to use as the user profile image. The file type must be a JPEG or PNG, and the file size is limited to 2MB. |
| Display Name | text box | Enter the user’s display name. |
| Email | text box | Enter the user email. |
| Language | drop down menu | Select the user’s language. Available options are: Arabic, Chinese (Simplified), Dutch, English, French, German, Italian, Spanish, and Spanish. |
| Region Format | drop down menu | Select the user’s GMT based time zone. |
| Time Zone | drop down menu | Select the user’s GMT based time zone. |
| Calendar | drop down menu | Select the calendar format for the user. |

User group membership properties

The following are the user properties in the Group Membership section of the Edit User drawer:

| Property | Description |
| --- | --- |
| Name | The group name |
| Description | The description of the group |

User security properties

The following are the user properties in the Security section of the Edit User drawer:

| Property | Control | Description |
| --- | --- | --- |
| Enable API Key Generation | toggle | Only visible as a SuperUser. Toggle API key generation for the selected user. |
| Current Password | text box | Only available in the drawer of the logged in user. Enter the current user password. |
| Password | text box | Only available in the drawer of the logged in user. Enter a new password. |
| Confirm Password | text box | Only available in the drawer of the logged in user. Confirm new password. |
| Reset Password | button | Only available to users with Security management privileges. An email will be sent to the user with a link to reset their password. |
| Login As | button | Only available to a SuperUser. Temporarily log into Incorta as the selected user. For additional information, see Additional Considerations. |
| Delete User | button | Delete the selected user. |
| Generate/Renew API Key | button | Only visible to a user that has API key generation enabled. Generate a new API key. |
| Copy Key | button | Only visible to a user that has API key generation enabled. Copy the current API key to the clipboard. |

User Appearance properties

The appearance properties section is only visible to the currently logged in user.

The following are the user properties in the Appearance section of the Edit User drawer:

| Property | Control | Description |
| --- | --- | --- |
| Dark Theme | toggle | Enable Incorta dark mode for the selected user. |
| Reduce Motion | toggle | Enable visually reduced motion for interaction with chart legends. |

Create a new user

The following are the steps to create a new user:

  • In the Navigation bar, select Security.
  • In the Context bar, select + New.
  • Select Add User.
  • Enter the desired user properties.
  • Select Add.

Add a group to a user’s group membership

The following are the steps to add a group to a user’s group membership:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • Select the desired user.
  • Optionally, you can select multiple users and select the Add to Group(s) (people icon).
  • In the Edit User drawer, select the Group Membership section.
  • Select the Add to Group(s) (+ icon).
  • Select the desired groups to add the user to.
  • Select Add.

Remove a group from a user’s group membership

The following are the steps to remove a group from a user’s group membership:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • Select the desired user.
  • In the Edit User drawer, select the Group Membership section.
  • Select the desired groups to remove from the user.
  • Select delete (trash icon).

User API Key Enablement

Only a SuperUser can manage API Key access for groups and users. You can enable or disable API Key Generation, for the Incorta Public API, for one or more users from the Users tab. Users will still need to generate their individual API key once access has been granted.

The following are the steps to enable or disable API Key generation for users:

  • As an Incorta Super User, sign into the Incorta Direct Data Platform™.
  • In the Navigation bar, select Security.
  • In the Action bar, select Users.
  • Select the checkbox next to each user for which you would like to enable/disable API key generation.
  • From the more options menu (kebab icon), select Enable/Disable API Key Generation.

Delete a user

When you delete a user, Incorta informs you of the content they have created and own. The content must either be deleted or have its ownership transferred to another user. You cannot delete more than one user at a time, and a user cannot delete their own account.

The following are the steps to delete a user:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • Select the desired user.
  • Select delete (trash icon).
  • In Check:

    • Incorta will inform you if the selected user owns content.
    • If the user owns no content:

      • You can select Next and proceed to Confirm.
    • If the user owns content:

      • Incorta will list the quantity of each type of entity the user owns.
      • You must select one of the following options:

        • Delete the entities owned by the user.
        • Or, transfer ownership to the current/another user.
  • In Transfer:

    • Select whether sharing permissions (sharing access rights) are transferred to the new owner.
    • Select to transfer to the current user or another user.
    • When you select Next, the ownership transfer is completed immediately.
  • In Confirm:

    • Select Delete.

Additional Considerations

Login As feature

A user that inherits the SuperRole has the ability to impersonate a user. The SuperUser is able to use the Login As feature to impersonate another Incorta user. You can access the feature from the Edit User drawer. Once active, you will be restricted to the same permissions and shared access as the impersonated user. Any changes you make to the user’s content or user settings will be reflected in the user’s account. To return to your SuperUser account, select Switch Back from the profile menu in the top right corner of the Action bar.

An impersonated user receives an email notifying them of their impersonation. However, this requires SMTP configuration for the Incorta Cluster.

To limit the possibility of unwanted user impersonation, Incorta strongly encourages security administrators to limit the number of users that inherit the SuperRole and to configure SMTP for the Incorta Cluster.

To learn more about SMTP configuration, please review Email Configuration.
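The optimistic role model described under Security Role Management and the SuperRole recommendation above can both be checked offline against an export of users, groups and roles. The following Python sketch is an added example, not Incorta code or an Incorta API: it merges the role table from this page per user, keeping the least restrictive level, and lists who holds the SuperRole (and so can use Login As) or can manage Security. The View < Share < Manage ordering, the function names and the sample directory are assumptions constructed for illustration.

```python
# Role permissions transcribed from the role table on this page.
ROLE_PERMISSIONS = {
    "Analyze User": {"Catalog": "Manage", "Schema": "View"},
    "Dashboard Analyzer": {"Catalog": "Share"},
    "Individual Analyzer": {"Catalog": "Manage", "Schema": "View"},
    "Privileged User": {"Catalog": "Share"},
    "Schema Manager": {"Schema": "Manage", "Data": "Manage"},
    "SuperRole": {"Security": "Manage", "Catalog": "Manage", "Schema": "Manage", "Data": "Manage"},
    "User": {"Catalog": "View"},
    "User Manager": {"Security": "Manage"},
}
# Assumption (not stated on the page): levels are ordered View < Share < Manage.
LEVELS = {"View": 1, "Share": 2, "Manage": 3}

def effective_roles(user, user_groups, group_roles, tenant_admins=()):
    """Map each role a user holds to where it comes from (inherited or group names)."""
    roles = {"User": ["(inherited)"]}  # all users inherit the User role
    if user in tenant_admins:
        roles["SuperRole"] = ["(tenant administrator)"]
    for group in user_groups.get(user, ()):
        for role in group_roles.get(group, ()):
            roles.setdefault(role, []).append(group)
    return roles

def effective_permissions(roles):
    """Optimistic merge: keep the least restrictive level per area."""
    perms = {}
    for role in roles:
        for area, level in ROLE_PERMISSIONS[role].items():
            if LEVELS[level] > LEVELS.get(perms.get(area), 0):
                perms[area] = level
    return perms

def audit(user_groups, group_roles, tenant_admins=()):
    """List SuperRole holders (Login As) and every user who can manage Security."""
    report = {"superrole": {}, "manage_security": []}
    for user in sorted(set(user_groups) | set(tenant_admins)):
        roles = effective_roles(user, user_groups, group_roles, tenant_admins)
        if "SuperRole" in roles:
            report["superrole"][user] = roles["SuperRole"]
        if effective_permissions(roles).get("Security") == "Manage":
            report["manage_security"].append(user)
    return report

# Constructed sample directory (not real Incorta data).
USER_GROUPS = {"tom": ["Analysts"], "rachel": ["Analysts", "Platform Admins"],
               "sam": ["Helpdesk"], "lee": [], "admin": []}
GROUP_ROLES = {"Analysts": ["Individual Analyzer", "Privileged User"],
               "Platform Admins": ["SuperRole"], "Helpdesk": ["User Manager"]}
print(audit(USER_GROUPS, GROUP_ROLES, tenant_admins={"admin"}))
```

The report names the group that grants each SuperRole, which is the membership to review when reducing the number of users who can impersonate others.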

