Groups and Permissions
Groups and Permissions in Matillion ETL allow admin users to specify what parts of the client each user can access. With this feature, admin users can define sets of permissions, allocate these permissions to specific permission groups, and divide users into these groups, granting the group's permissions to each user.
Once user permissions have been configured, if a user lacks the necessary permission to access a resource, it will be grayed-out within the Matillion ETL user interface. Hovering over a grayed-out item will show a tool tip stating the permission required to access the resource.
- This is an Enterprise Mode only feature.
- This feature will only become available after security has been configured on the Matillion ETL instance via User Configuration.
- A user requires the Server Admin role to access this feature.
- Admin users (and only admin users) can create, edit and remove an unlimited number of groups through the Groups dialog. To open this, click Admin → Manage Groups.
- In the Groups dialog, Matillion ETL provides several default groups to be used "out of the box", including:
- All Global Access: new users are automatically added to this group. Grants full access permissions.
- Reader: may view the project and almost all parts of the instance including API profiles, credentials, OAuths, jobs, and variables—however, none of these may be edited.
- Reader with Comments: all "reader" permissions, plus the ability to write notes to annotate jobs.
- Runner: all "reader" permissions, plus the ability to run jobs as well as the individual components within—however, schedules cannot be edited or executed.
- Scheduler: all "runner" permissions, plus the ability to edit and execute schedules and related areas such as credentials, drivers, and OAuths.
- Writer: view, edit, and execute all parts of Matillion ETL—however, may not delete projects and versions.
These default groups can be edited and/or removed as required.
- Click the add (plus) icon to add a new permission group, the edit (pencil) icon to edit an existing permission group, or the delete (dustbin) icon to remove an existing permission group. Click the manage (people) icon to manage the members of an existing permission group.
- Adding or editing a permission group will produce one of two outcomes, depending on whether LDAP Integration is being used. If LDAP is not being used, you will only be able to edit the group name.
When using LDAP integration, you have the ability to add roles to permission groups, as described in Linking LDAP groups, below.
- To add users to a group, click the people icon to the right of the group name in the Groups dialog. This will open the Manage Members dialog.
- The Manage Members dialog lists all users that have been created in Matillion ETL (see User Configuration). To add users to the current group, select the checkboxes next to the required users and then click OK. To remove users from the group, clear the checkboxes before clicking OK.
Users can be added as members to more than one permission group, allowing for great flexibility in setting a user's permissions.
If a user belongs to multiple groups with conflicting permissions, Granted will take precedence over Forbidden, as described under the permission states, below.
- An alternative method for adding users to groups is to click the Membership button on the Groups dialog. This opens the Permission Group Members dialog, which lists all Matillion ETL users. Click the edit (pencil) icon next to a user, and this will open the Edit Permission Group Member dialog which allows you to assign groups to that user. This will be the more convenient method to use if you want to place one user in several different groups.
- Admin users can manage permission settings for each permission group created as described above. Click Admin → Manage Permissions to open the Manage Permissions dialog.
- In the Permissions dialog, click the edit (pencil) icon to the right of the name of the group you want to manage permissions for.
The Permissions dialog shows a hierarchical list of all permissions in Matillion ETL. You can use the arrow icons to expand and collapse the list to find the permission you want, or you can use the search field and radio buttons at the top of the dialog to search for a permission by Name, State or Expected State.
To change the state of a permission, click in the State column and select the state. Changing the state of any permission will affect that resource's availability to members within the current group. The permission states are:
- Granted: the permission is available to members of the group and will override a "Forbidden" Expected State
- Forbidden: the permission is unavailable to members of the group and will override a "Granted" Expected State
- Unspecified: the permission defers to its Expected State value
The permission State can be set at any level in the hierarchy, to affect individual permissions, entire sets of resources, and even all user permissions. For example, in the illustration above, setting the permission state at the Project level to Granted would mean that permission was granted to Join Project, Update Project Group, Create Project, etc.
Any user can view their own current permissions by clicking Help → View Permissions.
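The state rules above, combined with the rule that Granted takes precedence over Forbidden across groups, can be modelled to audit what a user effectively holds. This is an added example, not Matillion ETL code: the Expected State values, the group state assignments, and the assumption that the nearest level in the hierarchy with an explicit state decides are constructed for illustration.

```python
# Added illustration: a simplified model of the state rules, not Matillion ETL code.
GRANTED, FORBIDDEN, UNSPECIFIED = "Granted", "Forbidden", "Unspecified"

# Constructed Expected State values for permissions named on the page.
EXPECTED = {
    "Project/Join Project": GRANTED,
    "Project/Create Project": FORBIDDEN,
    "Project/Update Project Group": FORBIDDEN,
}

def group_state(states, permission):
    """Resolve one group's state for a permission path.

    Assumption: the nearest level in the hierarchy with an explicit state
    decides; Unspecified at every level defers to the Expected State.
    """
    parts = permission.split("/")
    for depth in range(len(parts), 0, -1):
        state = states.get("/".join(parts[:depth]), UNSPECIFIED)
        if state != UNSPECIFIED:
            return state
    return EXPECTED[permission]

def effective_state(groups, memberships, permission):
    """Combine a user's groups: Granted takes precedence over Forbidden.

    Assumption: a user who belongs to no group resolves to Forbidden.
    """
    resolved = [group_state(groups[g], permission) for g in memberships]
    return GRANTED if GRANTED in resolved else FORBIDDEN

def audit(groups, memberships):
    """Return the permissions a user effectively holds, sorted."""
    return sorted(p for p in EXPECTED
                  if effective_state(groups, memberships, p) == GRANTED)

# Constructed group definitions (hypothetical state assignments).
GROUPS = {
    "All Global Access": {"Project": GRANTED},
    "Reader": {"Project": FORBIDDEN, "Project/Join Project": GRANTED},
}

if __name__ == "__main__":
    # A new user left in the default group keeps full access even after
    # being added to Reader, because Granted wins across groups.
    print(audit(GROUPS, ["All Global Access", "Reader"]))
    print(audit(GROUPS, ["Reader"]))
```

Because new users are automatically added to All Global Access, restricting a user means removing them from that group, not only adding them to a narrower one.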
Linking LDAP groups
As described in User Configuration, Matillion ETL can be configured to use External security, meaning the Matillion ETL instance will link to an existing external LDAP (Lightweight Directory Access Protocol) directory server such as OpenLDAP or Microsoft Active Directory. When using external LDAP integration, you can add roles to existing permission groups.
1. From the Manage Groups dialog, add or edit a permission group using the add or edit icons. This will open the Edit Permission Group dialog and allow you to add new roles to the group.
2. Click the add icon to add roles to the Role Name list, or highlight a role and click the remove (minus) icon to remove it. Once all roles have been configured, click OK.
Any LDAP group that can be found from the Role Base provided during LDAP configuration can be used to map to existing or custom Matillion ETL groups and permissions, and this mapping is completely independent of LDAP role mapping as described in the article LDAP Configuration. As best practice we recommend that these two functions use different LDAP groups, i.e. an LDAP group used to map to a Matillion ETL access role should not also be used to map to Matillion ETL groups and permissions as described here.