Groups and Permissions
  • Dark
  • PDF

Groups and Permissions

  • Dark
  • PDF


Groups and Permissions in Matillion ETL allow admin users to specify what parts of the client each user can access. With this feature, admin users can define sets of permissions, allocate these permissions to specific permission groups, and divide users into these groups—granting the group's permissions on each user.

Once user permissions have been configured, if a user lacks the necessary permission(s) to access a resource, it will be greyed-out within the Matillion ETL instance and accompanied by a tooltip stating the permission required to access the resource.


  • This is an Enterprise Mode Only feature.
  • This feature will only become available after security has been configured on the Matillion ETL instance via Admin, User Configuration. See here.
  • A user requires the Server Admin role to access this feature.

Manage Groups

1. Admin users (and only admin users) can create, edit and remove an unlimited number of groups through the Groups dialog. To open this, click AdminManage Groups.

2. In the Groups dialog, Matillion ETL provides several default groups to be used "out of the box", including:

  • All Global Access: new users are automatically added to this group. Grants full access permissions.
  • Reader: may view the project and almost all parts of the instance including API Profiles, Credentials, OAuths, Jobs, and Variables—however, none of these may be edited.
  • Reader with Comments: all "reader" permissions with the ability to write notes to annotate jobs.
  • Runner: all "reader" permissions with the ability to run jobs as well as the individual components within—however, schedules cannot be edited or executed.
  • Scheduler: all "runner" permissions with the ability to edit and execute schedules and related areas such as Credentials, Drivers, and OAuths.
  • Writer: view, edit, and execute all parts of Matillion ETL—however, may not delete Projects and Versions.


These default groups can be edited and/or removed as required.

3. Click to add a new permission group, to edit an existing permission group, or to remove an existing permission group. Click to manage the members of an existing permission group.

Manage permission groups

4. Adding or editing a permission group using or will produce one of two outcomes, depending on whether LDAP Integration is being used. If LDAP is not being used, you will only be able to edit the group name:

Edit group name

When using LDAP integration, you have the ability to add roles to existing permission groups, as described in Linking LDAP Groups, below.

5. To add users to a group, click to the right of the group name in the Groups dialog. This will open the Manage Members dialog.

6. The Manage Members dialog lists all users that have been created in Matillion ETL (see User Configuration). To add users to the current group, select the checkboxes next to the required users and then click OK. To remove users from the group, clear the checkboxes.


Users can be added as members to more than one permission group, allowing for great flexibility in setting a user's permissions.

Manage Members

7. An alternative method for adding users to groups is to click the Membership button on the Groups dialog. This opens the Permission Group Members dialog, which lists all Matillion ETL users. Click the icon next to a user, and this will open the Edit Permission Group Member dialog which allows you to assign groups to that user. This method may be easier to use if you want to assign one user to several groups.

Permission Group Members

Manage Permissions

1. Admin users can manage permission settings for each permission group created as described above. Click AdminManage Permissions to open the Manage Permissions dialog.

2. In the Permissions dialog, click to the right of the name of the group you want to manage permissions for.


3. The Permissions dialog shows a hierarchical list of all permissions in Matillion ETL. You can use the and arrows to expand and collapse the list to find the permission you want, or you can use the search field and radio buttons at the top of the dialog to search for a permission by Name, State or Expected State.

4. To change the state of a permission, click in the State column and select the state. Changing the state of any permission will affect that resource's availability to members within the current group.The permission states are:

  • Granted: the permission is available to members of the group and will override a "Forbidden" Expected State
  • Forbidden: the permission is unavailable to members of the group and will override a "Granted" Expected State
  • Unspecified: the permission defers to its Expected State value



The permission State can be set at any level in the hierarchy, to affect individual permissions, entire sets of resources, and even all user permissions. For example, in the illustration above, setting the permission state at the Project level to Granted would mean that permission was granted to Join Project, Update Project Group, Create Project, etc.

View Permissions

Any user can view their own current permissions by clicking HelpView Permissions.

Linking LDAP Groups

As described in User Configuration, Matillion ETL can be configured to use External security, meaning the Matillion ETL instance will link to an existing external LDAP (Lightweight Directory Access Protocol) directory server such as OpenLDAP or Microsoft Active Directory. When using external LDAP integration, you can add roles to existing permission groups.

1. From the Manage Groups dialog, add or edit a permission group using or . This will open the Edit Permission Group dialog and allow you to add new roles to the group.

2. Click to add roles to the Role Name list, or highlight a role and click to remove it. Once all roles have been configured, click OK.

Edit Permission Group

Matillion ETL instance roles configured externally in LDAP groups can also be specified as members of internal permission groups. For example, if the METL Access role is configured in the LDAP directory server, and also in an internal Matillion ETL permission group, this role will then have the permissions configured in LDAP as well as additional permissions configured in the internal permission group.


What's Next