Authorisation and authentication
Matillion ETL provides admin settings and permissions that control which users can access which parts of the product. This article gives a brief overview of those features; follow the links on this page for in-depth information on each.
User Configuration lets Matillion ETL instance admins define the user list for that instance, along with some basic permissions for those users. To open the User Configuration pop-up window, click Admin → User Configuration in the top right corner of the screen.
There are three types of security options available for user configurations.
- INTERNAL: Uses an internal database of usernames and passwords that can be managed from this menu. Some broad access rights can be assigned here.
- EXTERNAL: This is used for linking to an existing directory server (e.g. Microsoft Active Directory or OpenLDAP). External security prevents logins using the existing users in Internal Security.
- NONE: The instance requires no login and can be accessed directly by anyone who can reach it on the network. Because there is no authentication at all, this is not recommended for instances that are publicly reachable.
The primary decision admins will need to make is what type of security will be used: None, Internal, or External.
There are different admin levels that give varying degrees of access and control:
Project Admins can edit the project. This includes:
- Creating passwords
- OAuth setups
- Creating jobs
- Managing jobs
In Matillion ETL, clicking Project → Manage Project in the top left of the screen brings up a list of users who can be assigned Public Access (project visibility) and Project Administration.
A User Admin has access to the Admin menu on the top right side of Matillion and overrides the Manage Project settings. A User Admin controls what other users can do (see Permissions), manages developers' access to features, and can create more users and SSL certificates.
A User Admin who is not a Project Admin can still open a project if they have been granted access to it.
When a user is a member of multiple Groups with conflicting Permissions, a Grant takes precedence over a Forbid. A user who is not a member of any Group belongs to the default Matillion role, which carries every non-Admin and non-API permission. Once that user is added to a Group, any Forbid in that Group takes precedence over the broad privileges granted by the default Matillion role. Above all of this, the Admin role takes priority over any Permissions assigned through Group membership.
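The precedence rules above are easy to get wrong once a user sits in several groups. The following Python models them as the text states them; it is an added illustration, not Matillion's implementation, and the group and permission names are made up. One reading it commits to: after a user joins any group, the default Matillion role's grants still apply except where a group Forbids them.

```python
"""Model of the Group/Admin permission-precedence rules described above.

Added illustration, not Matillion's code. Permission and group names are
constructed; Admin and API are roles, not group permissions, so the
permission universe below contains neither.
"""
from dataclasses import dataclass, field

GRANT, FORBID = "grant", "forbid"

# Constructed set of non-Admin, non-API permissions the default Matillion role grants.
ALL_PERMISSIONS = frozenset({"run_jobs", "edit_jobs", "manage_passwords", "oauth_setup"})


@dataclass
class Group:
    name: str
    rules: dict = field(default_factory=dict)  # permission -> GRANT or FORBID


@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    admin: bool = False  # holds the Admin role


def effective_permissions(user):
    """Resolve the non-Admin permissions a user actually holds.

    1. Admin role: takes priority over everything assigned via groups.
    2. No groups: the default Matillion role, i.e. every non-Admin/non-API permission.
    3. In groups: a Forbid in any group removes the default role's grant,
       but a Grant in any group wins over a Forbid in another.
    """
    if user.admin or not user.groups:
        return set(ALL_PERMISSIONS)
    granted, forbidden = set(), set()
    for group in user.groups:
        for permission, rule in group.rules.items():
            if rule == GRANT:
                granted.add(permission)
            elif rule == FORBID:
                forbidden.add(permission)
            else:
                raise ValueError(f"{group.name}: unknown rule {rule!r} for {permission}")
    # Forbid strips the default role's privilege; an explicit Grant restores it.
    return (set(ALL_PERMISSIONS) - forbidden) | granted


def explain(user):
    """Permissions a user lost compared with the default role (useful in an access review)."""
    return sorted(ALL_PERMISSIONS - effective_permissions(user))


if __name__ == "__main__":
    locked = Group("locked-down", {"edit_jobs": FORBID, "manage_passwords": FORBID})
    devs = Group("developers", {"edit_jobs": GRANT})
    for u in (User("alice"), User("bob", [locked]), User("carol", [locked, devs]),
              User("dan", [locked], admin=True)):
        print(u.name, sorted(effective_permissions(u)), "lost:", explain(u))
```

The `carol` case is the one worth checking in a real instance: she is in a group that Forbids `edit_jobs` and another that Grants it, and under the stated rule the Grant wins, so adding a restrictive group does not reliably remove a permission from a user who is also in a permissive one.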
OpenID login to Matillion ETL can be configured with generic identity provider credentials through Admin → User Configuration in the top right corner of the screen. Only a single provider can be used at any given time. For more information, see here.
Permissions in Matillion ETL let admins specify which parts of the client each user can access, and which are restricted. Permissions is an Enterprise-only feature. To enable Permissions on the server, an Admin must ensure that the Security Configuration under Admin → User Configuration is set to "Internal" or "External"; with "None" there is no authenticated identity to apply permissions to. That enables "Manage Groups" and "Manage Permissions" in the Admin menu. Each group has a defined set of permissions that allow or restrict access to specific parts of Matillion ETL. View Permissions is available through the Help menu to both Admins and regular users. For more information, see here.
A Project is a group of configuration settings and resources (such as jobs) required to use Matillion ETL. When you first log in to the instance you will need to create a Project. The Project menu is accessed via the button on the top left of Matillion ETL. From there you can Manage Project and use various other features such as export/import, managing environments, managing credentials, passwords, OAuth and more.
Accessing the Matillion ETL Client (Amazon EC2)
After launching Matillion ETL from the AWS Marketplace, you will need some details of your EC2 instance to log in to your Matillion ETL client. Browse to the EC2 Management Console of your AWS account (or browse to Services → EC2 → Instances) and select the running instance that hosts your Matillion ETL client. Take note of the IP address or Public DNS name and the Instance ID. For more detailed instructions, see here.
Accessing the Matillion ETL Client (Google Cloud Platform)
After launching a Matillion ETL instance on Google Cloud Platform, log in to the Google Cloud Console and browse to VM instances. Click the instance you wish to access and note its Primary Internal and External IP addresses; use the appropriate one to reach the instance through your browser. For more detailed instructions, see here.
Accessing the Matillion ETL Client (Microsoft Azure)
After launching a Matillion ETL instance on Microsoft Azure, log in to the Azure Portal, browse to Virtual Machines, and select the VM. You can find your new instance through its listed Public IP Address. Your first login to Matillion will use the credentials set in Azure. For more detailed instructions, see here.
It is also possible to authenticate users against an Active Directory or other LDAP directory server. Matillion supports three roles that allow a user to access specific aspects of the product:
- Emerald: This role allows access to the ETL interface. Typically all users have this role.
- Admin: This role allows a user to access the Admin Menu and related functions.
- API: This role allows a user to use the Matillion ETL API.
We recommend taking a snapshot of your instance before making changes, so that it can be restored if required.
For more information on the details you need from your LDAP/Domain, see here.
Cloud Platform Roles & Permissions
IAM Roles & Permissions (AWS)
IAM (Identity and Access Management) lets you manage access to AWS services and resources. You can manage users and groups and give them various permissions. These are managed in your AWS admin console.
There are two ways you can give Matillion ETL access to AWS:
- With instance credentials (specifying an IAM Role for the EC2 instance at launch time). The instance obtains short-lived credentials from the role, so no long-lived access keys need to be stored on it.
- With existing user-defined credentials (an IAM user's access key and secret key, entered into Matillion).
You can also attach different Managed Policies to the role you are using, for "coarse-grained access control" or "fine-grained access control". For fine-grained access control, there are many IAM privileges that Matillion can require, including EC2, KMS, RDS, SQS, CloudWatch, and Lambda actions; grant only the actions and resources your jobs actually use. For more information, see here.
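As an added example (not Matillion's code and not its documented policy), the following Python places a coarse-grained instance-role policy beside a fine-grained one and audits both for wildcard statements. The services chosen (SQS, KMS, Lambda), the action names, the resource ARNs and the account ID are constructed for illustration; the actions Matillion actually requires are in the documentation linked above.

```python
"""Coarse- vs fine-grained IAM policy for a Matillion EC2 instance role.

Added example, not Matillion's code: the policies, ARNs and account ID are
constructed; the actions are illustrative, not Matillion's documented set.
"""
import json

# Coarse-grained: whole services on every resource. Simple to attach, and
# every job that runs on the instance inherits all of it.
COARSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:*", "kms:*", "lambda:*"], "Resource": "*"}
    ],
}

# Fine-grained: one statement per need, named actions, named resources.
FINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadJobTriggerQueue",
            "Effect": "Allow",
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": "arn:aws:sqs:us-east-1:123456789012:example-matillion-queue",
        },
        {
            "Sid": "UseSecretsKey",
            "Effect": "Allow",
            "Action": ["kms:Decrypt", "kms:Encrypt"],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
        },
        {
            "Sid": "InvokeOneFunction",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-post-load",
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def broad_statements(policy):
    """Findings (sid, kind, value) for Allow statements that use wildcards.

    A '*' or 'service:*' action, or a '*' resource, marks the statement as
    coarse-grained: it grants more than any one job needs.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "wildcard resource", resource))
    return findings


def allowed_services(policy):
    """Service prefixes ('sqs', 'kms', ...) that any Allow statement touches."""
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                services.add("*" if action == "*" else action.split(":", 1)[0])
    return services


if __name__ == "__main__":
    for name, policy in (("coarse", COARSE_POLICY), ("fine", FINE_POLICY)):
        print(name, "services:", sorted(allowed_services(policy)))
        for finding in broad_statements(policy):
            print("  ", *finding)
    print(json.dumps(FINE_POLICY, indent=2))
```

Both policies touch the same three services, which is why a service list alone is not a useful review: the difference is entirely in the wildcards, and `broad_statements` reports four of them for the coarse policy and none for the fine one. Some AWS actions only accept a `*` resource, so a wildcard-resource finding is a prompt to check the action's documentation, not an automatic failure.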
IAM Roles & Permissions (Azure)
For Matillion ETL to detect Azure Blob Storage containers, you may need to input additional credentials. You can use either "Instance Credentials" or "User Defined Credentials" (obtaining credentials from Azure and entering them into Matillion). For Matillion ETL to access Azure resources with User Defined Credentials, you are required to provide:
- Tenant ID
- Client ID
- Secret Key
The Secret Key is the client secret of the Azure AD application the Client ID identifies; treat it as a password and rotate it if it is ever exposed.
For more information on setting up and locating these credentials, see here.
IAM Roles & Permissions (Google Cloud Platform)
GCP credentials are needed for Matillion to access Google Cloud Platform services, including Cloud Storage buckets and KMS. Grant the permissions through the GCP admin console, then enter the credentials into the Matillion ETL instance via Project Menu → Manage Credentials. See here for more information.
Matillion ETL uses the BigQuery Admin role and the Storage Admin role. Both are broad predefined roles, so grant them to a dedicated service account used only by the Matillion instance rather than to a personal account. For more information on IAM Roles & Permissions for GCP, see here.