Authorisation and authentication
Admin users can assign or remove permissions to control which areas of Matillion ETL specified users can access. This article explains in more detail which areas of the tool are affected by user permissions:
- User Configuration
- Manage Project
- Admin Menu
- OpenID Setup
- Project Access
- Accessing the Matillion ETL Client (Amazon EC2)
- Accessing the Matillion ETL Client (Google Cloud Platform)
- Accessing the Matillion ETL Client (Microsoft Azure)
- LDAP Integration
- Cloud Platform Roles and Permissions
To open the User Configurations dialog, click Admin, in the top right of your Matillion ETL instance, then click User Configuration.
The User Configuration dialog lets you manage new and existing users, and control their permissions. For more information about this dialog, read User Configuration.
In Matillion ETL, on the top-left, click Project → Manage Project. The Manage Project dialog will be displayed, where you can modify the details of the intended Matillion ETL project. For more information, read Manage Project.
A User Admin has access to the Admin menu on the upper-right of the Matillion ETL UI, and overrides the Manage Project settings. A User Admin can manage developer access to certain features, and create more users, and manage SSLs.
In Matillion ETL, in the upper-right, click the Admin menu to administer your instance. For more information, read Admin Menu.
When a user is a member of multiple groups and has conflicting permissions, a Grant Permission takes precendence over Forbid. When a user isn't a member of any group, they will be assigned the Matillion role, where all non-admin, and non-API permissions will apply throughout the use of Matillion ETL. Once you add that user to a group, any Forbid privileges take precedence over the broad privileges granted by the default Matillion role. The Admin role takes priority over permissions assigned from the Group membership.
In Matillion ETL, in the upper-right, click the Admin menu, then User Configuration to open the dialog. Switch to the Open ID Connect Login tab.
Open ID Connect Login lets you set up Open ID logins from a specified provider of your choosing, using the Identity Provider drop-down menu in the dialog. Only a single provider can be used at any given time. For further details and help with setting up an OpenID login, read OneLogin OpenID Setup.
Permissions is an Enterprise-only feature. It allows admins to determine what parts of the client each user has access to. Each group has a defined set of permissions that allow or restrict access to specific parts of Matillion ETL. For more information, see here.
To enable permissions on the server, a user with an Admin role must ensure that the Security Configuration, situated in the Admin, then User Configuration, is set to "Internal" or "External". When the security configuration has been set, it will allow the user with the Admin role to Manage Groups, and Manage Permission.
View Permissions is available through the Help menu, situated next to the Admin menu in Matillion ETL, and can be managed by both "Admins" and regular users.
The Project menu can be accessed in the upper-left of your Matillion ETL instance. A Project is a group of configuration settings and resources (such as a jobs) required to use Matillion ETL. When you first log in to your Matillion ETL instance, you'll need to create a project. Access the Project menu , and click Manage Project, and you can use various other features such as Import - Export, Manage Credentials, Manage Passwords, Manage OAuth, and many more.
There are different administrative levels that grant varying degrees of access and control. Project admins can edit the project, this includes:
- Creating Passwords.
- OAuth entry setups.
- Creating jobs.
- Managing jobs.
Accessing the Matillion ETL Client (Amazon EC2)
After Launching Matillion ETL from the AWS Marketplace, you'll need some details of your EC2 instance to log into your Matillion ETL instance. Browse to the EC2 Management Console of your AWS account, or browse to Services, EC2, then Instances. Select the running instance that hosts your Matillion ETL instance. You will need to take note of the IP or Public DNS, and Instance ID. For more detailed instructions, see here.
Accessing the Matillion ETL Client (Google Cloud Platform)
After Launching Matillion ETL instance on Google Cloud Platform, log into Google Cloud Console, and browse to VM instances. Click on the instance you want to access, and look for the Primary Internal and External IP addresses, to access the instance through your browser. For more detailed instructions, see here.
Accessing the Matillion ETL Client (Microsoft Azure)
After Launching Matillion ETL instance on Microsoft Azure, log into the Azure Portal, browse Virtual Machines, and select the VM. You can find your new instance through its listed Public IP Address. Your first login to Matillion will use the credentials from Azure. For more detailed instructions, see here.
In your Matillion ETL instance, LDAP integration can be accessed through the Admin menu. Select User Configuration, and use the Select Security Configuration drop-down menu to select External. Authenticate users against an Active Directory or other LDAP directory server. Matillion supports three roles that allow a user to access specific aspects of the product:
- Emerald: This role allows access to the ETL interface. Typically all users have this role.
- Admin: This role allows a user to access the Admin Menu and related functions.
- API: This role allows access to the Matillion ETL API.
Take a snapshot of your Matillion ETL instance before making changes, and restore it if required.
For more information about the details that required from your LDAP/Domain, see here.
Cloud Platform Roles and Permissions
IAM Roles and Permissions (AWS)
IAM (Identity and Access Management) lets you manage access to different AWS services and resources. You can manage users and groups, giving them various permissions. These are managed in your AWS admin console.
There are two ways you can give access to Matillion ETL:
- Instance credentials (specifying an IAM Role for the EC2 instance at launch time).
- Existing user-defined credentials.
You can also attach different Managed Policies to the role you are using, such as "coarse-grained access control" or "fine-grained access control". For fine-grained access control, there are many IAM privileges that Matillion ETL requires. These include EC2, KMS, RDS, SQS, CloudWatch, and Lambda actions. For more information, see here.
IAM Roles and Permissions (Azure)
For Matillion ETL to detect Azure Blob Storage containers, you may need to input additional credentials. You can either use "Instance Credentials" or "User Defined Credentials", where you obtain your credentials from Azure, and enter them into Matillion ETL. For Matillion ETL to access Azure resources, you are required to provide the following:
- Tenant ID
- Client ID
- Secret Key
For more information about setting up and locating these credentials, see here.
IAM Roles and Permissions (Google Cloud Platform)
GCP credentials are needed for Matillion to access Google Cloud Platform services, including Cloud Storage buckets, and KMS. You'll need to give permission through the GCP admin console, and enter it into your Matillion ETL instance by accessing the Project menu, then selecting Manage Credentials. For more information, see here.
Matillion ETL uses the "admin BigQuery role", and the "Storage admin role". For more information about IAM Roles and Permissions for GCP, see here.