User Configuration allows Matillion ETL instance admins to define the user list for that instance, along with some basic permissions for those users. To open the User Configurations pop-up window, click Admin → User Configuration in the top right corner of the screen.
The primary decision admins will need to make is what type of security will be used: Internal, External or None.
When selecting None, the Matillion ETL instance will essentially provide no control over who can access the Matillion ETL instance. As best practice, this option is never recommended, especially for users whose instances are publicly available.
When selecting Internal, the Matillion ETL instance will use an instance-based database of usernames, passwords and privileges. Users can be added, removed and modified in the Manage Users tab.
Via the OpenID Connect Login tab, internal users may also be configured using an OpenID and connected to an internal user profile.
Add user: Click + in the bottom left of the pop-up window.
User roles: Users can be configured into the following roles:
- Server Admin: this role allows the user access to the Admin menu and all admin-related features therein.
- API: this role allows the user to use the Matillion v0 and v1 APIs.
- Global Project Admin: this role allows the user to read and access all projects on the instance regardless of the project's access settings.
Remove user: Click to the right of the relevant user's name.
Change user's password: Click to the right of the relevant user's name. This will open the Add User pop-up window. From here, enter a username and password, and select any roles the user will be allowed (optional).
Passwords entered via the User Configuration pop-up window are displayed in plaintext but are stored as SHA512 hashes. If manually editing a password, either via the database or the API, the desired password must be supplied as a SHA512 hash. Plaintext passwords can never be recovered by any means.
When selecting External, the Matillion ETL instance will link to an existing directory server—for example OpenLDAP (Lightweight Directory Access Protocol) or Microsoft Active Directory.
Opting to use External security will prevent existing users configured in Internal security from logging in.
Add user: Users are configured by completing the Set Realm Parameters form, which uses LDAP integration to grant and prevent access to users on a Matillion ETL instance:
- Connection Name: The name of a user to make the initial bind to the directory (for Active Directory, include a realm using the form "user@REALM")
- Connection Password: The password for the user to make the initial bind to the directory
- Encryption Key: A list of KMS keys that the user has access to that are used to encrypt connection passwords
- Connection URL: The location of the directory server, using one of the forms below:
  ldap://<hostname>:389/
  For SSL
- User Base: The part of the directory tree to begin searching for users
- User Search: The attribute to search for user names
- Role Base: The part of the directory tree to begin searching for groups / roles (often the same place as users)
- Role Name: The name of the attribute containing the role name
- Role Search: How to find all the roles for a user
- METL Access: The role a user must be a member of to gain access to the Matillion ETL application
- METL Server Admin: The role a user must be a member of to gain access to the Matillion ETL administration page (this can be different to the METL Role Name)
- METL Global Project Admin: The role a user must be a member of to gain access to the Matillion ETL project administration (this can be different to the METL Role Name)
- API: The role a user must be a member of to gain access to the Matillion ETL API (this can be different to the METL Role Name)
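How the directory parameters above combine into an access decision, shown as an added example that is not Matillion's code: a simplified in-memory model in Python. The directory entries, DNs, group names and the use of a `member` attribute for Role Search are assumptions constructed for illustration.

```python
# Added example: simplified in-memory model of the realm lookup (not Matillion code).
PEOPLE = "ou=people,dc=example,dc=com"    # constructed User Base
GROUPS = "ou=groups,dc=example,dc=com"    # constructed Role Base
ALICE, BOB = f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"

REALM = {
    "user_base": PEOPLE, "user_search": "uid",
    "role_base": GROUPS, "role_name": "cn",
    "role_search": "member",  # assumption: groups list member DNs in this attribute
    "metl_access": "metl-users", "metl_server_admin": "metl-admins",
    "metl_global_project_admin": "metl-project-admins", "api": "metl-api",
}

DIRECTORY = [  # constructed sample entries: (dn, attributes)
    (ALICE, {"uid": ["alice"]}),
    (BOB, {"uid": ["bob"]}),
    ("uid=alice,ou=contractors,dc=example,dc=com", {"uid": ["alice"]}),  # outside User Base
    (f"cn=metl-users,{GROUPS}", {"cn": ["metl-users"], "member": [ALICE, BOB]}),
    (f"cn=metl-admins,{GROUPS}", {"cn": ["metl-admins"], "member": [ALICE]}),
    # Right name, wrong subtree: outside Role Base, so it must grant nothing.
    ("cn=metl-api,ou=scratch,dc=example,dc=com", {"cn": ["metl-api"], "member": [BOB]}),
]

def under(dn, base):
    """True if dn sits below base in the tree (case-insensitive suffix match)."""
    return dn.lower().endswith("," + base.lower())

def roles_for(username, realm=REALM, directory=DIRECTORY):
    """Find the user under User Base, then collect Role Name values of matching groups."""
    users = [dn for dn, attrs in directory
             if under(dn, realm["user_base"])
             and username in attrs.get(realm["user_search"], [])]
    if len(users) != 1:          # unknown or ambiguous login: no roles
        return set()
    return {name for dn, attrs in directory
            if under(dn, realm["role_base"])
            and users[0] in attrs.get(realm["role_search"], [])
            for name in attrs.get(realm["role_name"], [])}

def privileges(username, realm=REALM, directory=DIRECTORY):
    """Map directory roles onto the four role parameters of the form."""
    roles = roles_for(username, realm, directory)
    return {key: realm[key] in roles for key in
            ("metl_access", "metl_server_admin", "metl_global_project_admin", "api")}

if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, privileges(name))
```

In this model a group with the expected name only counts when it sits under Role Base, which is why the base parameters deserve the same review as the role names themselves.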
Remove user: Any user that has logged into a Matillion ETL instance is stored in the Access Control List on the Manage Project window and will remain there even after logging out. To remove a user from the Access Control List, click the x to the right of the user's name. If currently logged in, this user will be forced to log out and disconnect from the instance.
Once saved, the server will need to be restarted for the configuration to take effect. This can be done by clicking Admin → Restart Server in the top right corner of the screen.
If any issues occur during user configuration, please refer to Reverting from External to Internal Security for more details.