User Configuration


Overview

User Configuration allows Matillion ETL instance admins to define the user list for that instance, along with some basic permissions for those users. To open the User Configuration pop-up window, click Admin → User Configuration in the top right corner of the screen.

The primary decision admins will need to make is what type of security will be used: Internal, External or None.


None

When None is selected, the Matillion ETL instance provides essentially no control over who can access it. As a best practice, this option is never recommended, especially for users whose instances are publicly available.

No User Configuration


Internal

When Internal is selected, the Matillion ETL instance uses an instance-based database of usernames, passwords and privileges. Users can be added, removed and modified in the Manage Users tab.

Please Note

Via the OpenID Connect Login tab, internal users may also be configured using an OpenID and connected to an internal user profile.

Internal User Configuration

  • Add user: Click + in the bottom left of the pop-up window.

  • User roles: Users can be configured into the following roles:

    • Server Admin: this role allows the user access to the Admin menu and all admin-related features therein.
    • API: this role allows the user to use the Matillion v0 and v1 APIs.
    • Global Project Admin: this role allows the user to read and access all projects on the instance regardless of the project's access settings.

  • Remove user: Click to the right of the relevant user's name.

  • Change user's password: Click to the right of the relevant user's name. This will open the Add User pop-up window. From here, enter a username and password, as well as selecting any roles the user will be allowed (optional).

    Please Note

    Passwords entered via the User Configuration pop-up window are displayed in plaintext but are stored as SHA512 hashes. If manually editing a password, either via the database or the API, the desired password must be supplied as a SHA512 hash. Plaintext passwords can never be recovered by any means.

Add User


External

When selecting External, the Matillion ETL instance will link to an existing directory server—for example OpenLDAP (Lightweight Directory Access Protocol) or Microsoft Active Directory.

Please Note

Opting to use External security will prevent existing users configured in Internal security from logging in.

External User Configuration

  • Add user: Users are configured by completing the Set Realm Parameters form, which uses LDAP integration to grant and prevent access to users on a Matillion ETL instance:

    Parameter | Description
    Connection Name | The name of a user to make the initial bind to the directory (for Active Directory, include a realm using the form "user@REALM"), for example exampleuser@EXAMPLE.COM
    Connection Password | The password for the user to make the initial bind to the directory
    Encryption Key | A list of KMS keys that the user has access to that are used to encrypt connection passwords
    Connection URL | The location of the directory server, using one of these forms: ldap://<hostname>:389 for non-SSL, ldaps://<hostname>:636 for SSL
    User Base | The part of the directory tree to begin searching for users
    User Search | The attribute to search for user names
    Role Base | The part of the directory tree to begin searching for groups / roles (often the same place as users)
    Role Name | The name of the attribute containing the role name
    Role Search | How to find all the roles for a user
    METL Access | The role a user must be a member of to gain access to the Matillion ETL application
    METL Server Admin | The role a user must be a member of to gain access to the Matillion ETL administration page (this can be different to the METL Role Name)
    METL Global Project Admin | The role a user must be a member of to gain access to the Matillion ETL project administration (this can be different to the METL Role Name)
    API | The role a user must be a member of to gain access to the Matillion ETL API (this can be different to the METL Role Name)
  • Remove user: Any user that has logged into a Matillion ETL instance is stored in the Access Control List on the Manage Project window and will remain there even after logging out. To remove a user from the Access Control List, click the x to the right of the user's name. If currently logged in, this user will be forced to log out and disconnect from the instance.

Please Note

Once saved, the server will need to be restarted for the configuration to take effect. This can be done by clicking Admin → Restart Server in the top right corner of the screen.
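
A check that can be run over the Set Realm Parameters values before saving them, given here as an added example that is not Matillion's code. The `audit_realm` function, the `active_directory` flag, the dict layout and all sample values are assumptions made for illustration; only the parameter names and the two URL forms come from the table above.

```python
from urllib.parse import urlsplit

# Parameters from the table above that grant more than basic login.
PRIVILEGED = ("METL Server Admin", "METL Global Project Admin", "API")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def audit_realm(params, active_directory=False):
    """Return findings for one set of realm parameters (dict keyed by parameter name)."""
    findings = []
    url = urlsplit(params.get("Connection URL", ""))
    if url.scheme not in DEFAULT_PORT:
        findings.append("Connection URL: expected ldap://<hostname>:389 or ldaps://<hostname>:636")
    else:
        if url.scheme == "ldap":
            findings.append("Connection URL: non-SSL form; prefer ldaps:// so the bind is encrypted")
        other = "ldaps" if url.scheme == "ldap" else "ldap"
        if url.port == DEFAULT_PORT[other]:
            findings.append(f"Connection URL: port {url.port} is the default for {other}://, not {url.scheme}://")
    # The page asks for user@REALM when the directory is Active Directory.
    if active_directory and "@" not in params.get("Connection Name", ""):
        findings.append("Connection Name: Active Directory bind user should use the user@REALM form")
    # If a privileged mapping reuses the METL Access role, every user who can log in holds it.
    # Case-insensitive comparison is an assumption about how the directory matches group names.
    access = params.get("METL Access", "").strip().casefold()
    for name in PRIVILEGED:
        if access and params.get(name, "").strip().casefold() == access:
            findings.append(f"{name}: same role as METL Access, so all users with access also get it")
    return findings

# Constructed sample values, not taken from a real instance.
WEAK = {
    "Connection Name": "exampleuser",
    "Connection URL": "ldap://ldap.example.com:389",
    "METL Access": "metl_users",
    "METL Server Admin": "metl_users",
    "METL Global Project Admin": "metl_project_admins",
    "API": "metl_users",
}
HARDENED = {
    **WEAK,
    "Connection Name": "exampleuser@EXAMPLE.COM",
    "Connection URL": "ldaps://ldap.example.com:636",
    "METL Server Admin": "metl_server_admins",
    "API": "metl_api",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_realm(cfg, active_directory=True) or "no findings")
```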

Error

If any issues occur during user configuration, please refer to Reverting from External to Internal Security for more details.