Authorisation and Authentication

Authorisation and Authentication

Authorisation and authentication

Matillion ETL comes with different admin settings and permissions to control user access to various parts of Matillion.

The Admin Menu button can be found at the top-right of Matillion ETL.

The administrator can choose from two login options for users:

INTERNAL uses an internal database of usernames and passwords. In Security Configuration -> +, enter a username and password for the user. To enable admin access for the user, tick the "Admin" checkbox. To remove a user, click "X".

EXTERNAL is used for linking to an existing directory server (e.g. Microsoft Active Directory or OpenLDAP). External security prevents logins using the existing users in Internal Security.

For more information, see here.

A third authentication mode, NONE, means the instance requires no login and can be directly accessed by anyone on the network.

There are different admin levels that give varying degrees of access and control:

Project Admins can edit the project. This includes creating passwords and OAuths, and creating and managing jobs. Clicking "Manage Project" will bring up a list of users that can be assigned Public Access (project visibility), and Project Administration. Non-project Admins but User Admins can access a project if they have access to it. A User Admin has access to the Admin Menu on the top right side of Matillion, and overrides the "Manage Project" settings. A User Admin controls what other users can do (see Permissions), manages the developers' access to features, and can create more users and SSLs.

Admin menu

When a User is a member of multiple Groups and has conflicting Permissions, a Grant permission takes precendence over Forbid. When a user is not a member of any Group, they are a member of the Matillion role and have all non-Admin and non-API permission through Matillion. Once you add that User to a Group, any Forbid privileges take precedence over the broad privileges granted by the default Matillion role. To sum up: the Admin role takes priority over Permissions assigned from Group membership.

OpenID Setup

Through the Admin Menu, you can allow OpenID logins from a particular provider. Only a single provider can be used at any given time. For more information, see here.


Permissions is an Enterprise-only feature. It allows admins to determine what parts of the client each user has access to. Each group has a defined set of permissions that allow or restrict access to specific parts of Matillion ETL. For more information, see here.

Create Project

A Project is a group of configuration settings and resources (such as a jobs) required to use Matillion ETL. When you first log in the instance you'll need to create a Project. The Project menu can be accessed via the button on the top left of Matillion ETL. There you can manage the Project and use various features such as export/import, managing environments, and managing credentials, passwords and OAuth.

Accessing the Matillion ETL Client (Amazon EC2)

After launching Matillion ETL from the AWS marketplace, you'll need some details of your EC2 instance to log into your Matillion ETL client. Browse to the EC2 Management Console of your AWS account (or browse to Services -> EC2 -> Instances). Select the running instance that hosts your Matillion ETL client. You will need to take note of the IP or Public DNS, and Instance ID. For more detailed instructions, see here.

Accessing the Matillion ETL Client (Google Cloud Platform)

After launching a Matillion ETL instance on Google Cloud Platform, log into Google Cloud console and browse to VM instances. Click on the instance you wish to access, and look for the Primary Internal and External IP addresses, to access the instance through your browser. For more detailed instructions, see here.

Accessing the Matillion ETL Client (Microsoft Azure)

After launching Matillion ETL, log into the Azure Portal, browse Virtual Machines, and select the VM. You can find your new instance through its listed Public IP Address. Your first login to Matillion will use the credentials from Azure. For more detailed instructions, see here.

LDAP Integration

It is also possible to authenticate users against an Active Directory or other LDAP directory server. Matillion supports three roles that allow a user to access specific aspects of the product:

  1. Emerald: This role allows access to the ETL interface. Typically all users have this role.
  2. Admin: This role allows a user to access the Admin page.
  3. API: This role allows a user to use the Matillion ETL API.

We recommended taking a snapshot of your instance prior to making changes and restore it if required.

For more information on the details you need from your LDAP/Domain, see here.

Cloud Platform Roles & Permissions

IAM Roles & Permissions (AWS)

IAM (Identity and Access Management) lets you manage access to different AWS services and resources. You can manage user and groups, giving them various permissions. These are managed in your AWS admin console.

There are two ways you can give access to Matillion ETL: with instance credentials (specifying an IAM Role for the EC2 instance at launch time), and with existing user defined credentials. You can also attach different Managed Policies to the role you are using, to have coarse-grained access control. For fine-grained access control, there are many IAM privileges which Matillion can require. These include EC2, KMS, RDS, SQS, CloudWatch, and Lambda actions. For more information, see here.


Roles & Permissions (Azure)

For Matillion ETL to detect Azure Blob Storage containers, you may need to input additional credentials. You can either use Instance Credentials or User Defined Credentials (getting your credentials from Azure and entering them into Matillion). For Matillion ETL to access Azure resources, you are required to provide a Tenant ID, which is unique to your Azure account, a Client ID, and Secret Key.

For more information on setting up and locating these credentials, see here.

IAM Roles & Permissions (Google Cloud Platform)

GCP credentials are needed for Matillion to access Google Cloud Platform services, including Cloud Storage buckets, and KMS. You'll need to give permission through the GCP admin console, and enter it into the Matillion ETL instance via Project -> Manage Credentials. See here for more information.

Matillion ETL uses the admin BigQuery role, and the Storage admin role. For more information on IAM Roles & Permissions for GCP, see here.