The User Configuration dialog in the Admin Menu allows Matillion ETL instance admins to define the user list for that instance along with some basic permissions for those users.
Note: Passwords used here are given in Plaintext but are stored as SHA512 hashes. If you are manually editing a password either by manually editing the database or via the API, you must supply the desired password as a SHA512 hash. Plaintext passwords are never recoverable by any means.
The primary decision admins need to make is what type of security they are looking to use; Internal, External or None.
Selecting this means there is essentially no Matillion ETL solution for instance security in terms of who can access your instance. This is not recommended for users whose instances are publically available and we would always advise using a security measure as best practice.
The 'Internal' option uses an internal (instance-side) database of username, passwords and privileges. You can add remove and modify users in the Security Configuration section.
- Server Admin: User has access to the Admin menu and all admin-related features therein.
- API: User can use the Matillion v0 and v1 APIs.
- Project Admin: Can see and access all Projects on this instance regardless of the Project's access settings.
To change the user's password: select the padlock icon by the appropriate username.
To Remove a user: click the X icon by the appropriate username. A removed user is forced to log out and disconnect from the instance.
To add a user, click the + icon underneath the list of usernames; this will create a new 'Add User' dialog box. Enter a username and password for the user (required) and select any Roles they are allowed (optional).
The 'External' option is used for linking to an existing directory server (e.g. OpenLDAP (Lightweight Directory Access Protocol) or Microsoft Active Directory).
Note: Opting to use External Security will prevent logins using the existing users in Internal Security.
Completing the 'Set Realm Parameters' form will allow you to use LDAP to grant and prevent access to users on your Matillion ETL instance. Sample values below are for an Active Directory server running for the realm EXAMPLE.COM.
|Connection Name||The name of a user to make the initial bind to the directory.
For active directory, that will include a realm using the form "user@REALM"
|Connection Password||The password for the user to make the initial bind to the directory.|
|Encryption Key||A list of KMS keys that the user has access to that are used to encrypt connection passwords.|
The location of the directory server, using one of the forms below:
For non SSL - ldap://<hostname>:389
For SSL - ldaps://<hostname>:636
|User Base||The part of the directory tree to begin searching for users.
|User Search||The attribute to search for user names.
|Role Base||The part of the directory tree to begin searching for groups/roles - often the same place as users.
|Role Name||The name of the attribute containing the role name.
How to find all the roles for a user.
|METL Role Name||The role a user must be a member of to gain access to the Matillion ETL application.|
|METL Admin Role Name||The role a user must be a member of to gain access to the Matillion ETL administration page - this can be different to the METL Role Name but is not required to be.|
Once the configuration is Saved, you will need to restart the server to take effect - use the Restart Server button on the top-right of the screen.
Remove User: Any user that logs into this Matillion ETL instance is stored in the Access Control List and will persist there even after logging out. To remove a user from the ACL, use the X button beside that user's name. If currently logged in, the removed user will be forced to log out and disconnect from the instance.