2. Users and Groups
In this section, you will learn:
- How different user roles impact capabilities
- How to manage users
- How to manage groups
User roles
The way you add users to Connect will depend on the authentication mechanism your environment is configured with, the Admin Guide has steps for each supported authentication integration. All users on Connect will have one of three roles:
Administrator
Publisher
Viewer
Below you’ll see the default capabilities of each role:
| Administrator | Publisher | Viewer | Configurable? | |
|---|---|---|---|---|
| Typical Persona | IT System Administrator, Data Science Leader | Data Scientist, Analyst | Business User | |
| Can add users, set user roles, and manage groups | ✅ | ❌ | ❌ | It is possible to allow publishers to add users and own groups. |
| Publish Content to the Server | ✅ | ✅ | ❌ | It is possible to restrict publishing to admins. |
| View Content on the Server | ✅ (when content permissions grant them access) | ✅ (when content permissions grant them access) | ✅ (when content permissions grant them access) | |
| Create tags | ✅ | ❌ | ❌ | |
| Manage Content settings (e.g. manage permissions for views & collaborators, Add tags, change runtime settings) | ✅ (All content, actions audited when content permissions overridden) | ✅ (Content they publish or collaborate on) | ❌ | |
| Set Vanity URL for content, change RunAs setting for content | ✅ | ❌ | ❌ | It is possible to allow publishers or collaborators to set Vanity URLs on their content |
| See a list of existing users | ✅ | ✅ | ✅ | It is possible to restrict viewers from seeing a list of users |
User Management
Users can be managed from the user interface, from the Connect API and from the usermanager CLI tool. Certain actions like user deletion can only be done using the CLI tool.
When a user leaves the organization or no longer needs access to Connect it is recommended that you lock that user’s account, so that the individual is no longer able to access Connect. A locked user does not count towards your Named User license count. Locking a user also does not remove or alter content deployed by that user, so content that others depend on remains operational.
You can also delete a user account from Connect using the usermanager CLI tool, this will delete all content and groups owned by that user, and will leave any audit information associated with that user without a reference.
Connect API
The Connect API can do several user management tasks including listing, creating, updating and locking user accounts. Refer to the Users section of the API documentation for more details on the endpoints available.
To learn more about managing users using the Connect API refer to the Connect API Cookbook Users Section.
usermanager CLI
The usermanager CLI tool can do several user management tasks including listing users, deleting a user account, or transferring content ownership between users. This tool can be used while Connect is up and running if you are using a PostgreSQL database but the service must be stopped if you are using an SQLite database to support the service.
Group Management
Groups can be used to grant viewer or collaborator access to content. Groups can be managed either locally in Connect or remotely via your authentication provider.
Local groups are configured by admins in the People tab of Connect user interface or by using the Connect API. Remote groups from a supported authentication provider can also be added in the People tab, the group information for a user will be updated when a user logs in.
To learn more about managing groups using the Connect API refer to the Connect API Cookbook Groups Section.
Exercise
🚀 Launch the exercise environment!
In the exercise environment you will get experience:
- Exploring user and group permissions
- Locking and deleting a user
- Transferring content between users
- Creating a group and adding a user
- Assigning permissions for a group for a piece of content
Go to: 3. Publishing Content