Access Roles

In this article
  • Access Roles
  • Role-Based Model
  • Platform Module
  • ClickHouse Module
  • Monitoring Module
  • Active Directory Module
  • Business Intelligence Module
  • Automation Module
  • Predefined Access Roles
  • Additional Information on Access Roles
  • API Key Access Rights

The Access Roles page is used to create access roles for system functionality.

Access Roles page

Each access role can be assigned a unique name and configured with privileges.

You can change the access role name in its profile on the General tab.

Access role name

The Administrator and Information Security Administrator roles are predefined in the system.

If needed, you can also create custom roles with different capability levels.

Note
  • You cannot create custom privileges.
  • Not all access operations are available for some privileges.

Examples:

  • Business Administrator — has extended access to workspaces, automation, ClickHouse data, and all employees and their settings. However, unlike the Administrator and Information Security Administrator, this role does not have access to global system settings, such as access roles, synchronization settings, or authentication configurations
  • Data Analyst — can create workspaces and dashboards, work with ClickHouse data and automation. The Data Analyst can view all system users but cannot modify their settings
  • Business Analyst — can create dashboards and view ClickHouse data and other users’ dashboards
  • Employee (or user) — a regular user who can view only the dashboards and employees to which they have been granted access

Role-Based Model

The role-based model provides the following access controls for users:

  • To system functionality
  • To user data
  • To analytical reports
  • To the GraphQL tool (API)

Each system user can be assigned access roles, available users, and data workspaces. The user’s possible actions in the system are determined by the set of assigned privileges.

For each access role, a set of allowed access operations is defined for a group of specific objects. A user can be assigned more than one access role. As a result, the user receives the rights of each assigned role. The following access operations are available for assignment:

  • R — Read
  • W — Write
  • C — Create
  • D — Delete
  • E — Execute

It is not possible to assign access roles to API Keys. For each API Key, access privileges are assigned separately. The available operations are:

  • R — Read
  • W — Write
  • C — Create
  • D — Delete
  • E — Execute

The access control system is closed by default: initially, no object is accessible to anyone. Which access privileges are available depends on the connected modules. The privileges of each module are listed in the tables below.

Platform Module

Privilege | Purpose | Actions

Access Roles privilege
Purpose: Controls access role configuration in the system. In the web interface, parameter configuration is performed at: Settings/Administration/Access Roles. Assignment of this privilege to API Keys is not possible.
Actions:
R operation provides access to view:
1. Access Roles section: list of created roles and access role profile (name and privileges)
2. Users section, user profile, Access tab: list of access roles created in the system (if the user also has the Users access privilege with W – Write)
W operation provides access to:
1. Modify the name and configure the role in the access role profile
C operation provides access to create:
1. Access roles
D operation provides access to delete:
1. Access roles

API Keys privilege
Purpose: Controls configuration of API Keys used for external and internal integrations. In the web interface, parameter configuration is performed at: Settings/Administration/API Keys.
Actions:
R operation provides access to view:
1. List of API Keys and their profiles (name, key value, authentication mode, workspace access, privileges)
W operation provides access to:
1. Modify the key name and workspace access, and configure key privileges in the Key Profile tab
C operation provides access to:
1. Create an API Key and upload a certificate if the secure key type is selected
D operation provides access to:
1. Delete a key

Authentication privilege
Purpose: Controls authentication parameter configuration in the system. In the web interface, parameter viewing and configuration is performed at: Settings/Administration/Authentication.
Actions:
R operation provides access to view:
1. Authentication section: list of authentications (type Built-in and others) and authentication profile (type Built-in)
2. Authentication profile: name, type, complex password (Minimum password length, if Complex password: On), password expiration, login attempt limit
3. Users section: authentications in the user list (if the Users access privilege R – Read is enabled)
4. Users section, user profile, Access tab: Authentication parameter (if the Users access privilege R – Read is enabled), list of authentications created in the system (if the Users access privilege W – Write is enabled)
W operation provides access to modify:
1. In the Built-in authentication profile: name, complex password (Enabled/Disabled), minimum password length, password expiration, allowed login attempts
2. In the Kerberos authentication profile: name, authentication type, key (.keytab), key distribution center address, attribute mapping by field
C operation provides access to create:
1. Authentication
D operation provides access to delete:
1. Authentication

General Settings privilege
Purpose: Controls the Initial format parameter and access rights to automation agent parameters. In the web interface, parameters are available at Settings/Administration/Additional settings and Settings/Data processing/Automation agents.
Actions:
R operation provides access to view:
1. Additional settings section (initial format)
2. About the System page
3. Automation agents section and agent statuses
W operation provides access to:
1. Modify the Additional settings section (initial format)
2. Connect/disconnect automation agents in the Automation agents section

Outgoing Mail Server privilege
Purpose: Controls configuration of the system mail server. Parameter configuration is performed in the web interface at: Settings/Connections/Outgoing mail server.
Actions:
R operation provides access to view:
1. In the Connection tab: email address, server address, connection port, encryption, username
2. In the Contacts tab: email address and phone number
W operation provides access to modify:
1. In the Connection tab: email address, server address, connection port, encryption (Disabled/SSL/TLS), username, password
2. In the Contacts tab: email address and phone number
E operation provides access to:
1. Test the connection

Users and Departments privilege
Purpose: Controls access rights to Users, General user profile, Department profile, and Activity collection sources. Only users and parameters to which the user has access are displayed in the user list. In the web interface, parameter configuration is performed at: Settings/Administration/Users.
Actions:
R operation provides access to view:
1. Users section: list of users and departments, user profile (first name, last name, system language, department, personnel number, email, phone number, custom fields), department profile (department name and location)
2. Information about users with Active Directory security groups via GraphQL query
W operation provides access to:
1. Merge users and departments in the Users section
2. Modify user profile (first name, last name, system language, department, personnel number, email, phone number, custom field data), department profile (department name and location)
C operation provides access to create:
1. Users and departments
With the Users access privilege (W) and the Authentication privilege (W), the user can also assign authentication and enable the Access to all users setting in the user profile
D operation provides access to delete:
1. Users and departments

Users Access privilege
Purpose: Controls the ability to configure user access in the system.
Actions:
R operation provides access to view:
1. In the user profile, Access tab: assigned access roles, authentications (if the Authentication privilege R – Read is enabled), Access to all users setting (Enabled/Disabled), available users (if the Access to all users parameter is disabled)
2. System variables in the formula editor and data input methods for script execution
W operation provides access to modify:
1. Access roles (allows removing and assigning access roles if the user also has the Access Roles privilege R – Read), login, authentications (allows removing or adding authentications if the Authentication privilege W – Write is enabled), available users, set or reset password (if the user also has the Authentication privilege W – Write)
E operation provides access to:
1. Send invitations

GraphQL Tool privilege
Purpose: Controls access to the GraphQL tool in the system. Assignment of this privilege to API Keys is not possible.
Actions:
E operation provides access to:
1. Use the GraphQL tool

Tag Settings privilege
Purpose: Controls creation, configuration, and deletion of tags in the system. In the web interface, parameter configuration is performed at: Settings/Administration/Tags.
Actions:
R operation provides access to view:
1. List of tags and tag profile (tag name and color)
W operation provides access to modify:
1. Tag profile (tag name and color)
C operation provides access to create:
1. Tags
D operation provides access to delete:
1. Tags

Service Mode privilege
Purpose: Controls system access when the Service Mode system state is enabled.
Actions:
R operation provides access to:
1. Log in to the system when Service Mode is enabled

User Fields privilege
Purpose: Controls the User Fields section.
Actions:
R operation provides access to view:
1. List of fields in the User Fields section
W operation provides access to edit:
1. Fields in the User Fields section
C operation provides access to create:
1. Custom fields in the User Fields section
D operation provides access to delete:
1. Custom fields in the User Fields section

Prometheus Metrics privilege
Purpose: Controls collection and transmission of Prometheus metrics. This privilege cannot be applied to access roles and can be assigned only to API Keys.
Actions:
R operation provides access to view:
1. Collected metrics

License Management privilege
Purpose: Controls access to the License Management section.
Actions:
R operation provides access to view:
1. List of keys and total license count in the Overview tab
C operation provides access to activate:
1. License keys

ClickHouse Module

Privilege | Purpose | Actions

Storages privilege
Purpose: Controls connection configuration in the Data Storages settings section.
Actions:
R operation provides access to view:
1. List of created connections and their settings
W operation provides access to modify:
1. List of created connections and their settings, user access to create workspaces on the selected connection
C operation provides access to create:
1. ClickHouse connection in the Data Storages section
D operation provides access to delete:
1. ClickHouse connection in the Data Storages section

Monitoring Module

Privilege | Purpose | Actions

Monitoring Settings privilege
Purpose: Controls access to monitoring parameters.
Actions:
R operation provides access via GraphQL queries to retrieve:
1. List of data collected by the monitoring agent, current monitoring agent version, activity sources list, Activity collection parameter status for a specific employee, monitoring agent logging level
W operation provides access to:
1. Re-process activity data with the option to delete the file in case of error
2. Assign an activity source to a specific employee

Monitoring Filters privilege
Purpose: Controls configuration of monitoring filters (include and exclude lists).
Actions:
R operation provides access to view tabs:
1. Filter configuration, include list, exclude list
W operation provides access to modify:
1. Filter mode (disabled, include list, exclude list), activity in the include list, activity in the exclude list
C operation provides access to add:
1. Activity to the include and exclude lists
D operation provides access to delete:
1. Activity from the include and exclude lists

Export/Import User Activity privilege
Purpose: Allows exporting and importing user activity via API.
Actions:
E operation provides access to execute:
1. GraphQL queries for exporting and importing user activity

Download Monitoring Agent privilege
Purpose: Controls access to downloading the monitoring agent distribution in the system.
Actions:
E operation provides access to:
1. Download the agent

Monitoring Agent privilege
Purpose: Controls connection between the monitoring agent and the system server. This privilege cannot be applied to access roles and can be assigned only to API Keys.
Actions:
R operation provides access to retrieve:
1. Current monitoring agent version, monitoring agent distribution for update, monitoring agent settings, user full name by ID, list of supported agent data protocols, Monitoring parameter value for users, monitoring filters list, research settings, screenshot blurring parameter in the configuration file
W operation provides access to:
1. Upload activity data from the monitoring agent, upload monitoring agent dump files
2. Create users

Research privilege
Purpose: Controls access to research.
Actions:
R operation provides access to:
1. View research, research settings, screenshot blurring value in the configuration file
2. Download screenshots by UUID via URL
W operation provides access to:
1. Modify research settings
*Adding employees is possible if the user has the Users and Departments privilege with R or W access
2. Start/stop research
C operation provides access to add:
1. Research
D operation provides access to delete:
1. Research

Active Directory Module

Privilege | Purpose | Actions

User Directory Synchronization privilege
Purpose: Controls management of Active Directory and other integration settings in the User Synchronization section.
Actions:
R operation provides access to view:
1. List of synchronizations and their profiles, including settings: integration name, automatic synchronization, synchronize by field in the system, synchronize by attribute in AD, disable access when disconnected in AD, disable access if source is missing, enable access when connected in AD, depersonalize when deleted from AD, synchronization time, list of controllers and their parameters (connection protocol, certificate, address, username, password, description), list of domain objects, primary attribute mapping parameters: attribute in AD and field in the system
2. List of prioritization conditions
W operation provides access to modify:
1. Integration name, connection protocol, certificates, domain controller address, username, password, disable access when disconnected in AD, enable access when connected in AD, depersonalize when deleted from AD, domain objects, synchronized attributes, Active Directory user profile synchronization, primary attribute mapping (field in system and attribute in AD)
2. Source prioritization in the Prioritization tab
C operation provides access to create:
1. Integrations, domain controllers, domain objects, synchronized attributes, prioritization conditions
D operation provides access to delete:
1. Integrations, certificates, domain controllers, domain objects, synchronized attributes, prioritization conditions
E operation provides access to execute:
1. Connection testing and synchronization

Business Intelligence Module

Privilege | Purpose | Actions

Workspace privilege
Purpose: Controls workspace access rights.
Actions:
R operation provides access to:
1. View workspaces, dashboards, tables in Data Model, links, global workspace indicators, and the General tab
2. View all folders and nested folders and workspaces
3. Add workspaces to favorites and remove them (drag-and-drop supported)
4. View recent workspaces
5. View, add, rename, and delete bookmarks
6. Add workspaces to bookmarks
W operation provides access to:
1. View dashboards, scripts, Data Model, tables, processes, and connections
*Working with connections is possible if the user has the Connections privilege with R or W operations
2. Rename workspaces, add and modify description
3. Create, delete, and edit dashboards, scripts, Data Model, processes, connections, and global workspace indicators
4. Import and export tables from Data Model
5. Assign access in workspaces
*Access assignment is possible if the user has the Users and Departments privilege with R or W access
6. View packages in workspaces, add and remove them. Addition is possible both from Marketplace and via manual configuration import
7. Work with Execution Log
8. Create folders in the root section and subfolders, rename folders, move folders and workspaces between folders using the mouse
*Granting the W (Write) operation automatically enables the R (Read) operation for the user
C operation provides access to:
1. View all folders and nested folders
2. Create workspaces (requires the Storages privilege)
*After workspace creation, the user who created it automatically receives local write access (W) to it
D operation provides access to:
1. Move workspaces to trash and restore them via drag-and-drop
*Requires local write access or W operation of the Workspace privilege
2. Permanently delete workspaces from trash
*Requires local write access or W operation of the Workspace privilege
3. Delete folders by dragging their contents to trash
*Requires W operation of the Workspace privilege
E operation provides access to:
1. Duplicate workspaces
*Requires local write access or W operation of the Workspace privilege, and the Storages privilege
2. Export workspaces
*Requires one of the following: local write access or W operation of the Workspace privilege

Component Export privilege
Purpose: Allows exporting widget data from dashboards.
Actions:
E operation provides access to:
1. Export data from Table and Pivot Table widgets in .csv format

Marketplace privilege
Purpose: Allows uploading packages to the Marketplace. This privilege is available only in the standalone version.
Actions:
C operation provides access to:
1. Upload packages
D operation provides access to:
1. Delete packages

Applications privilege
Purpose: Allows installing applications from Marketplace.
Actions:
C operation provides access to:
1. Install applications
D operation provides access to:
1. Delete applications

Local Access (assigned to a specific workspace)

Access | What the access grants within a workspace

View access grants:
1. View workspaces, dashboards, tables in Data Model, links, global workspace indicators, and the General tab
2. View folders to which workspace access is granted
3. View, add, rename, and delete bookmarks
4. Add workspaces to bookmarks
5. View recent workspaces
6. Add workspaces to favorites and remove them (drag-and-drop supported)

Edit access grants:
1. View dashboards, scripts, Data Model, tables, processes, and connections
*Working with connections is possible if the user has the Connections privilege with R or W operations
2. Rename workspaces, add and modify description
3. Import and export tables from Data Model
4. Assign access in workspaces
*Access assignment is possible if the user has the Users and Departments privilege with R or W operations
5. View packages in workspaces, add and remove them
6. Work with Execution Log
7. Move workspaces to trash and restore them via drag-and-drop
*Requires the Workspace privilege with D operation
8. Duplicate workspace
*Requires the Workspace privilege with E operation and the Storages privilege
9. Export workspace
*Requires the Workspace privilege with E operation
10. Move workspace between folders using the mouse
11. View folders to which workspace access is granted
12. View, add, rename, and delete bookmarks
13. Add workspace to bookmarks
14. View recent workspaces
15. Add workspaces to favorites and remove them (drag-and-drop supported)

Create dashboards access grants:
1. Create dashboards in the workspace (dashboard edit access is automatically assigned upon creation)
2. View created dashboards and Data Model
3. View folders to which workspace access is granted
4. View, add, rename, and delete bookmarks
5. Add workspace to bookmarks
6. View recent workspaces
7. Add workspaces to favorites and remove them (drag-and-drop supported)

Local Dashboard Access

Access | Capabilities

Read access grants:
1. View available dashboards in the workspace
2. View workspaces to which dashboard access is granted
3. View recent workspaces
4. Add workspaces to favorites and remove them (drag-and-drop supported)
5. View folders to which workspace access is granted
6. View, add, rename, and delete bookmarks
7. Add workspace to bookmarks

Edit access grants:
1. View available dashboards in the workspace, Data Model, and General tab
2. View workspaces to which dashboard access is granted
3. Edit dashboards
4. View recent workspaces
5. Add workspaces to favorites and remove them (drag-and-drop supported)
6. View folders to which workspace access is granted
7. View, add, rename, and delete bookmarks
8. Add workspace to bookmarks

Access Matrix

Action                                        Operations
View workspace and folders                    R
Add to favorites and remove from favorites    R
View recent workspaces                        R
View, add, rename, and delete bookmarks       R
Add workspace to bookmarks                    R
Edit workspace                                R, W
Import and export tables from Data Model      R, W
Assign workspace access                       R, W and Users and Departments privilege
Create folders                                R, W
Move folders                                  R, W
Move workspaces between folders               R, W
Rename folders                                R, W
Create workspace                              C and Storages privilege
Move workspace to trash                       R, W, D; or D and local edit access to workspace
Move folders to trash                         R, W, D
Delete workspaces from trash                  R, W, D; or D and local edit access to workspace
Restore workspaces from trash                 R, W, D; or D and local edit access to workspace
Duplicate workspace                           R, W, E and Storages privilege; or E, local edit access to workspace, and Storages privilege
Export workspace                              R, W, E; or E and local edit access to workspace
Import workspace                              Import when creating workspace: C and Storages privilege. Import into existing workspace: R, W or local edit access to workspace
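As an added example (not the product's own code), the following Python models the Role-Based Model section above together with the Workspace rows of the Access Matrix: operations are the R/W/C/D/E letters, a user's effective rights are the union over all assigned roles, nothing is granted by default, and the compound matrix conditions (global operations, or D plus local edit access) become predicates. The sample roles, user names and workspace ids are constructed, and the Storages operation required for workspace creation is assumed to be R because the page does not name it.

```python
from dataclasses import dataclass, field

OPERATIONS = frozenset("RWCDE")   # the five access operations defined on this page


@dataclass
class Role:
    name: str
    privileges: dict[str, set[str]]          # privilege name -> granted operations


@dataclass
class User:
    name: str
    roles: list[Role] = field(default_factory=list)
    # Local (per-workspace) access: workspace id -> "view", "edit" or "create_dashboards".
    local_access: dict[str, str] = field(default_factory=dict)


def effective(user: User) -> dict[str, set[str]]:
    """Union of every assigned role's operations, per privilege (closed by default)."""
    merged: dict[str, set[str]] = {}
    for role in user.roles:
        for priv, ops in role.privileges.items():
            unknown = set(ops) - OPERATIONS
            if unknown:
                raise ValueError(f"role {role.name!r}: unknown operation(s) {sorted(unknown)}")
            merged.setdefault(priv, set()).update(ops)
    # Per the Workspace privilege notes, granting W automatically enables R.
    if "W" in merged.get("Workspace", set()):
        merged["Workspace"].add("R")
    return merged

def has(user: User, priv: str, ops: str) -> bool:
    """True only if the user holds every operation in `ops` on `priv`."""
    return set(ops) <= effective(user).get(priv, set())

def has_any(user: User, priv: str, ops: str) -> bool:
    return bool(set(ops) & effective(user).get(priv, set()))

def local_edit(user: User, ws: str) -> bool:
    return user.local_access.get(ws) == "edit"

# Rows of the Access Matrix, written as predicates over (user, workspace).
def can_view_workspace(u: User, ws: str) -> bool:
    return has(u, "Workspace", "R") or ws in u.local_access

def can_edit_workspace(u: User, ws: str) -> bool:
    return has(u, "Workspace", "RW") or local_edit(u, ws)

def can_create_workspace(u: User) -> bool:
    # "C and Storages privilege": the page does not name the Storages operation, so R is assumed.
    return has(u, "Workspace", "C") and has(u, "Storages", "R")

def can_assign_workspace_access(u: User, ws: str) -> bool:
    # R, W (or local edit access) plus the Users and Departments privilege with R or W.
    return (has(u, "Workspace", "RW") or local_edit(u, ws)) and has_any(u, "Users and Departments", "RW")

def can_trash_workspace(u: User, ws: str) -> bool:
    return has(u, "Workspace", "RWD") or (has(u, "Workspace", "D") and local_edit(u, ws))

# Constructed sample roles: illustrative privilege sets, not the product's predefined roles.
DATA_ANALYST = Role("Data Analyst", {"Workspace": set("WC"), "Storages": {"R"}, "Users and Departments": {"R"}})
EMPLOYEE = Role("Employee", {})                       # no global privileges at all
TRASH_ONLY = Role("Trash Only", {"Workspace": {"D"}})

def demo() -> dict[str, bool]:
    analyst = User("ana", [DATA_ANALYST])
    emp = User("eve", [EMPLOYEE], local_access={"ws1": "view"})
    editor = User("ed", [TRASH_ONLY], local_access={"ws1": "edit"})
    return {
        "analyst_implicit_read": can_view_workspace(analyst, "ws2"),      # W implies R
        "analyst_create": can_create_workspace(analyst),
        "analyst_assign": can_assign_workspace_access(analyst, "ws2"),
        "analyst_trash": can_trash_workspace(analyst, "ws1"),            # no D anywhere
        "employee_view_ws1": can_view_workspace(emp, "ws1"),
        "employee_view_ws2": can_view_workspace(emp, "ws2"),             # closed by default
        "editor_trash_ws1": can_trash_workspace(editor, "ws1"),          # D plus local edit
        "editor_trash_ws2": can_trash_workspace(editor, "ws2"),
        "editor_assign_ws1": can_assign_workspace_access(editor, "ws1"),  # no Users and Departments
    }
```

Assigning a second role to a user only ever widens the effective set, so a user holding all three sample roles ends up with R, W, C and D on Workspace.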

Automation Module

Privilege | Purpose | Actions

Connections privilege
Purpose: Controls access rights to connections.
Actions:
R operation provides access to view:
1. List of available connections and their parameters (name, source, host, port, database name, username, password (Change password button; by default, entered characters are hidden as dots, and clicking the eye icon reveals the entered text), SSL toggle)
W operation provides access to:
1. Modify connection: name, host, port, database name (table selection is limited to the specified database), username, password (by default, entered characters are hidden as dots; clicking the eye icon reveals the entered text), SSL toggle (when enabled): root certificate (certificate upload)
C operation provides access to:
1. Create connections
D operation provides access to:
1. Delete connections

System Tables privilege
Purpose: Controls access to reading and editing the System Tables package block.
Actions:
C operation provides access to:
1. Add the System Tables package block to a script and import a script with the System Tables block

Predefined Access Roles

By default, after system installation, two global access roles are available across modules:

  • Administrator (A)
  • Information Security Administrator (ISA)

The Administrator has extended access to all system settings. They can:

  • Create, modify, and delete:
    • Users, departments
    • Access roles
    • API Keys
    • Authentications
    • Workspaces
    • Active Directory synchronizations, etc.
  • Modify general system settings and monitoring parameters
  • Use the GraphQL tool

The Administrator also has access to service mode.

The Information Security Administrator role is intended for personnel whose primary responsibility is ensuring information security.

The Information Security Administrator performs the following functions:

  • Controls user access provisioning to the system
  • Controls user access rights to system functionality
  • Controls user access rights to system data
  • Identifies unauthorized access events
  • Submits requirements to the system administrator for system configuration changes aimed at implementing information security measures

The Information Security Administrator also has access to the GraphQL tool.

The access privilege matrix for predefined roles is shown in the table below.

Privilege Name                     A        ISA
Access Roles                       RWCD     R
API Keys                           RWCD     R
Authentication                     RWCD     R
General Settings                   RW       R
Outgoing Mail Server               RWE      R
Users and Departments              RWCD     R
Users Access                       RWE      R
GraphQL Tool                       E        E
Tag Settings                       RWCD     R
User Fields                        RWCD     R
Storages                           RWCD     R
Monitoring Settings                RW       R
Monitoring Filters                 RWCD     R
Export/Import User Activity        E        E
Download Monitoring Agent          E        E
Monitoring Agent                   -        -
User Directory Synchronization     RWCDE    R
Service Mode                       R        R
Workspace                          RWCDE    -
Connections                        RWCD     -
System Tables                      C        -
Marketplace                        CD       CD
Applications                       CD       CD
Component Export                   E        -
Prometheus Metrics                 -        -
Research                           RWCD     R
License Management                 RC       -

The Administrator role must have access to all users.

For the Information Security Administrator, selective access is set by default, but you can grant access to all users in the employee profile on the Access tab.

Selective user access means the user has access to a specific list of users. The user list is defined by the customer, and access is granted by the system administrator. Access to all users means access to all users existing in the system.

Additional Information on Access Roles

  • The first system user is assigned the Administrator access role
  • When a new module is installed, no access roles are assigned to anyone in it
  • The access role name must be unique. Assigning the same name to multiple access roles is not possible
  • You cannot delete the Administrator access role
  • Before assigning users as administrators, you must enable Access to all users in their profiles

If only one user remains in the system with a role that has the Access Roles privilege with the W access operation, then:

  • You cannot modify/disable this privilege for that access role
  • The user’s profile in the General tab must have the Email and Password fields filled in (to enable password recovery and authentication)
  • You cannot remove the access role with the Access Roles privilege from this user if it is the last role with this privilege enabled
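An added example (not the product's own code) of enforcing the rules listed above in an administration backend: a change is refused when it would leave no user holding the Access Roles privilege with W, and the Administrator access role cannot be deleted. The user names and the Business Administrator privilege set are constructed; the two predefined roles follow the privilege matrix above.

```python
from copy import deepcopy

# Role table: role name -> {privilege name -> set of operations}.
# Administrator and Information Security Administrator match the privilege matrix above;
# Business Administrator is a constructed custom role that has no Access Roles privilege.
ROLES: dict[str, dict[str, set[str]]] = {
    "Administrator": {"Access Roles": set("RWCD"), "Users Access": set("RWE")},
    "Information Security Administrator": {"Access Roles": {"R"}},
    "Business Administrator": {"Workspace": set("RWCDE")},
}


def access_role_managers(users: dict[str, set[str]], roles=ROLES) -> set[str]:
    """Users that hold the Access Roles privilege with W through at least one role."""
    return {u for u, names in users.items()
            if any("W" in roles[n].get("Access Roles", set()) for n in names)}


def _guard(before: set[str], after: set[str]) -> None:
    # Refuse a change that would leave nobody able to manage access roles (lockout).
    if before and not after:
        raise PermissionError("refused: this would remove the last user with Access Roles W")


def remove_role_from_user(users, user, role, roles=ROLES):
    """Return a new user->roles mapping with `role` removed from `user`, or raise."""
    if role not in users.get(user, set()):
        raise KeyError(f"{user!r} does not hold {role!r}")
    updated = deepcopy(users)
    updated[user] = updated[user] - {role}
    _guard(access_role_managers(users, roles), access_role_managers(updated, roles))
    return updated


def disable_write_on_access_roles(users, role, roles=ROLES):
    """Return a new role table with W dropped from `role`'s Access Roles privilege, or raise."""
    updated = deepcopy(roles)
    updated[role].get("Access Roles", set()).discard("W")
    _guard(access_role_managers(users, roles), access_role_managers(users, updated))
    return updated


def delete_role(role, roles=ROLES):
    """Return a new role table without `role`; the Administrator role is never deletable."""
    if role == "Administrator":
        raise PermissionError("the Administrator access role cannot be deleted")
    updated = deepcopy(roles)
    updated.pop(role)
    return updated


def refused(fn, *args) -> bool:
    """True if the operation was refused by one of the guards above."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```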

Authentication in the system is available both with and without an access role. Authentication configuration is performed via the configuration file.

API Key Access Rights

For each API Key, similar to system users, you can assign access rights to privileges and workspaces. API Key access rights configuration is performed in its profile in the system web interface at Settings / API Keys.

API Key access rights configuration
