Manage roles in Semarchy xDM

Roles define sets of privileges on Semarchy xDM features and on the data contained in the data locations. When they log in, users receive roles according to the identity provider configuration, in addition to the roles assigned to them in Semarchy xDM.

Create a role

To create a new role:

  1. In Configuration, select Roles in the navigation drawer.
    The Roles list opens.

  2. Click on the Add Role floating action button in the lower-right corner of the screen.

  3. Provide a Name and a Label for the new role.

  4. Select the Privileges you want to grant to this role. See Privileges for the details of each privilege.

  5. Click Add.

The role is created. You can grant this role to users, and use the role in the model and applications.

Role names are case-sensitive

When using a third-party identity provider, the role names defined in Semarchy should exactly match the role or group names returned by the security provider, in order to apply the privileges based on the groups/roles defined in the third-party IDP.

For example, if you define in your LDAP directory a group called BusinessUsers, users authenticating to Semarchy using the LDAP directory and having this group are granted the privileges of the BusinessUsers role if it exists in Semarchy.

You can configure role mappings for each identity provider to transform the IDP role/group names into matching role names as defined in Semarchy xDM.

Manage roles using the REST API

Endpoints are available on the Semarchy xDM REST API to consult and set up roles.

For more details, refer to the REST API documentation.

Privileges

The following table describes the platform privileges you can grant to a role. Each entry gives the privilege name, followed by its description:

Application Design

Grants access to all the components of the Model Design perspective in the Application Builder to view or design models.
Also grants access to model creation/export, to model edition management (closing model editions, creating a branch, managing the translations), and to the Image Library.

Application Management

Grants access to all components for model and application management (the Management view in the Application Builder), including deploying model editions, creating and configuring the data locations (notification policies, continuous loads, data notifications, etc.), the batch poller, the execution engine, the job logs, and the purge schedules. This privilege also allows upgrading the data locations and configuring Variable Value Providers.

Dashboard Management

Grants full access to the Dashboard Builder to create applications, queries, charts, and dashboards.

Dashboard Design

Grants limited access to the Dashboard Builder to create charts and dashboards only.

Discovery Management

Grants access to xDM Discovery to define, profile and browse the profiling statistics of datasources.

Platform Administration

Grants access to the Semarchy Configuration interface to view or configure the Datasources, the Notification Servers, the Variable Value Providers, the Image Libraries, the Plug-ins, the Logging Configuration, the REST Clients, the Custom Translations, and the Applications Configuration. This privilege also allows managing the License.
Note that this privilege does not give access to the Users and Roles configuration, nor to repository upgrades.

User Management

Grants access to the Semarchy Configuration interface to manage Users as well as their role assignment. This privilege does not give access to Roles configuration.

To avoid privilege escalation, a user with this privilege is still limited in the operations that he can perform:

  • He cannot modify another user with higher privileges.

  • He cannot assign a role granting privileges higher than his own privileges.

These limitations do not apply to a user with the semarchyAdmin role.

Role Management

Grants access to the Semarchy Configuration interface to manage Roles. This privilege does not give access to Users configuration.

To avoid privilege escalation, a user with this privilege is still limited in the operations that he can perform:

  • He cannot modify a role having privileges higher than his own privileges.

  • He cannot add to a role privileges higher than his own privileges.

These limitations do not apply to a user with the semarchyAdmin role.

Built-in roles

The semarchyAdmin role is a built-in role with full access to all the features of the platform with no restrictions. semarchyAdmin is the only role that gives you access to the Identity Management and API Keys configuration. It is also required for repository upgrade operations.

The semarchyConnect role must be granted for a user to log in. It should be granted by default to all users connecting to Semarchy xDM.

Privilege precedence

Privileges apply in order of precedence: Read/Write, then Read, then None. As a consequence, for each privilege a user always receives the highest level granted by any of his roles.

For example, the user John has two roles granted to him:

  • The ModelDesigner role has Read privileges for Application Management and Read/Write for Application Design.

  • The ProductionManager role has Read/Write privileges for Application Management and None for Application Design.

The resulting privileges for John are Read/Write for both Application Management and Application Design.
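As an added illustration (example code, not part of the Semarchy documentation), the following Python models the precedence rule above together with the escalation limits described under the User Management and Role Management privileges. The ModelDesigner and ProductionManager roles are filled in from John's example; the numeric Level ordering and the semarchyAdmin bypass are assumptions that mirror the rules stated on this page.

```python
from enum import IntEnum


class Level(IntEnum):
    """Privilege levels, ordered so max() selects the winner:
    Read/Write > Read > None (the page's precedence order)."""
    NONE = 0
    READ = 1
    READ_WRITE = 2


# Platform privileges listed on this page.
PRIVILEGES = ("Application Design", "Application Management",
              "Dashboard Management", "Discovery Management",
              "Platform Administration", "User Management",
              "Role Management")

# Constructed role grid, taken from the John example above.
# Privileges a role does not mention are treated as None.
ROLES = {
    "ModelDesigner": {"Application Management": Level.READ,
                      "Application Design": Level.READ_WRITE},
    "ProductionManager": {"Application Management": Level.READ_WRITE,
                          "Application Design": Level.NONE},
}


def effective_privileges(role_names, roles=ROLES):
    """Best level per privilege across all of the user's roles."""
    result = {p: Level.NONE for p in PRIVILEGES}
    for name in role_names:
        for priv, level in roles[name].items():
            result[priv] = max(result[priv], level)
    return result


def can_assign_role(assigner_roles, target_role, roles=ROLES):
    """Escalation check: a user holding User Management may not grant a
    role that exceeds his own level on any privilege. The built-in
    semarchyAdmin role is exempt from this limit (assumed name check)."""
    if "semarchyAdmin" in assigner_roles:
        return True
    own = effective_privileges(assigner_roles, roles)
    return all(level <= own[priv]
               for priv, level in roles[target_role].items())
```

The same comparison covers the Role Management rule (no adding privileges to a role above one's own): evaluate the role's proposed grid with can_assign_role.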

Sample roles

You can use the following role examples in a typical Semarchy xDM configuration:

Platform Privilege         Developer    Production User  Administrator
Platform Administration    Read         Read             Read/Write
Application Design         Read/Write   Read             Read
Application Management     Read         Read/Write       Read/Write
Dashboard Management       Read/Write   None             None
Discovery Management       Read/Write   None             None

These roles are given as examples and should be adapted to your environment’s requirements.