Manage the Security in Semarchy xDM

Users accessing Semarchy xDM are authenticated and their experience is customized depending on their privileges. Semarchy xDM uses role-based security and privilege grants for accessing its features as well as the data contained in the data location.

Platform and Model Security

There are two levels of security in Semarchy xDM:

  • Platform-Level Security defines access to the features of the platform. For example, access to the administrative features, or access to the design-time capabilities. Platform-level security sets platform users' privileges (who can design models, monitor executions, manage security, etc.).

  • Model-Level Security defines security privileges to access and modify data in the data locations. Defining these privileges is a data governance decision and should be defined as part of the data governance initiative. These privileges are part of the model and are explained in Secure the Data Hub.

Role-Based Security

Both levels of security are role-based:

  • Roles are declared in Semarchy xDM, and Privileges (platform level/model level) are granted to these Roles in Semarchy xDM.

  • Users logging in to Semarchy xDM receive effective roles as part of their login process. Roles that match those defined in Semarchy xDM give the user the associated privileges.

Two built-in roles, named semarchyConnect and semarchyAdmin, provide respectively baseline access and full access to the Semarchy xDM features.

Security Enforcement

When a users log in to Semarchy:

  1. The user enters his username and password in the Semarchy xDM login window or authenticates with a single sign-on provider.

  2. The login process returns a list of effective roles in the user session’s Security Context.

  3. Semarchy xDM matches these roles with those defined in its list of roles, to build the session’s security context, allowing:

    • Certain platform features depending on the Platform-Level Privileges granted to the corresponding roles.

    • Certain data access/modification capabilities depending on the Model-Level Privileges granted to the corresponding roles.

Semarchy xDM enforces security at several layers in the application. Insufficient privileges for a user will reflect in the user interface as missing elements or disabled menus. In the REST API, insufficient privileges to perform an operation will cause an error with the operation.

The roles declared in Semarchy xDM are not only used for security purposes. They are also used as email aliases for email notifications and in workflow assignments.

Built-in Roles

The following roles are built into the platform:

  • semarchyConnect: This role must be granted for a user to log in. It should be granted by default to all users connecting to Semarchy xDM.

  • semarchyAdmin: This role has full access to all the features of the platform with no restrictions. semarchyAdmin is the only role that gives you access to Identity Management and API Keys configuration. It is also required for repository upgrade operations.

Be cautious when granting the semarchyAdmin role. This role defines a superuser who can create roles, grant privileges, and update the license information.