Technology – Denodo Security Roles

After running around in the Denodo documentation trying to track down the roles and their capabilities, I decided to compile a unified overview of them. Here is a summary list of the Denodo security roles; I hope you find it helpful.

Virtual Data Port (VDP) Roles

| Role Name | Role Can Perform These Tasks |
| --- | --- |
| Administrator | Grants database management including: Creating Databases; Configuring and Deleting Databases; Creating Users; Modifying and Deleting Users; Creating Roles. |
| allusers | Grants the default permission which has been configured for new users. |
| ALL PRIVILEGES | Grants equivalent of this list: CONNECT, CREATE, CREATE_DATA_SOURCE, CREATE_VIEW, CREATE_DATA_SERVICE, CREATE_FOLDER, EXECUTE, METADATA, WRITE and FILE. |
| denodo_developer | Grants database admin and itpilot, including: Roles vdp_developer and itpilot_developer; Privileges CONNECT, METADATA, EXECUTE, CREATE, and WRITE. |
| vdp_developer | Grants database admin privileges, which include: CONNECT, EXECUTE, CREATE, and WRITE. |
| itpilot_developer | Grants database itpilot privileges, which include: CONNECT, EXECUTE, CREATE, and WRITE. |

Denodo Data Catalog

| Role Name | Role Can Perform These Tasks |
| --- | --- |
| data_catalog_classifier | Assign categories, tags and custom properties groups to views and web services. |
| data_catalog_editor | Edit views, web services, and databases. Create, edit and delete tags, categories, custom properties groups, and custom properties. |
| data_catalog_manager | Can do the same as a user with the roles "data_catalog_editor" and "data_catalog_classifier". |
| data_catalog_content_admin | Configure personalization options and content search. |
| data_catalog_admin | This role can perform any action of all the other data catalog roles. |
| data_catalog_exporter | The exporter role can export the results of a query from the Denodo Data Catalog. |

Denodo Scheduler

| Role Name | Role Can Perform These Tasks |
| --- | --- |
| scheduler_admin | The users that have this role assigned can perform any task in the Scheduler Administration Tool. |

Solution Manager

| Role Name | Role Can Perform These Tasks |
| --- | --- |
| solution_manager_admin | Grants the capabilities to manage the Solution Manager and Denodo licenses, which include: create, edit and remove environments, clusters and servers; set the Version Control System configuration; set the Informative Message configuration; manage licenses. |
| solution_manager_promotion | Grants the ability to create revisions, validate and deploy them in environments, which includes: access the main information of the elements of the catalog in read only mode; create, edit and remove her own revisions; validate her own revisions in environments; deploy her own revisions. |
| solution_manager_promotion_admin | Grants read only access to the main information of the elements of the catalog, and can: manage deployment configurations; manage load balancing variables; set Virtual DataPort and Scheduler properties in environments and clusters; create, edit and remove her own revisions; access the revisions from other users in read only mode; validate and deploy any revision in environments. |
| solution_manager_promotion_admin_development | Grants the ability to promote revisions created by users in any development environment. |
| solution_manager_promotion_admin_production | Grants the ability to promote revisions created by users in any production environment. |
| solution_manager_promotion_admin_staging | Grants the ability to promote revisions created by users in any staging environment. |
| jmxadmin | Grants the privilege of connecting to the JMX interface of Virtual DataPort and includes: access the main information of the elements of the catalog in read only mode; change logging level of Virtual DataPort servers; execute Denodo Monitor to gather the execution logs of the Virtual DataPort servers. |

Other Denodo Roles

| Role Name | Role Can Perform These Tasks |
| --- | --- |
| itpilot_developer | Grants database itpilot privileges, which include: CONNECT, EXECUTE, CREATE, and WRITE. |
| diagnostic_monitoring_tool_admin | Grants administration privileges over the Diagnostic and Monitoring tool. |
| web_panel_admin | Grants administration privileges over the Web Panel. |
| assignprivileges | Grants the privilege of granting/revoking privileges to other users. |

Assignable VDP Privileges

| Privileges | Description |
| --- | --- |
| CONNECT | The user can connect to the database. If the user does not have this privilege on a database, the other privileges are ignored. |
| CREATE | The user can create new elements in the database and grants CREATE_DATA_SOURCE, CREATE_VIEW, CREATE_DATA_SERVICE and CREATE_FOLDER privileges. |
| CREATE_DATA_SOURCE | The user can create new data sources in the database. |
| CREATE_VIEW | The user can create new views in the database. |
| CREATE_DATA_SERVICE | The user can create new data services (REST, SOAP web services and widgets) in the database. |
| CREATE_FOLDER | The user can create new folders in the database. |
| METADATA | The user has access to the metadata of the views but cannot query them. |
| EXECUTE | The user will have "Execute" privileges over the elements of the database and grants Metadata privileges. |
| WRITE | The user will have "Write" privileges over the elements of the database and grants Insert, Update and Delete privileges. |
| FILE | The user will have the privilege "FILE", which will allow her to browse through the directories listed in the dialog "File privilege" of the wizard Server Configuration. |
| ADMIN | The user will have "Admin" (local administrator) privileges over the database. |
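
The implication rules in the table above (CONNECT as a gate; CREATE, EXECUTE and WRITE each granting further privileges) can be applied in an access review to see what a grant really yields. This is an added example, not Denodo code or part of the original post; the role names, database names and allow-list are constructed for illustration.

```python
# Implication rules taken only from the privilege table on this page.
# ADMIN is left unexpanded because the page lists no implied privileges for it.
IMPLIES = {
    "ALL PRIVILEGES": {"CONNECT", "CREATE", "CREATE_DATA_SOURCE", "CREATE_VIEW",
                       "CREATE_DATA_SERVICE", "CREATE_FOLDER", "EXECUTE",
                       "METADATA", "WRITE", "FILE"},
    "CREATE": {"CREATE_DATA_SOURCE", "CREATE_VIEW", "CREATE_DATA_SERVICE",
               "CREATE_FOLDER"},
    "EXECUTE": {"METADATA"},
    "WRITE": {"INSERT", "UPDATE", "DELETE"},
}

def effective(granted):
    """Return the privileges a grant set really yields on one database."""
    result, todo = set(), list(granted)
    while todo:                       # follow implications transitively
        priv = todo.pop()
        if priv not in result:
            result.add(priv)
            todo.extend(IMPLIES.get(priv, ()))
    result.discard("ALL PRIVILEGES")  # shorthand for a list, not a privilege
    # Without CONNECT the other privileges on the database are ignored.
    return result if "CONNECT" in result else set()

def review(grants, allowed):
    """Check grants {role: {db: privs}} against an allow-list {role: privs}."""
    findings = []
    for role, per_db in sorted(grants.items()):
        for db, privs in sorted(per_db.items()):
            eff = effective(privs)
            if privs and not eff:
                findings.append((role, db, "no CONNECT: grants are ignored"))
            excess = eff - effective(allowed.get(role, set()))
            if excess:
                findings.append((role, db, "excess: " + ", ".join(sorted(excess))))
    return findings

# Constructed sample data; role and database names are hypothetical.
GRANTS = {
    "report_reader": {"sales": {"CONNECT", "EXECUTE"}, "hr": {"EXECUTE"}},
    "view_builder": {"sales": {"CONNECT", "CREATE", "EXECUTE"}},
}
ALLOWED = {
    "report_reader": {"CONNECT", "EXECUTE"},
    "view_builder": {"CONNECT", "CREATE_VIEW", "CREATE_FOLDER", "EXECUTE"},
}

if __name__ == "__main__":
    print(review(GRANTS, ALLOWED))
```

The sample flags a grant that has no effect because CONNECT is missing, and a role given CREATE where only view and folder creation was intended.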

Other Denodo Security Notes

There is currently no explicit privilege that grants CREATE ASSOCIATION to a user or role without also granting rights to create other objects.

Related References

User Manuals / Virtual DataPort Administration Guide / Databases, Users and Access Rights in Virtual DataPort / User and Access Right in Virtual DataPort

https://community.denodo.com/docs/html/browse/8.0/en/vdp/administration/databases_users_and_access_rights_in_virtual_dataport/user_and_access_right_in_virtual_dataport/user_and_access_right_in_virtual_dataport#roles

User Manuals / Virtual DataPort VQL Guide / Creating Databases, Users, Roles and Access Privileges / Managing Users / Managing User Roles

https://community.denodo.com/docs/html/browse/8.0/en/vdp/vql/creating_databases_users_roles_and_access_privileges/managing_users/managing_user_roles

User Manuals / Solution Manager Administration Guide / Authentication and Authorization / Authorization

https://community.denodo.com/docs/html/browse/8.0/en/solution_manager/administration/authentication_and_authorization/authorization/authorization#authorization