Manta Flow Server Authentication and Authorization

This article describes the overall concepts of authentication and authorization in Manta Flow Server. See Manta Identity Management: Keycloak for more details about authentication management and configuration.

User Roles

The application uses several user roles to authorize specific operations within the metadata repository. The roles are:

Access Rights for the Metadata Repository

It is possible to define access rights for the metadata repository. This means that some parts of the metadata repository may only be visible to particular users.

Enabling and Disabling Access Rights

To enable this feature, set the repository.permissions-enabled property to true under Configurations > Server > Common > Repository Configuration in Manta Admin UI.

To disable this feature, set that property to false. In this case, the entire repository will be accessible to all users.

Defining Access Rights

If the access rights feature is enabled, it is possible to configure metadata repository permissions for IBM Automatic Data Lineage users. This is done on three levels.

  1. Repository view configuration (defined in Automatic Data Lineage). A repository view is any part of the repository. It is defined as a set of included and excluded repository subtrees.

  2. Assigning repository views to user roles (defined in Automatic Data Lineage). Each role has a set of repository views assigned to it that are accessible to users with this role. It is possible to assign no view (i.e., no part of the repository is accessible) as well as the entire repository. One view can be assigned to more than one role.

  3. Assigning users to user roles (defined in external systems, e.g., LDAP, or in Automatic Data Lineage). Each user can be assigned one or more roles and vice versa. There is no need to define the roles explicitly in Automatic Data Lineage.

Repository View Configuration

Repository views can be configured in the configuration Configurations > Server > Common > Repository Views in Manta Admin UI. The rows are records of the inclusion of repository objects in the view or the exclusion of them from the view. The record fields are:

Repository view: Name of the repository view the record applies to.

Type: Type of record. The value must be either INCLUDE or EXCLUDE. If it is INCLUDE, the affected objects are included in the view. If it is EXCLUDE, the affected objects are excluded from the view. Exclusions take precedence over inclusions. If only EXCLUDE records are defined for the view, the rest of the repository is considered to be included in the view.

Affected objects: Case-insensitive regular expressions of repository path entries, separated by slashes (/). A repository object is affected if and only if:

  1. each entry of its path matches the corresponding regular expression,

  2. or any of its ancestors fulfills point one.

The object resource is the first object path entry.

Special cases:

  • To enclose a path entry in double quotes ("), use the \" sequence.

  • To use double quotes as part of the path entry, use the \"\" sequence.

  • To use a backslash (\) as part of the path entry, use the \\ sequence.

Assigning Repository Views to User Roles

The assignment of repository views to user roles can be configured in the configuration Configurations > Server > Common > Repository Views Permissions in Manta Admin UI. The rows are records of view-to-role assignments. The record fields are:

Role: The user role the record applies to; must be unique within the file.

Repository views: Comma-separated list of views accessible to the role; if set to *, users with this role have access to the entire repository.

Repository Object Permission Evaluation

A repository object is accessible to the user if and only if it is contained in at least one repository view assigned to at least one of the user roles.

Example Configuration

Repository Views

Repository View      Type     Affected Objects
Teradata             INCLUDE  Teradata
OracleDwhExclParty   INCLUDE  Oracle/ORCL/DWH
OracleDwhExclParty   EXCLUDE  Oracle/ORCL/DWH/PARTY.*
MSSQLInstance        EXCLUDE  MSSQL/Server\\Instance/.*

Repository Views Permissions

Role         Repository Views
ROLE_SYSTEM  *
ROLE_USER    Teradata,OracleDwhExclParty

Users with the ROLE_SYSTEM role have access to the entire repository.

Users with the ROLE_USER role have access to all Teradata databases and to the ORCL.DWH Oracle schema, excluding all objects (tables, views, etc.) whose name starts with PARTY. The MSSQLInstance view is defined but not assigned to any role, so MSSQL objects are visible only to users with ROLE_SYSTEM.
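The following is an added example, not Manta code, that models the evaluation rules above (exclusions precede inclusions, EXCLUDE-only views include the rest of the repository, * grants everything, and an object is accessible if it lies in any view of any of the user's roles) against the example configuration. It assumes subtree semantics (a pattern deeper than the object's path does not affect it) and does not implement the quoting special cases for path entries.

```python
import re

# Constructed sample configuration, transcribed from the example tables in this article.
VIEW_RECORDS = [  # (repository view, type, affected objects)
    ("Teradata", "INCLUDE", "Teradata"),
    ("OracleDwhExclParty", "INCLUDE", "Oracle/ORCL/DWH"),
    ("OracleDwhExclParty", "EXCLUDE", "Oracle/ORCL/DWH/PARTY.*"),
    ("MSSQLInstance", "EXCLUDE", r"MSSQL/Server\\Instance/.*"),
]
ROLE_VIEWS = {"ROLE_SYSTEM": "*", "ROLE_USER": "Teradata,OracleDwhExclParty"}


def affects(pattern, path):
    """True if the object at `path` (list of entries) or any of its ancestors
    matches `pattern`: slash-separated, case-insensitive regexes, one per entry.
    Assumption: a pattern deeper than the object does not affect it (subtree
    semantics). The article's quoting special cases are not handled here."""
    parts = pattern.split("/")
    if len(parts) > len(path):
        return False
    # Checking only the first len(parts) entries covers both rules: the object
    # itself (equal depth) and its ancestor at that depth (deeper object).
    return all(re.fullmatch(p, e, re.IGNORECASE) for p, e in zip(parts, path))


def in_view(view, path, view_records=VIEW_RECORDS):
    """Exclusions precede inclusions; a view with only EXCLUDE records includes
    the rest of the repository. A view with no records is treated as empty."""
    records = [(t, pat) for v, t, pat in view_records if v == view]
    if not records:
        return False
    if any(t == "EXCLUDE" and affects(pat, path) for t, pat in records):
        return False
    includes = [pat for t, pat in records if t == "INCLUDE"]
    return not includes or any(affects(pat, path) for pat in includes)


def accessible(user_roles, object_path, role_views=ROLE_VIEWS, view_records=VIEW_RECORDS):
    """An object is accessible iff it is in at least one view assigned to at
    least one of the user's roles; the value * grants the entire repository."""
    path = object_path.split("/")
    for role in user_roles:
        assigned = role_views.get(role, "")
        if assigned.strip() == "*":
            return True
        views = [v.strip() for v in assigned.split(",") if v.strip()]
        if any(in_view(v, path, view_records) for v in views):
            return True
    return False
```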