Roles and Permissions

Data Collector allows you to assign roles and pipeline permissions to users and groups.

Roles, such as Creator or Manager, enable users to perform different Data Collector tasks. Each user needs at least one role to access Data Collector.

Permissions determine read, write, and execute access to individual pipelines. Users generally need a combination of roles and permissions to perform pipeline-related tasks. For example, to edit a pipeline, you need the Creator role as well as read and write permission for the pipeline.

Use groups to easily assign pipeline permissions to sets of users. When using LDAP authentication, you can also assign roles to LDAP groups. When a user belongs to a group, the user has the combination of the access assigned to the group and to the user individually.

When necessary, you can transfer permissions from a user or group to another user or group.

Note that users with the Admin role have full access to every pipeline. And the owner of a pipeline has full access to the pipeline. These users can also change who owns the pipeline.

Roles

Roles enable you to perform Data Collector tasks. Every user requires at least one role to access Data Collector.

When using file-based authentication, you must assign at least one role to each user.

When using LDAP authentication, you can assign roles to users or groups. If the user belongs to a group, any roles associated with the group are granted to the user in addition to the roles assigned directly to the user.

Data Collector provides the following roles:
Role Tasks
admin Perform any Data Collector task. Can perform all tasks listed below, as well as start and stop Data Collector, view Data Collector configuration, JVM metrics, and log information. Install libraries using the Package Manager. Generate support bundles.
manager Start and stop pipelines, monitor pipelines, configure and reset alerts. Take, review, and manage snapshots.
creator Create and configure pipelines and alerts, preview data, and monitor the pipeline. Import pipelines.
guest View pipelines and alerts, and general monitoring information. Export a pipeline.

Pipeline Permissions

Pipeline permissions determine the access that users have to a pipeline. The owner of the pipeline and users with the Admin role have full access to a pipeline. As a pipeline owner or a user with the Admin role, you can also assign pipeline permissions to individual users and to groups.

To perform pipeline-related tasks, you must have the appropriate pipeline permissions as well as the role associated with the task. For example, a user with the Guest role can only view a pipeline when granted read permission for it. Similarly, to edit a pipeline with a Creator role, you need both read and write permission on the pipeline.

To easily enable pipeline access to sets of users, grant permissions to groups. For example, say you have five users who require read and execute access to run several pipelines. To allow this, you must share each pipeline with each of these users. But if the users are in a single Operations group, you can simply assign read and execute access to the Operations group instead of assigning the permissions to each user individually.

To use pipeline permissions, enable the pipeline.access.control.enabled Data Collector configuration property, and configure the permissions on a pipeline-by-pipeline basis.

Note: When enabled, the pipeline owner and users with the Admin role have full access to a pipeline, and other users have no access.

By default, the pipeline.access.control.enabled property is disabled. When pipeline permissions are disabled, access to pipelines is based on the roles assigned to the user and its groups.

You can configure the following pipeline permissions:

Permission Description
Read View and monitor the pipeline, and see alerts. View existing snapshot data.
Write Edit the pipeline and alerts.
Execute Start and stop the pipeline. Preview data and take a snapshot.

For details about sharing pipelines with users and groups, see Sharing a Pipeline.

Roles and Permissions for Common Tasks

Performing Data Collector tasks generally requires a combination of roles and permissions. The following table outlines the requirements to perform common tasks.

Note: The pipeline owner and users with the Admin role can perform any pipeline-related task regardless of permissions.
Task Role Pipeline Permissions
View a pipeline Any Read
Create a pipeline Creator or Admin None
Edit a pipeline Creator or Admin Read and write
Preview a pipeline Creator or Admin Read and execute
Start and stop a pipeline Manager or Admin Read and execute
View existing snapshot data Manager or Admin Read
Monitor a pipeline and take snapshots Manager or Admin Read and execute
Duplicate a pipeline Creator or Admin Read
Import a pipeline to a new pipeline Creator or Admin None
Import a pipeline to an existing pipeline Creator or Admin Read and Write
Export a pipeline Any Read
Share a pipeline and configure permissions Admin None
View pipeline permissions Any Read
Start or stop Data Collector Admin Not applicable
View log data and JVM metrics Admin Not applicable
Install or uninstall stage libraries with the Package Manager Admin Not applicable

Transfer Pipeline Permissions

You can transfer pipeline permissions from a user or group to another user or group. When you transfer permissions, all pipeline permissions are passed to the target user or group. Pipeline ownership transfers only from a user to another user.

Transfer permissions when a user account or group becomes obsolete, such as when a user leaves the company or when you register Data Collector with Dataflow Performance Manager. You might also transfer permissions when a user changes positions within the company.

For example, say a JD user account belongs to a pipeline developer who has created several pipelines and is now transitioning to operations. As the pipeline creator, JD has full rights to the pipelines that she created. The pipelines are about to go into production, so she needs read and execute permission to run the pipelines, but she should no longer be able to edit them.

To handle this situation, you can transfer all permissions associated with the JD account to another development user or a development group. Then assign JD to an Ops group with the Manager role and assign the Ops group the read and execute permissions for the pipelines they need to run. Or, without an Ops group, you simply assign the Manager role to the JD user account and edit the pipeline permissions to grant read and execute permissions to JD.

When you transfer permissions, the Transfer User and Group Permissions dialog box lists any users or groups that no longer exist but are still associated with pipeline permissions. This allows you to easily transfer permissions from obsolete users and groups.

Transferring Permissions

You can transfer all permissions from a user or group to another user or group.

To change the permissions related to individual pipelines, configure the sharing properties for each pipeline. For more information, see Sharing Pipelines.

  1. To transfer permissions, click the Administration icon and then click Transfer Permissions.
    The Transfer User & Group Permissions dialog box displays.
  2. If users or groups are listed, review the list and correct the suggested mappings as needed.
    On the left side of the dialog box, Data Collector lists any users or groups that no longer exist but still have pipeline permissions. This allows you to easily transfer permissions from those users and groups.
    The right side of the dialog box displays the list of available users and groups. Select the user or group to receive the permissions for each mapping.
    Or, if you do not want to transfer permissions from a listed user or group, use the Subtract icon to remove the row.
  3. To add a row, click the Add icon.
  4. On the left side, enter the name of the user or group that you want to transfer permissions from.
  5. On the right side, select the user or group to receive those permissions.
    Pipeline ownership can only be transferred to another user. If you transfer permissions from a user to a group and the user is also a pipeline owner, the user retains ownership. A user with the Admin role can transfer the pipeline ownership to another user, as needed.
    Note: You can transfer permissions from a user or group to a single user or group. If you map the same user or group to multiple targets, Data Collector transfers permission to the last user or group in the list.
  6. Add as many rows and mappings as needed, then to save your changes, click Update.
    The permission changes take effect immediately.