
Roles and authorization concept

Platform Authentication Authorization

Authentication and authorization within the various logical contexts (domains) of the HelloDATA system are handled as follows.
Authentication uses the OAuth 2 standard; in the case of the Canton of Bern this is done via the central Keycloak server. Authorization for the individual elements within a Business Domain or Data Domain is handled within the HelloDATA portal.
To keep administration simple, a role concept is applied: instead of defining permissions for each user individually, permissions are attached to roles and users are then assigned to roles. The roles available in the portal have fixed, predefined permissions.

Business Domain

In order for a user to gain access to a Business Domain, the user must be authenticated for that Business Domain.
Unauthenticated users who try to access a Business Domain receive an error message.
The following two logical roles are available within a Business Domain:

  • HELLODATA_ADMIN
  • BUSINESS_DOMAIN_ADMIN

HELLODATA_ADMIN

  • Can act fully in the system.

BUSINESS_DOMAIN_ADMIN

  • Can manage users and assign roles (except HELLODATA_ADMIN).
  • Can manage dashboard metadata.
  • Can manage announcements.
  • Can manage the FAQ.
  • Can manage the external documentation links.

BUSINESS_DOMAIN_ADMIN is automatically DATA_DOMAIN_ADMIN in all Data Domains within the Business Domain (see Data Domain Context).

Data Domain

A Data Domain encapsulates all data elements and tools that are relevant for a specific subject.
HelloDATA supports 1 to n Data Domains within a Business Domain.

The resources to be protected within a Data Domain are:

  • Schema of the Data Domain.
  • Data mart tables of the Data Domain.
  • The entire DWH environment of the Data Domain.
  • Data lineage documents of the DBT projects of the Data Domain.
  • Dashboards, charts, datasets within the superset instance of a Data Domain.
  • Airflow DAGs of the Data Domain.

The following three logical roles are available within a Data Domain:

  • DATA_DOMAIN_VIEWER    
  • DATA_DOMAIN_EDITOR
  • DATA_DOMAIN_ADMIN

Depending on the role assigned, users are given different permissions to act in the Data Domain.
A user who has not been assigned a role in a Data Domain will generally not be granted access to any resources of that Data Domain.

DATA_DOMAIN_VIEWER

  • The DATA_DOMAIN_VIEWER role grants read access to dashboards of a Data Domain, subject to the per-dashboard assignment described below.
  • Which dashboards of the Data Domain a DATA_DOMAIN_VIEWER user is allowed to see is administered within the user management of the HelloDATA portal.
  • Only assigned dashboards are visible to a DATA_DOMAIN_VIEWER.
  • Only dashboards in "Published" status are visible to a DATA_DOMAIN_VIEWER.
  • A DATA_DOMAIN_VIEWER can view all data lineage documents of the Data Domain.
  • A DATA_DOMAIN_VIEWER can access the links to external dashboards associated with their Data Domain. It is not checked whether the user has access in the systems outside the HelloDATA system boundary.

DATA_DOMAIN_EDITOR

Same as DATA_DOMAIN_VIEWER plus:

  • The DATA_DOMAIN_EDITOR role is granted read and write access to the dashboards of a Data Domain. All dashboards are visible and editable for a DATA_DOMAIN_EDITOR. All charts used in the dashboards are visible and editable for a DATA_DOMAIN_EDITOR. All data sets used in the dashboards are visible and editable for a DATA_DOMAIN_EDITOR.
  • A DATA_DOMAIN_EDITOR can create new dashboards.
  • A DATA_DOMAIN_EDITOR can view the data marts of the Data Domain.
  • A DATA_DOMAIN_EDITOR has access to SQL Lab in Superset.

DATA_DOMAIN_ADMIN

Same as DATA_DOMAIN_EDITOR plus:

  • The DATA_DOMAIN_ADMIN role can view the Airflow DAGs of the Data Domain.
  • A DATA_DOMAIN_ADMIN can view all database objects in the DWH of the Data Domain.

Extra Data Domain

Besides the standard Data Domains there are also Extra Data Domains.
An Extra Data Domain provides additional permissions, functions and database connections such as:

  • CSV uploads to the Data Domain.
  • Read permissions from one Data Domain to additional other Data Domain(s).
  • Database connections to Data Domains of other databases.
  • Database connections via AD group permissions.
  • etc.

These additional permissions, functions or database connections are negotiated individually per Extra Data Domain.
The additional permissions, if any, are then added to the standard roles described above for that Extra Data Domain.

Row Level Security settings on Superset level can be used to additionally restrict the data that is displayed in a dashboard (e.g. only data of the own domain is displayed).

System Role to Portal Role Mapping

Portal permissions and where they appear in the portal:

| Portal Permission | Menu / Submenu / Page in Portal | Info |
|---|---|---|
| ROLE_MANAGEMENT | Administration / Portal Role Management | |
| MONITORING | Monitoring | |
| DEVTOOLS | Dev Tools | |
| USER_MANAGEMENT | Administration / User Management | |
| FAQ_MANAGEMENT | Administration / FAQ Management | |
| EXTERNAL_DASHBOARDS_MANAGEMENT | under External Dashboards | Can create and manage entries on the External Dashboards page. |
| DOCUMENTATION_MANAGEMENT | Administration / Documentation Management | |
| ANNOUNCEMENT_MANAGEMENT | Administration / Announcements | |
| DASHBOARDS | Dashboards | Sees a list in the menu with one link per Data Domain the user has access to, containing the dashboards the user has access to, plus External Dashboards. |
| DATA_LINEAGE | Data Lineage | Sees one Lineage link in the menu for each Data Domain the user has access to. |
| DATA_MARTS | Data Marts | Sees one Data Mart link in the menu for each Data Domain the user has access to. |
| DATA_DWH | Data Eng. / DWH Viewer | Sees the DWH Viewer submenu under the Data Eng. menu. |
| DATA_ENG | Data Eng. / Orchestration | Sees the Orchestration submenu under the Data Eng. menu. |

System roles, the portal role they map to, and the portal permissions that role carries:

| System Role | Portal Role | Portal Permissions |
|---|---|---|
| HELLODATA_ADMIN | SUPERUSER | ROLE_MANAGEMENT, MONITORING, DEVTOOLS, USER_MANAGEMENT, FAQ_MANAGEMENT, EXTERNAL_DASHBOARDS_MANAGEMENT, DOCUMENTATION_MANAGEMENT, ANNOUNCEMENT_MANAGEMENT, DASHBOARDS, DATA_LINEAGE, DATA_MARTS, DATA_DWH, DATA_ENG |
| BUSINESS_DOMAIN_ADMIN | BUSINESS_DOMAIN_ADMIN | USER_MANAGEMENT, FAQ_MANAGEMENT, EXTERNAL_DASHBOARDS_MANAGEMENT, DOCUMENTATION_MANAGEMENT, ANNOUNCEMENT_MANAGEMENT, DASHBOARDS, DATA_LINEAGE, DATA_MARTS, DATA_DWH, DATA_ENG |
| DATA_DOMAIN_ADMIN | DATA_DOMAIN_ADMIN | DASHBOARDS, DATA_LINEAGE, DATA_MARTS, DATA_DWH, DATA_ENG |
| DATA_DOMAIN_EDITOR | EDITOR | DASHBOARDS, DATA_LINEAGE, DATA_MARTS |
| DATA_DOMAIN_VIEWER | VIEWER | DASHBOARDS, DATA_LINEAGE |

System Role to Superset Role Mapping

| System Role | Superset Role | Info |
|---|---|---|
| No Data Domain role | Public | The user should not get access to Superset functions, so they get a role with no permissions. |
| DATA_DOMAIN_VIEWER | BI_VIEWER plus one role per dashboard the user was granted access to, i.e. the slugified dashboard name with the prefix "D_" | Example: the user is DATA_DOMAIN_VIEWER in a Data Domain and is granted access to the "Hello World" dashboard. The user then gets the role BI_VIEWER plus the role D_hello_world in Superset. |
| DATA_DOMAIN_EDITOR | BI_EDITOR | Has access to all dashboards as owner of the dashboards, plus SQL Lab permissions. |
| DATA_DOMAIN_ADMIN | BI_EDITOR plus BI_ADMIN | Has access to all dashboards as owner of the dashboards, plus SQL Lab permissions. |

System Role to Airflow Role Mapping

| System Role | Airflow Role | Info |
|---|---|---|
| HELLODATA_ADMIN | Admin | The user gets the DATA_DOMAIN_ADMIN role for all existing Data Domains and thus receives the permissions of those roles. Additionally, the user gets the Admin role. |
| BUSINESS_DOMAIN_ADMIN | (derived from DATA_DOMAIN_ADMIN) | The user gets the DATA_DOMAIN_ADMIN role for all existing Data Domains and thus receives the permissions of those roles. |
| No Data Domain role | Public | The user should not get access to Airflow functions, so they get a role with no permissions. |
| DATA_DOMAIN_VIEWER | Public | The user should not get access to Airflow functions, so they get a role with no permissions. |
| DATA_DOMAIN_EDITOR | Public | The user should not get access to Airflow functions, so they get a role with no permissions. |
| DATA_DOMAIN_ADMIN | AF_OPERATOR plus the role corresponding to the Data Domain key with the prefix "DD_" | Example: the user is DATA_DOMAIN_ADMIN in a Data Domain with the key "data_domain_one". The user then gets the role AF_OPERATOR plus the role DD_data_domain_one in Airflow. |
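The following is an added worked example, not HelloDATA's own code, that models the role rules from the Data Domain section together with the Superset and Airflow mapping tables above: Business Domain admins become DATA_DOMAIN_ADMIN everywhere, a viewer sees only dashboards that are both assigned and "Published", and the derived Superset and Airflow roles follow the "D_" and "DD_" prefix conventions. The slugification rule is an assumption inferred from the single "Hello World" example on the page; the User structure and function names are illustrative.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
BD_ADMIN_ROLES = {"HELLODATA_ADMIN", "BUSINESS_DOMAIN_ADMIN"}  # imply DATA_DOMAIN_ADMIN everywhere

@dataclass
class User:  # illustrative model, not HelloDATA's data structure
    business_roles: set[str] = field(default_factory=set)
    domain_roles: dict[str, str] = field(default_factory=dict)    # domain key -> assigned DATA_DOMAIN_* role
    dashboards: dict[str, set[str]] = field(default_factory=dict)  # domain key -> dashboards assigned in the portal

def slugify(name: str) -> str:
    # 'Hello World' -> 'hello_world' (assumed rule, inferred from the page's single example)
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")

def effective_role(user: User, domain: str) -> str | None:
    # Business Domain admins are DATA_DOMAIN_ADMIN in every Data Domain; everyone else needs an assignment
    if user.business_roles & BD_ADMIN_ROLES:
        return "DATA_DOMAIN_ADMIN"
    return user.domain_roles.get(domain)

def visible_dashboards(user: User, domain: str, all_dashboards: set[str], published: set[str]) -> set[str]:
    # Viewer: assigned AND "Published" only; editor/admin: all; no role: nothing
    role = effective_role(user, domain)
    if role is None:
        return set()
    if role == "DATA_DOMAIN_VIEWER":
        return user.dashboards.get(domain, set()) & published
    return set(all_dashboards)

def superset_roles(user: User, domain: str) -> set[str]:
    # Roles in the Superset instance of one Data Domain (Superset mapping table)
    role = effective_role(user, domain)
    if role is None:
        return {"Public"}
    if role == "DATA_DOMAIN_VIEWER":
        return {"BI_VIEWER"} | {"D_" + slugify(d) for d in user.dashboards.get(domain, set())}
    if role == "DATA_DOMAIN_EDITOR":
        return {"BI_EDITOR"}
    return {"BI_EDITOR", "BI_ADMIN"}

def airflow_roles(user: User, all_domains: list[str]) -> set[str]:
    # AF_OPERATOR plus DD_<key> for every administered Data Domain; HELLODATA_ADMIN also gets Admin
    roles = set()
    for key in all_domains:
        if effective_role(user, key) == "DATA_DOMAIN_ADMIN":
            roles |= {"AF_OPERATOR", "DD_" + key}
    if "HELLODATA_ADMIN" in user.business_roles:
        roles.add("Admin")
    return roles or {"Public"}
```

A useful check when reviewing a deployment is to compare the roles these functions derive for a user against the roles actually present in Superset and Airflow; any extra role there is a grant the portal did not intend.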