About the Security Module

Users Page

The The "Users" page icon is a person icon. Users page gives you access to the platform’s user account library.

By default, the page opens when you click the The "Security" module icon is a shield with a person icon inside. Security module. It gives you the list of the existing user accounts and enables you to edit and delete them and create new ones.

Your members are listed with little information like their username and job title. You can view information about a user account and the groups it belongs to by selecting it from the list. On the page that opens, you will only be able to change the member’s password.

As an administrator, you cannot change the username, email address, and job title of a user account. For more information, see Managing User Accounts.
As a member, if you want to change your user account information, see Managing Your User Account.

User access rights are managed at the group level. Indeed, access to Saagie platforms, modules, and projects is not managed individually for each user account, but rather by the groups they belong to.

Groups Page

The The "Groups" page icon is an icon of three persons. Groups page gives you access to the platform’s group library.

The page gives you the list of the existing groups and enables you to edit and delete them and create new ones.

Groups enable you to manage the access rights. You assign roles to an entire group to allow members to perform some actions and not others. You can add as many members as you want and all members added to the group will have the same access rights.

Groups are listed with only their name. You can view and edit information about a group by selecting it from the list.

For more information on how to manage groups, see Managing Groups.

Saagie Default Groups

There are four default groups automatically created on all Saagie platforms that cannot be deleted.

hadoop_acl_admin: For the Sentry administrator who manages access rights via Hive/Impala and HDFS (Hadoop Distributed File System) files.
hadoop_admin: For the HDFS administrator with full rights to the file system.
saagie: For the Saagie support team.
platforms_admin: For your company’s Saagie administrators to manage your platforms. Members of this group can manage users, groups, and authorizations. They also have access to all platform features, but not necessarily to all data.

Roles

Roles are specified along with access rights. They allow you to control the actions that a groups is allowed to perform.

Table 1. Access Role Table
Roles	Description
Viewer	Has read access to the project.
Editor	Has read and edit access (example: edit jobs) to the project.
Manager	Has read and edit access (example: edit jobs) to the project, can delete it and modify its settings and configuration (example: run type, versions).

Group Access Rights

Access rights are specified when creating the group and can be changed afterward. They include global access and platform access.

Global Access
Platforms Access – Applications
Platforms Access – Projects
Lakehouse Access

Global access rights apply to all platforms that the group can access.

Screenshot of the "Global Access" tab in the group settings.

1 – Technology Catalog: Defines access to the Catalog module.
→ When the Can access Technology Catalog option is selected, it gives the user group access to the Catalog module and to the management of repositories and technologies.
2 – Monitoring: Defines access to the Monitoring module.
→ When the Can access to Cluster Overview option is selected, it gives the user group access to the Monitoring module and to the resource consumption data of your cluster.

Platform access rights apply to the projects and modules of a specified platform. Add the platform(s) the group can access, then specify the group’s access rights to modules and projects.

The Applications sub-tab of the Platforms Access tab allow you to manage access rights to modules (named Applications in the user interface) for the user group.

Screenshot of the "Applications" sub-tab in the "Platform Access" tab in the group settings.

1 – Projects

Defines access to the project Projects module.
→ When the Can access Projects option is selected, it gives group members read access to the project Projects module and enables the following sub-options:

Can edit global environment variables: select this option to give group members the rights to edit global environment variables.
Can create new projects: select this option to give group members the rights to create new projects.

You must fill in the Projects tab for these options to be taken into account.

Platform access rights apply to the projects and modules of a specified platform. Add the platform(s) the group can access, then specify the group’s access rights to modules and projects.

The Projects sub-tab of the Platforms Access tab allow you to manage access rights to projects for the user group.

To access this tab, you must have selected the Can access Projects option in the Applications sub-tab of the Platform Access tab.

Screenshot of the "Projects" sub-tab in the "Platform Access" tab in the group settings.

1 – Access all projects

Defines access to all projects in the platform.
→ When the Access all projects option is selected, it gives group members access to all projects in the platform with the role you choose.

For this option, the role you choose is the same for all project. If you need global access but different roles for different projects, you must add each project individually.

2, 3 – Add projects

Defines access to the added projects only.
→ Click Add projects to give group members access to specific projects only, then choose the role (3) with which they will be able to access them.

This tab is only available if the Lakehouse module is enabled and configured on your Saagie installation by your administrator during the configuration of the Saagie installer, saagiectl. They must have answered the prompt to use Lakehouse when configuring your cluster settings.

Lakehouse access rights allow users in this group to inherit the rights defined in this panel on a catalog and its associated selected access.
This panel allows to manage the different Lakehouse Catalog Access for the user group. You can add and delete access to catalogs, and view the list of existing accesses.

Screenshot of the "Lakehouse Access" tab in the group settings.

1 – List of accesses on a specific Catalog

Allow to affect a specific Lakehouse role on this catalog for this group. You can also remove this access to the Lakehouse selected catalog with the right button.
For each catalog, 3 roles are available: admin, write and read. Each role has the format: trino-catalog-<catalog_name>-<role_name>. Here an example with iceberg catalog where we can see:

trino-catalog-iceberg-admin
trino-catalog-iceberg-write
trino-catalog-iceberg-read

For more information on the roles of Lakehouse Catalog Access, see Managing Lakehouse Catalog Access.

2 – Add catalog access: Allow to add a new Lakehouse catalog access for this group. You can search and select the catalog to define associate role on this group.

Lakehouse Catalog Access Page

The The "Lakehouse" page icon is a database icon. Lakehouse page gives you access to the Lakehouse catalog access library.

Lakehouse must have been enabled by your administrator during the configuration of the Saagie installer, saagiectl. They must have answered the prompt to use Lakehouse when configuring your cluster settings.

This page displays a list of existing Lakehouse catalog accesses and allows you to edit and delete them, as well as create new.

To be able to list the various information in a catalog and perform SQL queries on it, the user must have a minimum role assigned based on the action associated with the executed SQL query.
These catalog roles are, for each catalog and in descending order of privileges: an administrator role, a writer role, and a reader role.
This page allows you to easily create access to a catalog via its name, which will automatically create the three associated roles: admin, write and read.
Catalogs are listed only by name. You can view and edit the name of a catalog. You can also delete them.

For more information on how to manage Lakehouse Catalog Access, see Managing Lakehouse Catalog Access.

Lakehouse user roles are managed at the group level. This is because access to catalogs is not managed individually for each user account, but by the groups to which they belong.