About the Security Module
Users Page
The 
Users page gives you access to the platform’s user account library.
By default, the page opens when you click the 
Security module.
It gives you the list of the existing user accounts and enables you to edit and delete them and create new ones.
Your members are listed with little information like their username and job title. You can view information about a user account and the groups it belongs to by selecting it from the list. On the page that opens, you will only be able to change the member’s password.
|
User access rights are managed at the group level. Indeed, access to Saagie platforms, modules, and projects is not managed individually for each user account, but rather by the groups they belong to.
Groups Page
The 
Groups page gives you access to the platform’s group library.
The page gives you the list of the existing groups and enables you to edit and delete them and create new ones.
Groups enable you to manage the access rights. You assign roles to an entire group to allow members to perform some actions and not others. You can add as many members as you want and all members added to the group will have the same access rights.
Groups are listed with only their name. You can view and edit information about a group by selecting it from the list.
For more information on how to manage groups, see Managing Groups.
Saagie Default Groups
There are five default groups automatically created on all Saagie platforms that cannot be deleted.
-
hadoop_acl_admin: For the Sentry administrator who manages access rights via Hive/Impala and HDFS (Hadoop Distributed File System) files. -
hadoop_admin: For the HDFS administrator with full rights to the file system. -
saagie: For the Saagie support team. -
platforms_admin: For your company’s Saagie administrators to manage your platforms. Members of this group can manage users, groups, and authorizations. They also have access to all platform features, but not necessarily to all data. -
lakehouse-administrators: For the Lakehouse administrators to manage Lakehouse catalogs. Allows to obtaintrino-adminrole on Trino.
Roles
Roles are specified along with access rights. They allow you to control the actions that a groups is allowed to perform.
| Roles | Description |
|---|---|
Viewer |
Has read access to the project. |
Editor |
Has read and edit access (example: edit jobs) to the project. |
Manager |
Has read and edit access (example: edit jobs) to the project, can delete it and modify its settings and configuration (example: run type, versions). |
Group Access Rights
Access rights are specified when creating the group and can be changed afterward. They include global access and platform access.
Global access rights apply to all platforms that the group can access.
- 1 – Technology Catalog
-
Defines access to the
Catalog module.
→ When the Can access Technology Catalog option is selected, it gives the user group access to the Catalog module and to the management of repositories and technologies. - 2 – Monitoring
-
Defines access to the
Monitoring module.
→ When the Can access to Cluster Overview option is selected, it gives the user group access to the Monitoring module and to the resource consumption data of your cluster.
Platform access rights apply to the projects and modules of a specified platform. Add the platform(s) the group can access, then specify the group’s access rights to modules and projects.
The Applications sub-tab of the Platforms Access tab allow you to manage access rights to modules (named Applications in the user interface) for the user group.
- 1 – Projects
-
Defines access to the
Projects module.
→ When the Can access Projects option is selected, it gives group members read access to the Projects module and enables the following sub-options:-
Can edit global environment variables: select this option to give group members the rights to edit global environment variables.
-
Can create new projects: select this option to give group members the rights to create new projects.
You must fill in the Projects tab for these options to be taken into account. -
Platform access rights apply to the projects and modules of a specified platform. Add the platform(s) the group can access, then specify the group’s access rights to modules and projects.
The Projects sub-tab of the Platforms Access tab allow you to manage access rights to projects for the user group.
| To access this tab, you must have selected the Can access Projects option in the Applications sub-tab of the Platform Access tab. |
- 1 – Access all projects
-
Defines access to all projects in the platform.
→ When the Access all projects option is selected, it gives group members access to all projects in the platform with the role you choose.For this option, the role you choose is the same for all project. If you need global access but different roles for different projects, you must add each project individually. - 2, 3 – Add projects
-
Defines access to the added projects only.
→ Click Add projects to give group members access to specific projects only, then choose the role (3) with which they will be able to access them.
This tab is only available if the Lakehouse module is enabled and configured on your Saagie installation by your administrator during the configuration of the Saagie installer, saagiectl. They must have answered the prompt to use Lakehouse when configuring your cluster settings.
|
Lakehouse access rights allow users in this group to inherit the rights defined in this panel on a catalog and its associated selected access.
This panel allows to manage the different Lakehouse Catalog Access for the user group. You can add and delete access to catalogs, and view the list of existing accesses.
- 1 – List of accesses on a specific Catalog
-
Allow to affect a specific Lakehouse role on this catalog for this group. You can also remove this access to the Lakehouse selected catalog with the right button.
For each catalog, 3 roles are available: admin, write and read. Each role has the format:trino-catalog-<catalog_name>-<role_name>. Here an example withicebergcatalog where we can see:-
trino-catalog-iceberg-admin -
trino-catalog-iceberg-write -
trino-catalog-iceberg-read
-
For more information on the roles of Lakehouse Catalog Access, see Managing Lakehouse Catalog Access.
- 2 – Add catalog access
-
Allow to add a new Lakehouse catalog access for this group. You can search and select the catalog to define associate role on this group.
Lakehouse Catalog Access Page
The 
Lakehouse page gives you access to the Lakehouse catalog access library.
Lakehouse must have been enabled by your administrator during the configuration of the Saagie installer, saagiectl. They must have answered the prompt to use Lakehouse when configuring your cluster settings.
|
This page displays a list of existing Lakehouse catalog accesses and allows you to edit and delete them, as well as create new.
To be able to list the various information in a catalog and perform SQL queries on it, the user must have a minimum role assigned based on the action associated with the executed SQL query.
These catalog roles are, for each catalog and in descending order of privileges: an administrator role, a writer role, and a reader role.
This page allows you to easily create access to a catalog via its name, which will automatically create the three associated roles: admin, write and read.
Catalogs are listed only by name. You can view and edit the name of a catalog. You can also delete them.
For more information on how to manage Lakehouse Catalog Access, see Managing Lakehouse Catalog Access.
Lakehouse user roles are managed at the group level. This is because access to catalogs is not managed individually for each user account, but by the groups to which they belong.