Roles

Cloudera Data Visualization provides URL access to the ArcViz server object, roles.

To support installations that store the users and groups information outside the ArcViz environment (such as LDAP), the role membership lists for users and groups only store names. During role update and create operations, ArcViz accepts the user and group names 'as is', without validating them.

Each entry in the privs list corresponds to a single privilege row in the ArcViz role edit screen. Each row contains fields for the privilege type (ptype), an identifier section, and a list of permissions (perms) for the identified objects, such as datasets or data connections. Each privilege type has a specific identifier, and set of possible permissions. ArcViz stores the dataset IDs and connection IDs within the identifier sections as a STRING, and uses the special value "-1" to indicate "All datasets" or "All connections".

This article includes the following topics:

Defining Roles Data Type
Privileges Types
Creating Roles

Defining Roles Data Type

The JSON fields for role's data type are defined as follows:

Table 1. JSON Fields for Roles Data Type
Field	Detail Only	Updatable	Description
`id`	No	No	Role ID
`name`	No	Yes	Role name
`desc`	No	Yes	Role description
`users`	No	Yes	List of usernames that belong to this role
`groups`	No	Yes	List of groups that belong to this role
`privs`	Yes	Yes	List of privilege structures for this role, as described in Privileges Types

Privileges Types

The Cloudera Data Visualization Role-Based Access Control system supports the following permission types:

ptype: "system"

Identifier

None

Permissions


Permission Name	Description
`sys_editperm`	Manage roles and users
`sys_styles`	Manage styles and settings
`sys_viewlogs`	View query logs
`sys_editconn`	Manage data connections

ptype: "dataconn"

Identifier


Field Name	Description	Example
`dclist`	List of data connection IDs, or `-1` for 'All data connections'	`"dclist" : ["-1"]`

Permissions


Permission Name	Description
`dc_aviews`	Manage analytical views
`dc_upload`	Import data
`dc_expore`	Create datasets and explore tables

ptype: "dataset"

Identifier


Field Name	Description	Example
`dcid`	Data connection ID for this privilege, or `-1` for 'All'	`"dcid" : "-1"`
`dslist`	List of dataset IDs for this privilege	`"dslist" : ["1", "2", "3"]`

Permissions


Permission Name	Description
`dc_aviews`	Manage analytical views
`dc_upload`	Import data
`dc_expore`	Create datasets and explore tables

Creating Roles

The following code creates a new role with groups dataconn_managers and arcviz_admins. The role has system-level permissions to view logs, and to create new datasets. It also has full permissions on all connections and all datasets.

The actual API Key and the method of retrieving the key depends on the user system.

curl -s \
 -X POST \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -H "Authorization: apikey api_key" \
 -d 'data=[{
      "name": "Connection manager",
      "desc": "Data connection management",
      "groups": ["dataconn_managers", "arcviz_admins"],
      "privs": [
          {"ptype": "system",
           "perms": ["sys_viewlogs", "sys_editconn"]
          },
          {"ptype": "dataconn",
           "dclist": ["-1"],
           "perms": ["dc_aviews", "dc_upload", "dc_explore"]
          },
          {"ptype": "dataset",
           "dcid": "-1",
           "dslist": ["-1"],
           "perms": ["ds_manage", "ds_appedit", "ds_appview"]
          }
       ]
   }]' \
 127.0.0.1:7999/arc/adminapi/roles

When viewing this role through the ArcViz user interface, it appears on the edit screen like this: