Roles

Version Requirement:

This describes role management functionality only available in Dremio v18.X and later. For the new user management functionality used in tandem with roles, see the Users help topic.

Old Access Control:

Both user and role management features are used with the new privilege management functionality (i.e., access control) made available in Dremio 16.X+. For user and role management using instances of Dremio earlier than v18.0 or access control earlier than 16.0, see Users, Groups, and Roles.

Roles are groups of privileges that can be applied to users as needed. This saves the time of tracking and applying access to individual objects for each Dremio user separately. Instead, you may define multiple roles based on the types of users at your organization that access Dremio. For example, many administrators label roles by company position, such as “Analyst.”

Types of Roles

Internal

By default, an administrator can add and manage roles locally, directly from the Dremio application.

External

External roles (also known as “groups”) are those created and managed by an external authentication service like Okta. These groups and their associated users are not created manually in Dremio, but rather are added automatically when a group is synchronized with Dremio from an integrated credentials manager. Likewise, external users are created by these services and their credentials may not be changed from the Dremio interface as they are controlled by the credential manager.

Dremio communicates directly with the external system to fetch and validate groups and their users as needed. The group name is stored in Dremio, and when you edit such a role on the Roles screen, the members shown are those governed by the identity manager.

If a group’s access to Dremio is revoked by a credential manager, this does not delete the role or its member accounts in Dremio. These must be removed manually.

Using SCIM

System for Cross-domain Identity Management (SCIM) is used to integrate Okta with Dremio for group/role and user provisioning. When properly configured, Okta automatically sends a group and its associated members' credentials securely via SCIM to your Dremio server, automatically creating user accounts. These new users may then log in to Dremio according to the policies set by your credential manager.

Dremio currently supports the following functionality regarding SCIM:

  • Nested Roles (Groups)
  • User activation/deactivation
  • Synchronized passwords without external authentication configured

The following functionality is not supported:

  • Search filters beyond equal filter by username
  • Azure AD
  • Etag

Note:

You cannot reset or change an external user’s password from Dremio as this is managed by your organization’s identity manager.

If you delete an external user from Dremio, Okta will re-add their account the next time that user attempts to log in. To properly revoke access to Dremio, follow these steps.

To integrate Okta with Dremio, see the Integrating Dremio with Okta help topic. This outlines how to set up SCIM using Okta, link the service with Dremio, and assign or revoke users and groups.

Roles Screen

The Roles screen may be found by navigating to Settings > Roles.

From here, you may view and edit existing roles, which are listed in table format. The following actions may be performed:

  • To add a new role, click the Create Role button at the top-right corner of the screen. This launches the Create Role modal.
  • To edit an existing role, click on the role name or the Edit button (pencil) under the Actions column on the desired row. This launches the Roles screen, where you can edit details and privileges.
  • To delete a role, click the Delete icon (red circle) under the Actions column for the desired row. Dremio will prompt you to confirm this action. Once confirmed, the role is deleted and cannot be retrieved.

Create Role

From this modal, you may create a single role. Privileges for this role must be set from the desired object that the role is meant to interact with.

  • Name - The name associated with the role, such as a position title or type.
  • Description - Details regarding the purpose or privileges associated. Use of this field is optional.

Edit Role

From this screen, you may edit and add to a role, including the role name and description, sub-roles, users, and privileges.

Details Tab

  • Name - The name associated with the role, such as a position title or type.
  • Description - Details regarding the purpose or privileges associated. This field is optional.

Note:

Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert to the previous state, simply click the Cancel button.

Roles Tab

Roles may be assigned to another role, creating a parent-child relationship of inheritance. When a child or sub-role is added to a role, the parent role (the one you’re editing) gains all of the privileges associated with the child role.

  • To add a role, click the drop-down menu and select a role, or enter a keyword in the search bar to the right to filter roles. Then click the Add Role button to the right. The child role appears in the table along the left side of the screen.
  • To remove a child role, click the Delete button (red circle) under the Action column for the desired entry. This removes the association between the roles, and any privileges inherited from the child are removed when the changes are saved.

Important:

Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert to the previous state, simply click the Cancel button.

Members Tab

Individual users, or members, may be added to or removed from a role here. Any users associated with the role gain all object privileges associated.

  • To add a member, enter a user’s full username in the search bar at the top of the screen. Then click the Add User button to include them as a member of this role. Their name will appear in the table below.
  • To remove a member, locate the desired row by username or name and click the Delete button (red circle). This removes them as a member of this role, and they will no longer possess the privileges associated with that role. However, the user still retains membership in any other roles to which they have been added.

Important:

Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert to the previous state, simply click the Cancel button.

Privileges Tab

A role gains its utility through the privileges associated with it. This way, administrators can assign a predefined group of privileges to multiple users without having to manually add each user to each object. Objects are listed in table format with one privilege per entry, so the same object often appears in several rows, each with a different privilege. If the user lacks privileges to any objects, then they will not appear on this list.

The table displayed here only shows up to 25 privileges. If you would like to see a full list of privileges for a user, click the Show privileges using SQL Runner link at the top-right corner of the screen. This launches the SQL editor and automatically inputs the SQL command needed to retrieve a full list of privileges.

You can add privileges to a role in one of two ways:

  • Add privileges for each object to a role, then add that role to the user account from the Users screen or add the user as a member of a role from the Roles screen.
  • Add all desired privileges on an object-by-object basis for each individual user.

We recommend using roles to grant privileges, as this provides a single location from which you may make changes that will affect one or more users' access.
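The inheritance rule from the Roles tab (a parent role gains every privilege of its sub-roles), the Members tab (a user keeps the privileges of the roles they remain in after removal from one) and the role-based grant path above can be worked through with a small model. This is an added example, not Dremio's own code or data model; the role, user and object names are constructed, and the visited set is an assumption that keeps the walk finite even if two roles ever include each other.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed model of roles: direct (privilege, object) grants plus the
# sub-roles whose privileges this role inherits. Not Dremio's implementation.
@dataclass
class Role:
    name: str
    privileges: set[tuple[str, str]] = field(default_factory=set)
    sub_roles: set[str] = field(default_factory=set)


def effective_role_privileges(role_name: str, roles: dict[str, Role]) -> set[tuple[str, str]]:
    """Union of a role's own grants and those of every nested sub-role.

    Breadth-first walk over the sub-role graph; `seen` guards against a
    cycle (A includes B, B includes A) so the walk always terminates.
    """
    seen: set[str] = set()
    queue = deque([role_name])
    privs: set[tuple[str, str]] = set()
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        privs |= role.privileges
        queue.extend(role.sub_roles)
    return privs


def effective_user_privileges(user: str, memberships: dict[str, set[str]],
                              roles: dict[str, Role]) -> set[tuple[str, str]]:
    """A user holds the union of the effective privileges of every role they belong to."""
    privs: set[tuple[str, str]] = set()
    for role_name in memberships.get(user, ()):
        privs |= effective_role_privileges(role_name, roles)
    return privs


def remove_member(user: str, role_name: str, memberships: dict[str, set[str]]) -> None:
    """Dropping a user from one role leaves their other memberships untouched."""
    memberships.get(user, set()).discard(role_name)


# Constructed sample: admin -> analyst -> reader inheritance chain.
ROLES = {
    "reader": Role("reader", {("SELECT", "sales.orders")}),
    "analyst": Role("analyst", {("SELECT", "sales.customers")}, {"reader"}),
    "admin": Role("admin", {("ALTER", "sales.orders")}, {"analyst"}),
}
MEMBERSHIPS = {"alice": {"analyst"}, "bob": {"reader", "admin"}}
```

Removing a member from a role is modelled as the discard in remove_member; re-running effective_user_privileges afterwards shows which privileges survive through the user's remaining roles.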