Users

Version Requirement:

This describes user management functionality only available in Dremio v18.X and later. For the new role management functionality used in tandem with users, see the Roles help topic.

Old Access Control:

Both user and role management features are used with the new privilege management functionality (i.e., access control) made available in Dremio 16.X+. For user and role management using instances of Dremio earlier than v18.0 or access control earlier than 16.0, see Users, Groups, and Roles.

Dremio allows for the management of users locally as well as through third-party solutions like OAuth, LDAP, and Azure AD. It is from the user screen that you can grant and revoke privileges, assign roles, and change account details.

Users System Table

Administrators may view all users by accessing the sys.users table. The table is broken down by the following columns:

  • user_name - The user name for the identity.
  • source - The type of user. If created in Dremio, it will display as LOCAL. If created by an external service, it will display as EXTERNAL.
  • owner - The user’s owner, typically the account that created the user.
  • inherit - If the user inherits privileges from roles, the roles the user is a member of are listed.

Types of Users

Internal

By default, Dremio allows you to add and manage users locally, that is, directly from the application. These users' credentials are managed through Dremio by an administrator.

External

External users are those created and managed by an external application like Okta. These user accounts are not created manually in Dremio, but rather are added automatically when a user logs into Dremio for the first time using login information from an integrated credentials manager. Likewise, user credentials may not be changed from the Dremio interface as these are controlled by the credential manager.

Externally-managed users will not have their information stored locally in the users KVStore. Dremio communicates directly with the external system to fetch and validate users as needed. The username stored in Dremio and shown from the Users screen when editing a user account will display the username provided by the external service.

If a user’s access to Dremio is revoked by their credential manager, this does not delete their account in Dremio. Such accounts must be removed manually.
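
A reconciliation check for the situation described above, as an added example that is not part of Dremio's documentation or code: it compares a CSV export of sys.users with the set of usernames still assigned in the identity provider and lists external accounts left behind after revocation. The CSV export, the sample rows, and the exact-match comparison of external usernames are assumptions; the inherit value is treated as opaque text.

```python
import csv
import io

# Constructed sample: result of
#   SELECT user_name, source, owner, inherit FROM sys.users
# exported as CSV. Values are illustrative, not from a real deployment.
SYS_USERS_CSV = """user_name,source,owner,inherit
admin,LOCAL,admin,ADMIN
etl_svc,LOCAL,admin,
alice,EXTERNAL,admin,analysts
Bob,EXTERNAL,admin,analysts
carol,EXTERNAL,admin,analysts
"""

# Constructed sample: usernames currently assigned to Dremio in the identity provider.
IDP_ACTIVE = {"alice", "bob"}


def reconcile(sys_users_csv, idp_active):
    """Classify sys.users rows against the identity provider's active set."""
    report = {"stale_external": [], "case_mismatch": [], "local": []}
    folded = {name.lower(): name for name in idp_active}
    for row in csv.DictReader(io.StringIO(sys_users_csv)):
        name, source = row["user_name"], row["source"].upper()
        if source == "LOCAL":
            # Local credentials are managed in Dremio, outside the IdP's control.
            report["local"].append(name)
        elif source == "EXTERNAL" and name not in idp_active:
            # Assumption: external usernames compare case-sensitively, as the
            # page states for locally added usernames.
            if name.lower() in folded:
                report["case_mismatch"].append((name, folded[name.lower()]))
            else:
                # Keep the inherit value: roles the orphaned account still holds.
                report["stale_external"].append((name, row["inherit"]))
    return report


if __name__ == "__main__":
    for category, entries in reconcile(SYS_USERS_CSV, IDP_ACTIVE).items():
        print(f"{category}: {entries}")
```

Entries under stale_external are candidates for manual removal; entries under case_mismatch need a person to decide whether the two spellings are the same identity.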

Using SCIM

System for Cross-domain Identity Management (SCIM) is used to integrate Okta with Dremio for user provisioning. When properly configured, Okta automatically sends the credentials of assigned users securely via SCIM to your Dremio server, automatically creating user accounts. These new users may then log in to Dremio according to the policies set by your credential manager.

Dremio currently supports the following functionality regarding SCIM:

  • Nested Roles (Groups)
  • User activation/deactivation
  • Synchronized passwords without external authentication configured

The following functionality is not supported:

  • Search filters beyond equal filter by username
  • Azure AD
  • Etag

Note:

You cannot reset or change an external user’s password from Dremio as this is governed by your organization’s identity manager.

If you delete an external user from Dremio, Okta will re-add their account the next time that user attempts to log in. To properly revoke access to Dremio, follow these steps.

To integrate Okta with Dremio, see the Integrating Dremio with Okta help topic. This outlines how to set up SCIM using Okta, link the service with Dremio, and assign or revoke users.

Users Screen

This screen displays all existing users with access to your instance of Dremio. These may be managed externally or locally depending on your organization’s needs.

The Users screen can be reached by navigating to Settings > Users.

All user accounts will display here in table format.

  • To add one or more new users locally, click the Add User button at the top-right corner of the screen. This launches the Add Users modal.
  • To edit an existing user account, click on the user name or the Edit button (pencil) under the Actions column for the desired account. This launches the screen for editing a user account.
  • To delete or remove a local or external user, click the Delete icon (red circle) under the Actions column for the desired account. Dremio will prompt you to confirm this action. If this is an externally-managed account, it will automatically be created again when they log into Dremio next.

Dremio allows for the creation and management of two types of users: local and external. Both types of users may exist simultaneously in the same instance of Dremio.

Add Users

This modal appears when the Add User button is selected. It is from here that all local users are added by entering usernames (not email addresses).

  • Usernames - An alphanumeric entry for each user account being created locally. Separate each username with a comma, space, or line break. These are case-sensitive.
  • Dremio Role - The role each user account will be associated with automatically upon creation. You may only select one role from the drop-down menu at this time. Additional roles may be assigned to each user after creation from the Users screen by selecting the user name or Edit button.

To create accounts associated with the usernames entered here, click the Save button. These will now appear in the table of users on the Users screen.

Edit User

From this screen you can change user account details, add roles, and view existing privileges.

Details Tab

  • First Name - The first name of the associated user.
  • Last Name - The last name of the associated user.
  • Username - The username associated with the account, used when logging into Dremio. Once this has been set upon creating an account locally or externally, it cannot be changed.
  • Password - The password for a user account may be set from here. Any existing password will not display for security purposes. If this is a new account, you must set a password for the user to be able to access their account.

Important:

Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert back to the previous state, simply click the Cancel button.

Roles Tab

All assigned and available roles created from the Roles screen will display here. To add roles, you may select and add them individually via the drop-down menu, or you may use the search bar to search for specific roles. Simply select the checkbox next to each role to add it to the user’s account. Any privileges associated with these roles will now be granted to the user once the changes are committed.

Important:

Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert back to the previous state, simply click the Cancel button.

Privileges Tab

The privileges granted to a user for each Dremio object are listed on this tab. Objects are listed in table format, with one privilege displayed per entry. You will often see the same object listed more than once, with a different privilege in each entry. If the user lacks privileges to any objects, then they will not appear on this list.

The table displayed here only shows up to 25 privileges. If you would like to see a full list of privileges for a user, click the Show privileges using SQL Runner link at the top-right corner of the screen. This launches the SQL editor and automatically inputs the SQL command needed to retrieve a full list of privileges.

When you add a role to a user account and save your changes, the privileges associated with that role will update what is shown here.

You can add privileges to a user account in one of two ways:

  • Add privileges for each object to a role, then add that role to the user account from the Users screen or add the user as a member of a role from the Roles screen.
  • Add all desired privileges on an object-by-object basis for each individual user.

We recommend using roles to grant privileges, as this provides a single location from which you may make changes that will affect one or more users' access.