Roles
Version Requirement:
This topic describes role management functionality only available in Dremio 18.X+.
Old Access Control:
User and role management features are used with the new privilege management functionality (i.e., access control) that is available in Dremio 16.X+. For user and role management in Dremio versions earlier than 18.0 or access control earlier than 16.0, see Users, Groups, and Roles.
Roles are groups of privileges that can be applied to users as needed. Instead of tracking and granting user access to individual objects in Dremio, you can define and apply roles based on the types of users in your organization that access Dremio. For example, many administrators label roles by company position, such as “Analyst.”
Types of Roles
Internal
By default, Dremio allows you to add and manage roles directly from the application, or locally, by an administrator.
External
External roles (also known as “groups”) are those created and managed by an external authentication service like Okta. These groups and their associated users are not created manually in Dremio, but rather are added automatically when a group is synchronized with Dremio from an integrated credentials manager. Likewise, external users are created by these services and their credentials may not be changed from the Dremio interface as they are controlled by the credential manager.
Dremio communicates directly with the external system to fetch and validate groups and their users as needed. The group name is stored in Dremio, and when you edit that role on the Roles screen, the members shown are those governed by the identity manager.
If a group’s access to Dremio is revoked by a credential manager, this does not delete the role or its member accounts in Dremio. These must be removed manually.
Using SCIM
System for Cross-domain Identity Management (SCIM) is used to integrate Okta with Dremio for group/role and user provisioning. When properly configured, Okta automatically sends a group and its associated members’ credentials securely via SCIM to your Dremio server, automatically creating user accounts. These new users may then log in to Dremio according to the policies set by your credential manager.
Dremio currently supports the following functionality regarding SCIM:
- Nested Roles (Groups)
- User activation/deactivation
- Synchronized passwords without external authentication configured
The following functionality is not supported:
- Search filters beyond equal filter by username
- Azure AD
- Etag
Note:
You cannot reset or change an external user’s password from Dremio as this is managed by your organization’s identity manager.
If you delete an external user from Dremio, Okta will re-add their account the next time that user attempts to log in. To properly revoke access to Dremio, follow these steps.
To integrate Okta with Dremio, see the Integrating Dremio with Okta help topic. This outlines how to set up SCIM using Okta, link the service with Dremio, and assign or revoke users and groups.
Roles Screen
The Roles screen may be found by navigating to Settings > Roles.
From here, you can view and edit existing roles, which are listed in table format. The following actions may be performed:
- To add a new role, click the Create Role button at the top-right corner of the screen. This launches the Create Role modal.
- To edit an existing role, click on the role name or the Edit button (pencil) under the Actions column on the desired row. This launches the Roles screen, where you can edit details and nested roles.
- To delete a role, click the Delete icon (red circle) under the Actions column for the desired row. Dremio will prompt you to confirm this action. Once confirmed, the role is deleted and cannot be retrieved.
Create Roles
From this modal, you may create a single role. Privileges for this role must be set from the desired object that the role is meant to interact with.
Name Limitation:
We recommend against using special characters in a role’s name (e.g., -, _, etc.). The SQL Editor cannot parse such values when using the GRANT or REVOKE commands and will return an error.
- Name - The name associated with the role, such as a position title or type.
- Description - Details regarding the role’s purpose or the privileges associated with it. Use of this field is optional.
Edit Roles
From this screen, you can edit a role and add or change details like the role name, description, sub-roles, users, and more.
Details Tab
- Name - The name associated with the role, such as a position title or type.
- Description - Details regarding the role’s purpose or the privileges associated with it. This field is optional.
Note:
Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert to the previous state, simply click the Cancel button.
Roles Tab
Roles may be assigned to another role, creating a parent-child relationship of inheritance, also known as a nested role. When a nested role is added, the parent role (the one you’re editing) grants all its privileges to the nested role.
From the Roles tab, you may view nested roles, which are listed in table format. The following actions may be performed:
- To add a new nested role, navigate to the SQL editor and use the GRANT ROLE TO ROLE command.
- To edit an existing nested role, navigate to the SQL editor and use the GRANT privilege command.
- To delete a nested role, navigate to the SQL editor and use the DROP ROLE command.
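As an added example (not part of this Dremio page), the nested-role workflow of the Roles tab expressed in the SQL Editor. The role, user and table names are constructed; the REVOKE ROLE form and the sys.roles / sys.membership views are assumed from Dremio's SQL reference and should be confirmed against your version.

```sql
-- Constructed names: "analyst" is the role being edited (the parent),
-- "analyst_intern" is the nested role, "jdoe" is a user, sales.orders a table.
-- Names use only letters and underscores-free words where possible; the page
-- notes that special characters in role names break GRANT/REVOKE parsing.
CREATE ROLE analyst;
CREATE ROLE analystintern;

-- Privileges are granted on the object the role is meant to interact with.
GRANT SELECT ON TABLE sales.orders TO ROLE analyst;

-- Nest the role: per the page, the parent role (analyst) passes all of its
-- privileges to the nested role (analystintern).
GRANT ROLE analyst TO ROLE analystintern;

-- Members are users added to the role; the user inherits the role's privileges,
-- including those reaching it through nesting.
GRANT ROLE analystintern TO USER jdoe;

-- Least-privilege check (assumed system views): confirm what is nested where
-- before handing the role out more widely.
SELECT * FROM sys.roles;
SELECT * FROM sys.membership;

-- Remove only the nesting link (assumed syntax), keeping both roles intact,
-- rather than dropping the role and losing its other grants.
REVOKE ROLE analyst FROM ROLE analystintern;

-- Dropping a role removes it and its memberships permanently.
DROP ROLE analystintern;
```

Run the two SELECTs again after the REVOKE and DROP to verify that no unintended membership survives.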
Members Tab
Individual users, or members, may be added to or removed from a role here. Any user associated with the role gains all object privileges granted to that role.
- To add a member, enter a user’s full username in the search bar at the top of the screen. Then click the Add User button to include them as a member of this role. Their name will appear in the table below.
- To remove a member, locate the desired row by username or name and click the Delete button (red circle). This removes them as a member of this role, and they will no longer possess the privileges associated with that role. However, the user still retains membership in any other roles to which they have been added.
Important:
Changes made here are not permanent until the Save button is clicked. So if you find you’ve made a mistake or wish to revert to the previous state, simply click the Cancel button.