Manage roles in Semarchy xDM

Roles define sets of privileges to Semarchy xDM features and to the data contained in the data location. When logging in, users are granted roles according to the identity provider configuration, along with assigned roles.

Create a role

To create a new role:

  1. In the navigation drawer of the Configuration module, select Roles.
    The Roles list opens.

  2. Click the Add role floating action button in the lower-right corner of the screen.

  3. Provide a Name and a Label for the new role.

  4. Select the Privileges you want to grant to this role. For details on each privilege, see Privileges.

  5. Click Add.
    The role is created. You can now grant this role to users, and use the role in the model and applications.

Role names are case-sensitive

When using a third-party identity provider, the role names defined in Semarchy must exactly match (including case) the role or group names returned by that provider; otherwise the privileges attached to the groups/roles defined in the third-party IDP are not applied.

Example

Suppose you create a group named BusinessUsers in your LDAP directory. Users who authenticate to Semarchy via LDAP and belong to this group will inherit the privileges of the BusinessUsers role within Semarchy, provided it exists.

Role mappings for each identity provider can be configured to align the IDP role or group names with corresponding role names defined in Semarchy xDM.

Manage roles using the REST API

Endpoints are available on the Semarchy xDM REST API to consult and set up roles.

For more details, see the REST API documentation.

Privileges

The following table describes the platform privileges you can grant to a role:

Platform privilege Description

Application Design

Grants access to all the components of the Model Design perspective in the Application Builder to view or design models.
It also grants access to model creation/export, model edition management (closing model editions, creating a branch, managing translations), and the image library.

Application Management

Grants access to all components for model and application management (in the Management perspective of the Application Builder), including deploying model editions, creating and configuring the data locations (notification policies, continuous loads, data notifications, etc.), the batch poller, the execution engine, the job logs, and the purge schedules. This privilege also allows upgrading data locations and configuring variable value providers.

Dashboard Management

Grants full access to the Dashboard Builder to create applications, queries, charts, and dashboards.

Dashboard Design

Grants limited access to the Dashboard Builder to create charts and dashboards only.

Discovery Management

Grants access to xDM Discovery to define, profile, and browse datasources' profiling statistics.

Platform Administration

Grants access to the Configuration interface to view or configure the datasources, notification servers, variable value providers, image libraries, plugins, logging configuration, REST clients, custom translations, and application configuration. This privilege also allows managing the license.
This privilege does not grant access to the user and role configuration, or to repository upgrade.

User Management

Grants access to the Configuration interface to manage users as well as their role assignment. This privilege does not give access to role configuration.

To prevent privilege escalation, users possessing this privilege are restricted in the operations they can perform:

  • They cannot modify a user with privileges exceeding their own.

  • They cannot assign privileges higher than their own to a role.

These restrictions do not affect users with the semarchyAdmin role.

Role Management

Grants access to the Configuration interface to manage roles. This privilege does not give access to user configuration.

To prevent privilege escalation, users possessing this privilege are restricted in the operations they can perform:

  • They cannot modify a role with privileges exceeding their own.

  • They cannot assign privileges higher than their own to a role.

These restrictions do not affect users with the semarchyAdmin role.

Built-in roles

The semarchyAdmin role is a built-in role with full and unrestricted access to all platform features. This is the only role that grants access to the identity management and API key configuration. It is also required for repository upgrade operations.

The semarchyConnect role is necessary for user login and should be granted by default to all users connecting to Semarchy xDM.

Privilege precedence

Privileges apply in order of precedence: Read/Write, then Read, then None. As a consequence, for each platform privilege a user always holds the highest level granted by any of their roles.

Example

Consider a user who has been granted two roles:

  • The ModelDesigner role has Read privileges for Application Management and Read/Write for Application Design.

  • The ProductionManager has Read/Write privileges for Application Management and None for Application Design.

As a result, this user has Read/Write privileges for both Application Management and Application Design.
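The precedence rule above and the "cannot assign privileges higher than their own" restriction of User Management and Role Management, as an added illustration that is not Semarchy's own code. Role and privilege names come from the page; the dictionary layout and function names are assumptions.

```python
# Added illustration (not Semarchy's code): Read/Write > Read > None precedence
# merged across a user's roles, and the escalation check that Role Management
# and User Management holders are subject to. Data structures are assumptions.

LEVEL = {"None": 0, "Read": 1, "Read/Write": 2}


def effective_privileges(roles):
    """Merge several roles: for each platform privilege keep the best level."""
    merged = {}
    for grants in roles.values():
        for privilege, level in grants.items():
            if LEVEL[level] > LEVEL[merged.get(privilege, "None")]:
                merged[privilege] = level
    return merged


def can_assign(actor_roles, target_role, is_semarchy_admin=False):
    """A User/Role Management holder may not assign a role whose privileges
    exceed their own effective privileges; semarchyAdmin is unrestricted."""
    if is_semarchy_admin:
        return True
    own = effective_privileges(actor_roles)
    return all(LEVEL[level] <= LEVEL[own.get(priv, "None")]
               for priv, level in target_role.items())


# Constructed sample roles matching the page's precedence example.
MODEL_DESIGNER = {"Application Management": "Read",
                  "Application Design": "Read/Write"}
PRODUCTION_MANAGER = {"Application Management": "Read/Write",
                      "Application Design": "None"}

if __name__ == "__main__":
    both = {"ModelDesigner": MODEL_DESIGNER,
            "ProductionManager": PRODUCTION_MANAGER}
    print(effective_privileges(both))
    # A designer-only operator cannot hand out a role with higher privileges.
    print(can_assign({"ModelDesigner": MODEL_DESIGNER}, PRODUCTION_MANAGER))
```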

Sample roles

You can use the following role examples in a typical Semarchy xDM configuration:

Platform privilege        Developer    Production user   Administrator

Platform Administration   Read         Read              Read/Write
Application Design        Read/Write   Read              Read
Application Management    Read         Read/Write        Read/Write
Dashboard Management      Read/Write   None              None
Discovery Management      Read/Write   None              None

These roles are given as examples and should be adapted to your environment’s requirements.