Identity Broker Default Roles
The AtScale Identity Broker provides a number of default realm roles that control the actions users can perform.
These roles can be divided into two groups: simple and complex roles. Simple roles define the actions users can perform, such as deploying catalogs or accessing the Aggregates page. Complex roles are groups of simple roles.
The following sections describe the complex and simple roles available in the Identity Broker. For information on assigning roles in the Identity Broker, see Managing Users with the Identity Broker.
Complex roles
The following table describes the complex roles available in the Identity Broker, as well as the simple roles associated with each.
Role | Description | Associated Roles |
---|---|---|
admin | Access the AtScale Control Center, where the Identity Broker and other system configurations are managed; set global configuration properties; administer users, roles, and groups; administer runtime permissions on catalogs/models; grant or revoke the superuser_user role for other users; bypass all access control checks on catalogs/models. | repository_project_publish, superuser_user, application_admin, aggregates_view, datawarehouses_admin, support_logs_view, query_dataset_api_view, queries_view, aggregates_manage, repository_project_read |
application_admin | Perform all tasks covered by the admin role, except access the Identity Broker and manage users. | offline_access, queries_manage, repository_project_publish, superuser_user, application_admin, aggregates_view, uma_authorization, query_user, datawarehouses_admin, support_logs_view, impersonation_user, default-roles-atscale, designcenter_user, query_dataset_api_view, queries_view, aggregates_manage, repository_project_read |
designcenter_user | Access Design Center. | None |
query_user | Access models from BI tools and execute queries on them. This role is automatically assigned to all users via the everyone group. | queries_manage, queries_view |
Simple roles
The following table describes the simple roles available in the Identity Broker.
Role | Description |
---|---|
aggregates_manage | Activate/deactivate aggregates via the Aggregates page. Access to the Aggregates page requires the user to also have the aggregates_view role. |
aggregates_view | Access the Aggregates page, view aggregates. |
datawarehouses_admin | Access the Data Warehouses page; view, add, and manage the data warehouses connected to AtScale. |
default-roles-atscale | For system use only. |
impersonation_user | Impersonate other users when connecting to AtScale. This is used to configure impersonation for data warehouses, client BI tools, etc. |
offline_access | For system use only. |
queries_manage | Cancel queries via the Queries page. Access to the Queries page requires the user to also have the queries_view role. |
queries_view | Access the Queries page. |
query_dataset_api_view | Not currently in use. |
repository_project_publish | Publish catalogs. Read access to catalog repositories requires the user to also have the repository_project_read role. |
repository_project_read | Access and view catalog repositories. |
superuser_user | Set global configuration properties; administer runtime permissions on catalogs/models; bypass all access control checks on catalogs/models. AtScale requires that you always have at least one user with the superuser_user role. |
support_logs_view | View and download support logs. |
uma_authorization | For system use only. |
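
The role relationships in the two tables above can be checked mechanically during an access review. The following audit sketch is an added example, not AtScale code: it expands complex roles into effective roles, then flags inherited sensitive roles and missing prerequisite roles. It assumes complex roles expand transitively and that assignments are available as a user-to-roles mapping; `SENSITIVE`, `SAMPLE` and the function names are hypothetical.

```python
# Complex-role map transcribed from the "Complex roles" table on this page.
COMPLEX = {
    "admin": {"repository_project_publish", "superuser_user", "application_admin",
              "aggregates_view", "datawarehouses_admin", "support_logs_view",
              "query_dataset_api_view", "queries_view", "aggregates_manage",
              "repository_project_read"},
    "application_admin": {"offline_access", "queries_manage", "repository_project_publish",
                          "superuser_user", "application_admin", "aggregates_view",
                          "uma_authorization", "query_user", "datawarehouses_admin",
                          "support_logs_view", "impersonation_user", "default-roles-atscale",
                          "designcenter_user", "query_dataset_api_view", "queries_view",
                          "aggregates_manage", "repository_project_read"},
    "designcenter_user": set(),
    "query_user": {"queries_manage", "queries_view"},
}
# Prerequisites stated in the "Simple roles" table: role -> role it also needs.
REQUIRES = {"aggregates_manage": "aggregates_view", "queries_manage": "queries_view",
            "repository_project_publish": "repository_project_read"}
SENSITIVE = {"superuser_user", "impersonation_user"}  # reviewer's choice (assumption)

def effective_roles(assigned):
    """Expand complex roles; the seen-set stops on application_admin listing itself."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(COMPLEX.get(role, ()))
    return seen

def audit(assignments):
    """Return (findings, superusers) for a {user: [roles]} mapping."""
    findings, superusers = [], []
    for user, assigned in sorted(assignments.items()):
        eff = effective_roles(assigned)
        if "superuser_user" in eff:
            superusers.append(user)
        for role in sorted(SENSITIVE & (eff - set(assigned))):
            findings.append(f"{user}: inherits {role} through a complex role")
        for role, needed in sorted(REQUIRES.items()):
            if role in eff and needed not in eff:
                findings.append(f"{user}: {role} needs {needed}")
    if not superusers:
        findings.append("no user holds superuser_user (AtScale requires at least one)")
    return findings, superusers

# Constructed sample assignments, not taken from a real deployment.
SAMPLE = {"alice": ["admin"], "bob": ["application_admin"],
          "carol": ["query_user", "aggregates_manage"], "dave": ["designcenter_user"]}
```

Under the transitivity assumption, a user assigned only admin also ends up with impersonation_user, because admin includes application_admin.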