Access Manager
The Access Manager component in Timbr is where users and roles are created in the platform. Users can define roles based on projects, business functions, and data assets, with granular permissions to support any type of access. Admins can also assign unique permissions directly to individual users without using a role.
The Access Manager is equipped with enterprise-grade access control and can integrate with Azure AD, AD Roles, and SSO mechanisms. Everything supported in the Access Manager can also be done using GRANT statements in SQL for those who prefer to code. This allows users to generate automated scripts based on input from other applications and always maintain controlled and governed access to data.

The Access Manager can be accessed through the Manage tab by clicking on Access Manager.
Introduction
Access control in Timbr is divided into two main aspects:
- What a user can see - Access Permissions - The user's access to the knowledge graph, datasources (tables), concepts, mappings, views, and all other data elements that a user is exposed to and can view, query, create, and edit. This also includes the ability to grant or revoke the creation or modification of users and roles.
- What a user can do - Platform Permissions - The user's access to the different pages and components in the platform, for example the Ontology Explorer, Data Mapper, Graph Explorer, Knowledge Lineage, Access Manager, etc.
Getting Started
The Access Manager component can be accessed by clicking on the Manage tab and choosing Access Manager.
Once selected, a list of all users will appear, including their Name, Username, Roles, Status, and Last Activity.
Above the list of users are the two tabs that enable you to switch between viewing the Users and viewing the different Roles.
Beneath the two tabs is a search bar that can assist in finding specific users or roles from the list.
To the right of the search bar is + Create New User, which, when clicked, opens a new box for creating a user.

Beneath + Create New User are different filtering options as well as bulk actions that can be performed. These include:
- Status - Filtering the graph based on Active/Inactive users.
- Roles - Filtering the graph based on specifically created roles.
- Bulk Actions - Enabling users to select multiple users and perform one of the following bulk actions on them:
  - Set role to users - The ability to add a specific role to multiple users chosen from the list all in one click.
  - Set active - The ability to add the active status to multiple users chosen from the list all in one click.
  - Set inactive - The ability to add the inactive status to multiple users chosen from the list all in one click.
  - Delete users - The ability to delete multiple users chosen from the list all in one click.
To the right of each user, there are the following three buttons:
- View Permissions - This button opens a window with a detailed view of the roles the selected user has, as well as the permissions the selected user has in each aspect of the platform. Here you can also add permissions to the user by clicking on + Add Access Permissions.

- Edit User - This button, which appears as a pencil, opens a window for editing the chosen user. This includes the user's login information, the user's status, and the different roles the user has in the platform.

- Delete User - The third button, which appears as a trash can, deletes the selected user when clicked.

Creating a New User
- On the main page of the Access Manager, click on + Create New User on the upper right side.
- In the new window, you will be asked to fill in the new user's information, which will be used when signing in to the platform, using one of the following two tabs:
  - User and Password - To create a user using this option, a First and Last Name of the user will be required, as well as a Username, Email, and Password for the new user, which is connected to the relevant server of the user's organization.

  - Single-Sign-On - To create a user using this option, the only thing required is the user's Email, as used and authorized by the user's organization and supported by either Google or Microsoft Azure.

Once the new user's information is entered, the user can be added by clicking on Add New User on the bottom right of the screen.
If, while creating a user, you would like to assign the user roles that contain unique permissions, this can be accomplished in the following two ways:
- Choosing existing roles - Beneath the new user's information is the list of roles (Custom Roles, Default Roles, Default Datasource Roles, and Default Knowledge Graph Roles) that can be assigned to the user. Each role's permissions can be revealed by clicking on View Permissions to the right of the role.

- Creating new custom roles - The second option to add roles to a user is to create the new roles from scratch by clicking on + Create New Custom Role located on the top right of the list of roles.
The full process and options for creating user roles can be found in depth in the next section.
Creating User Roles
- On the main Access Manager page, switch from the default Users tab to the Roles tab.
You will now see all the different types of Roles that can be assigned to users, divided into the following categories:
Custom Roles - This category contains all the roles that were custom-made by the user.
Default Roles - This category contains Timbr's default roles which are included by default in the Timbr platform. The default roles are:
- Admin - Users given the Admin role will have full access and editing capabilities in the platform.
- Analyst - Users given the Analyst role will be able to query the specific datasources or knowledge graphs assigned by the admin.
- Editor - Users given the Editor role will be able to edit the specific datasources or knowledge graphs assigned by the admin.
- Public - Users given the Public role will have public access to the specific datasources or knowledge graphs assigned by the admin.
- Viewer - Users given the Viewer role will strictly have the ability to view the specific datasources or knowledge graphs assigned by the admin, without the ability to edit or query them.
Default Datasource Roles - When a user creates a new datasource in Timbr, the following three default roles are automatically created:
- Analyst - Users given the Analyst role will be able to query the specific datasources assigned by the admin.
- Editor - Users given the Editor role will be able to edit the specific datasources assigned by the admin.
- Viewer - Users given the Viewer role will strictly have the ability to view the specific datasources assigned by the admin, without the ability to edit or query them.
Default Knowledge Graph Roles - When a user creates a new knowledge graph in Timbr, the following three default roles are automatically created:
- Analyst - Users given the Analyst role will be able to query the specific knowledge graphs assigned by the admin.
- Editor - Users given the Editor role will be able to edit the specific knowledge graphs assigned by the admin.
- Viewer - Users given the Viewer role will strictly have the ability to view the specific knowledge graphs assigned by the admin, without the ability to edit or query them.
- To create a new custom role, click on + Create New Role located on the top right above all the category lists.
- Once clicked, you will be asked to enter a Name for the role as well as an optional yet recommended description of the purpose of the created role.

Beneath the name and description are the platform permissions, which determine what a user can do in the platform when assigned this role. Here you can pinpoint exactly which options users will have when navigating the platform with the given role.
Every possibility in the platform is located in the different platform screen menus seen below, which include: Ontologies, Model, Visualize, Manage, and SQL Lab.

Each platform menu can be clicked on and opened in order to select which aspects of the chosen platform menu the user will have access to when assigned this role.

In cases where there are many options and you'd like to give access to all of them, you can use the bulk options on the right of each platform menu: click on Can Access to give access to all, or click on Reset to remove access to all.
- Once the new role's information and permissions are in place, the role can be added by clicking on Add New Role on the bottom right of the screen.
When returning to the main Access Manager page in the Roles tab, there are 3 options to the right of each role on the list.
These 3 options are:
Assigned Vs. Not Assigned - This shows which roles are assigned to which users, as well as which roles have no users assigned to them.

View Permissions - This button will open a window with a detailed view of what platform permissions are attached to the selected role, as well as which users are assigned this role. Here you will be able to add permissions and edit the role.

Additional Options - This button will open a small pop-up with additional options that can be performed on each role.

The following options that appear include:
Edit role - When clicked on, a window will appear allowing users to edit the selected role by adding or editing existing permissions to the role.

Assign to new user - When clicked on, a Create New User window will appear with the selected role highlighted beneath. All that is needed is to fill in the new user's information and click on Add New User on the bottom right.

Assign to existing user - When clicked on, an Assign user window will appear with the option to assign the selected role to any of the users on the list.
Duplicate and Edit - Duplicates the selected role enabling users to edit a copy of the role as well as edit its permissions.

Delete - Deletes the selected role from the list of roles in the Access Manager.
The features and options above can be performed on all categories as well, which include Custom Roles, Default Roles, Default Datasource Roles and Default Knowledge Graph Roles.
Adding and Editing User Access Permissions
As mentioned above, a user's access permissions can be accessed and viewed in the Users tab to the right of each user by clicking on View Permissions.

In the window that appears, on top will be the user's name and roles. Each user role can be accessed and edited by clicking on the role name.

Please note that editing a role affects not only the specific user you are editing the role for, but all users who were assigned that role.
Under the selected user's name and roles are the user's access permissions, which define what a user can see in the platform. Each existing permission given to a specific user has 3 options when hovering over the permission: Revoke, Copy Grant Query, and Information.

Revoke - Revokes the specific access given to the user.
Please note that only permissions that were assigned directly to the specific user can be revoked from here. When a permission comes from a role the user was added to, revoking it is done by removing the user from that role through the Roles tab.

Copy Grant Query - Copies the permission's SQL GRANT query to the clipboard.
Information - When Information is hovered over, it will show all the information of the specific permission.

To add new access permissions to the user click on + Add Access Permissions below the list of existing permissions.

In the new window that appears, there are the initial 2 dropdowns that include Access Type and Resource.

The Access Type dropdown contains 3 options which are:
- Access - Users given the Access permission can only view the metadata of a chosen resource.
- Query - Users given the Query permission can view the metadata and query the chosen resource.
- Edit - Users given the Edit permission can create, edit or remove the chosen resource.

The Resource dropdown initially contains 4 options, but the options change based on the first selection in the following way:
If the Access permission, which is the most basic permission, is given to the user, then the Resource dropdown will show the following 4 options:
- Specific knowledge graph - Giving the user permission to view a specific knowledge graph.
- Specific datasource - Giving the user permission to view a specific datasource.
- All knowledge graphs - Giving the user permission to view all the knowledge graphs in the platform.
- All datasources - Giving the user permission to view all the datasources connected to the platform.

If the Query permission is given to the user, then the Resource dropdown will show the following 6 options:
- Specific knowledge graph - Giving the user permission to view and query a specific knowledge graph.
- Specific datasource - Giving the user permission to view and query a specific datasource.
- All knowledge graphs - Giving the user permission to view and query all the knowledge graphs in the platform.
- All datasources - Giving the user permission to view and query all the datasources connected to the platform.
- View all users - Giving the user permission to view all users in the platform.
- View all roles - Giving the user permission to view all roles in the platform.

If the Edit permission, which includes the most advanced permissions, is given to the user, then the Resource dropdown will show the following 12 options:
- Specific knowledge graph - Giving the user permission to view, edit or remove a specific knowledge graph.
- Specific datasource - Giving the user permission to view, edit or remove a specific datasource.
- All knowledge graphs - Giving the user permission to view, edit or remove all the knowledge graphs in the platform.
- Create knowledge graphs - Giving the user permission to create new knowledge graphs in the platform.
- All datasources - Giving the user permission to view, edit or remove all the datasources connected to the platform.
- Create datasources - Giving the user permission to create and add new datasources to the platform.
- Create new users - Giving the user permission to create new users in the platform.
- Edit all users - Giving the user permission to edit the details of all the users in the platform.
- Edit a specific user - Giving the user permission to edit a specific user in the platform.
- Create new roles - Giving the user permission to create new roles in the platform.
- Edit all roles - Giving the user permission to edit all roles in the platform.
- Edit a specific role - Giving the user permission to edit a specific role in the platform.
Note that, for the Edit permission only, there is a checkbox called with Grant Option below Resource. Selecting it gives the specific user the ability to grant permissions to, and revoke permissions from, other users within the scope of the permission.

When the Access Type and Resource dropdowns are chosen, depending on the choices different dropdowns will appear to drill down to the intended selection. Once the dropdowns are chosen all that's left is to click on Save at the bottom right of the window. If before saving you would like to see the SQL syntax behind the grant query defining the permission, you can click on Show GRANT query beneath the with GRANT Option checkbox.
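
The rules in this section (which Resource options each Access Type offers, with Grant Option on Edit only, and the different revocation paths for direct and role-inherited permissions) can be applied to a permissions inventory during an access review. The following is an added example, not Timbr code or a Timbr export format: the tuple layout, function names, and the sample users and roles are assumptions.

```python
# Resource options per Access Type, as listed on this page (4, 6 and 12 options).
BASE = {"Specific knowledge graph", "Specific datasource",
        "All knowledge graphs", "All datasources"}
RESOURCES = {
    "Access": BASE,
    "Query": BASE | {"View all users", "View all roles"},
    "Edit": BASE | {"Create knowledge graphs", "Create datasources",
                    "Create new users", "Edit all users", "Edit a specific user",
                    "Create new roles", "Edit all roles", "Edit a specific role"},
}

def validate_grant(access_type, resource, with_grant_option=False):
    """Return the reasons a requested permission breaks the rules above."""
    if access_type not in RESOURCES:
        return [f"unknown access type {access_type!r}"]
    problems = []
    if resource not in RESOURCES[access_type]:
        problems.append(f"{resource!r} is not offered for {access_type}")
    if with_grant_option and access_type != "Edit":
        problems.append("with Grant Option applies to Edit only")
    return problems

def review(direct, role_perms, membership):
    """Rows of (user, type, resource, source, how to revoke, flags)."""
    rows = []
    for user in sorted(set(direct) | set(membership)):
        held = [("direct", p) for p in direct.get(user, [])]
        held += [(r, p) for r in membership.get(user, []) for p in role_perms.get(r, [])]
        for source, (atype, resource, grant) in held:
            flags = validate_grant(atype, resource, grant)
            if grant:
                flags.append("can grant/revoke for others in this scope")
            if atype == "Edit" and ("user" in resource or "role" in resource):
                flags.append("administers users or roles")
            if source == "direct":
                revoke = "Revoke in the user's View Permissions window"
            else:  # inherited: editing the role would change every member
                others = sorted(u for u, rs in membership.items()
                                if source in rs and u != user)
                revoke = f"remove user from role {source}; role edits also affect {others}"
            rows.append((user, atype, resource, source, revoke, flags))
    return rows

# Constructed sample data (hypothetical users and roles, not a Timbr export).
DIRECT = {"dana": [("Edit", "Specific datasource", True)]}
ROLE_PERMS = {"kg_editor": [("Edit", "All knowledge graphs", False)],
              "auditor": [("Query", "View all users", False)]}
MEMBERSHIP = {"dana": ["kg_editor"], "eli": ["kg_editor", "auditor"]}
```

Calling `review(DIRECT, ROLE_PERMS, MEMBERSHIP)` yields one row per effective permission; rows with a non-empty flags list are the ones to look at first in a least-privilege review.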

All the access permissions for both users and roles can also be granted or revoked in Timbr's SQL.
