...

  1. Log in to Grouper using SSO

  2. Search for the DS folder

  3. When creating a group

    1. use the prefix grp_ds_denodo

    2. description should refer to a data steward

      1. all prospective members should be run by the data steward before they are added

    3. Add grp_ds_denodo-admin to the group with ADMIN privileges. This gives Denodo admins the ability to administer the group.

    4. Create separate -dev and -read groups

      1. Add the dev group to the read group so all dev group members are synced with the read group automatically. This ensures that devs keep read access beyond dev, since only the read group should be promoted outside of dev.

    5. If developers need scheduler access, create a -scheduler group and associate that group with a scheduler project after importing into Denodo.

    6. If the developers need solution manager access, add the -dev group as a member of grp_ds_denodo-solution-manager-deploy.

    7. If a service account is going to be used, create a -service group and give it the appropriate permissions after importing. Do not assign it the tts-facstaff role, as this will create view clutter in applications like DBeaver and Tableau.

  4. Add members to groups

    1. Only add members that have been approved by the data steward

  5. Import groups into Denodo using Design Studio. Note: You may need to wait up to 30 minutes for Grouper changes to get synced to AD before importing.

    Role base: DC=tufts,DC=ad,DC=tufts,DC=edu
    Attribute with role name: sAMAccountName
    Attribute with description: description
    Role search pattern: (&(cn=*denodo*)(objectcategory=group))

     

  6. Assign roles and permissions as necessary. Add the tts-facstaff role to give metadata access to all views.
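One way to check a set of groups against the conventions in step 3 before importing, as an added example that is not part of the original page. The export layout, the sample group and user names, and the function name `audit_groups` are assumptions made for illustration.

```python
"""Audit a group export against the naming and nesting rules in the steps above."""

PREFIX = "grp_ds_denodo"
ADMIN_GROUP = "grp_ds_denodo-admin"
FACSTAFF_ROLE = "tts-facstaff"


def audit_groups(groups):
    """Return sorted (group, finding) tuples for every rule violation.

    `groups` maps a group name to a dict with three sets (a hypothetical
    export layout): "admins" (subjects holding ADMIN on the group),
    "members" (direct members, users or groups) and "roles" (Denodo roles
    assigned to the imported group).
    """
    findings = []
    for name, info in groups.items():
        if name == ADMIN_GROUP:
            continue  # the admin group itself is not subject to these checks
        if not name.startswith(PREFIX):
            findings.append((name, "missing grp_ds_denodo prefix"))
        if ADMIN_GROUP not in info["admins"]:
            findings.append((name, "grp_ds_denodo-admin lacks ADMIN"))
        if name.endswith("-dev"):
            read = name[: -len("-dev")] + "-read"
            if read not in groups:
                findings.append((name, "no matching -read group"))
            elif name not in groups[read]["members"]:
                findings.append((name, "not a member of its -read group"))
        if name.endswith("-service") and FACSTAFF_ROLE in info["roles"]:
            findings.append((name, "service group has tts-facstaff"))
    return sorted(findings)


def _g(admins=(ADMIN_GROUP,), members=(), roles=()):
    """Build one group record; by default the admin group holds ADMIN."""
    return {"admins": set(admins), "members": set(members), "roles": set(roles)}


# Constructed sample export (hypothetical names, not real Grouper or AD data).
SAMPLE = {
    "grp_ds_denodo-admin": _g(admins=()),
    "grp_ds_denodo-fin-dev": _g(members={"asmith"}),
    "grp_ds_denodo-fin-read": _g(members={"grp_ds_denodo-fin-dev", "bjones"}),
    "grp_ds_denodo-hr-dev": _g(members={"clee"}),
    "grp_ds_denodo-hr-read": _g(admins=(), members={"dkim"}),
    "grp_ds_denodo-hr-service": _g(members={"svc_hr"}, roles={FACSTAFF_ROLE}),
}

if __name__ == "__main__":
    for group, finding in audit_groups(SAMPLE):
        print(f"{group}: {finding}")
```
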

...


Denodo LDAP Configuration

...

Once a VDB is created, make sure you create and import a dev and read group by following the above AD group guide. Also, make sure you update the tts-facstaff role to include Connect and Metadata access to the new VDB.

...

Auditing Privileges

In Denodo, you can run a query with privileges based on one or more roles by adding CONTEXT('impersonate_roles'='role1,role2,role3,...') to the end of any query.

...