Hybrid Data Pipeline user accounts are required to have at least one role. A user account with a given role inherits all the permissions associated with that role. Roles can be assigned and managed either through the Users API or the Web UI. However, the users API must be used to associate a permission directly with a user account. The permissions for a user account are the sum of the permissions granted to the role(s) associated with the account and the permissions granted explicitly on the account.

Hybrid Data Pipeline provides three default roles in the system tenant: System Administrator, Tenant Administrator, and User. As detailed in the table below, the System Administrator role has all permissions, the Tenant Administrator role has tenant and user permissions, and the User role has only user permissions. These roles cannot be deleted, and only the users associated with them can be modified.

When building out a Hybrid Data Pipeline environment, it can be useful for administrators to consider permissions in terms of the following categories.

  • User permissions support the ability of users to create and manage their own data sources directly through the Web UI, the Management API, or both.
  • Tenant permissions support the ability of administrators to provision and manage users on a tenant-by-tenant basis. The OnBehalfOf permission allows administrators to create and manage resources on behalf of users. This on-behalf-of functionality allows administrators to obscure or conceal the service from users.
  • Elevated permissions support the ability of administrators to use administrative features, such as throttling and logging. The operations associated with these permissions can affect all users of the system and may not be isolated on a tenant-by-tenant basis.
Important: To administer user accounts and other resources that belong to a tenant, a tenant administrator must be given explicit administrative access to the given tenant. In the Web UI, administrative access to a tenant can be granted by editing a user account via the Manage Users view. With the API, administrative access can be granted either by updating the tenants administered for a user via the Users API or by updating the list of administrators for a tenant via the Tenant API.
Note: A subset of permissions can be set on data sources. See Data source permissions for details.
Permission System admin Tenant admin User Category ID Description
CreateDataSource x x x user 1 May create new data sources
ViewDataSource x x x user 2 May view the details of any data source they own
ModifyDataSource x x x user 3 May modify or update any data source they own
DeleteDataSource x x x user 4 May delete any data source they own
UseDataSourceWithJDBC x x x user 5 May connect to any data source they own with the JDBC driver
UseDataSourceWithODBC x x x user 6 May connect to any data source they own with the ODBC driver
UseDataSourceWithOData x x x user 7 May make OData requests to any data source they own
WebUI x x x user 8 May use the Web UI with data sources they own. Operations on the data source through the Web UI will be limited based on the permissions they have been granted.
ChangePassword x x x user 9 May change their password. When using internal authentication, the ChangePassword permission is required in a number of scenarios.1
SQLEditorWebUI x x x user 10 May query the data sources they own with the SQL Editor in the Web UI
MgmtAPI x x x user 11 May use the Management API
Administrator x system admin 12 May use the Administrator API. A user with the Administrator permission has all permissions and access privileges across the system. This permission can only be granted to a user in the system tenant.
CreateUsers x x tenant 13 May create users in administered tenants
ViewUsers x x tenant 14 May get lists of users and their information in administered tenants
ModifyUsers x x tenant 15 May modify user information in administered tenants
DeleteUsers x x tenant 16 May delete users in administered tenants
CreateRole x x tenant 17 May create roles in administered tenants
ViewRole x x tenant 18 May get lists of roles and their information in administered tenants
ModifyRole x x tenant 19 May modify role information in administered tenants
DeleteRole x x tenant 20 May delete roles in administered tenants
OnBehalfOf x x tenant 21 May use ?user=<user> to manage user's data sources in administered tenants
Configurations x elevated 22 May view and modify system configuration values
CORSwhitelist x elevated 23 May view and modify the CORS whitelist
Logging x elevated 24 May view and modify logging settings
TenantAPI x elevated 25 May use the Tenant API to create, view, modify or delete tenants
RegisterExternalAuthService x elevated 26 May create, view, modify, or delete authentication services in administered tenants
Limits x elevated 27 May see and modify limit values for administered tenants, users in administered tenants, and data sources of users in administered tenants
OAuth x elevated 28 May specify and update OAuth information that a data source uses for authentication
IPWhiteList x elevated 29 May create, view, modify or delete IP whitelists
NoPasswordExpiration x elevated 30 Password does not expire
1 To use Hybrid Data Pipeline, users must have the ChangePassword permission in scenarios where they must change their passwords before logging in. These scenarios include: a new user created in the Web UI, a new user created with a password reset requirement via the Users API, and a user whose password has expired. If such a user tries to log into the Web UI, they will be prompted to change their password and cannot proceed until they have done so. The ChangePassword permission is not required for SSO implementations or other forms of external authentication. See also Authentication.