Platform Users

Overview

To use the platform, you must be logged in as a user with relevant permissions. A user can optionally be a member of one or more user groups. When a user is a member of multiple groups, one of the groups is defined as the user’s primary group.

The platform has several predefined users. A security administrator — which is any user with the Security Admin management policy, including the predefined security_admin user — can manage platform users and user groups. A security administrator can create new local users and groups, import users and groups from a supported identity provider (IdP), and delete local or imported users and groups.

Note
All users can view information for their own user profile and edit relevant properties, such as the password, email address, or first and last names. But only a security administrator can view full user information for all users and edit secure properties such as the username, management policies, or groups.
User management is done from the Identity page of the dashboard, as shown in the following image:

Dashboard Identity Users tab

Every user has a username and a password, which are used to authenticate the user. In addition, every user and user group must be assigned one or more management policies, which determine the user's permissions to access resources and perform operations. Users with the Security Admin management policy (including the predefined security_admin user) can also define fine-grained data-access policies to restrict or allow user access to specific data resources. For more information, see the Security concepts documentation, and specifically the Authentication and Authorization sections.

Note
For username restrictions, refer to the Software Specifications and Restrictions.

Predefined Users

All Tenants

The following users are predefined for the default tenant and for any new tenant that you create:

pipelines
The predefined pipelines user has the default Data management policy and is used by the platform's pipelines service to access ML pipeline data. Note that editing this user's profile might cause the pipelines service to stop working.
monitoring
The predefined monitoring user has the default Application Admin and Data management policies and is used by the platform’s monitoring service to access performance logs. Note that editing this user’s profile might cause the monitoring service to stop working.
tenancy_admin
The predefined tenancy-administrator user has the IT Admin and Tenant Admin management policies, which enable performing cluster administration — including shutting down the cluster, monitoring events and alerts, triggering log gathering, and managing tenants.
The default password of the tenancy_admin user is “IGZTEN”. You must change this password after the first login.
Default-Tenant Only

The following users are predefined only for the default tenant:

security_admin
The predefined security-administrator user has the Security Admin management policy, which enables managing users and user groups — including creating and deleting users and user groups, integrating the platform with a supported IdP, and assigning management policies.
The default password of the security_admin user is “IGZSEC”. You must change this password after the first login.
sys

The predefined system user — known as “the backup user” — has the Application Admin and Data management policies and is used for performing backups.

Backup Notes
  • Data backups aren’t activated automatically on all systems. Contact Iguazio’s support team to check the backup status for your cluster.
  • To allow backups when using data-access policy rules, ensure that as part of these rules, preferably at the start, you also grant the “sys” backup user access to the data. For more information, see Data-Access Policy Rules in the Security documentation.

Using an External Identity Provider (IdP)

A user with a Security Admin management policy, such as the predefined security_admin user, can select to import users and user groups from an external identity provider (IdP) into the platform. When an IdP is configured, it is used to authenticate the identity of all its imported users in the platform. This doesn’t prevent you from also defining local users and using the platform to authenticate them. For more information, see Authentication in the security documentation.

IdP configuration is done from the IdP tab on the dashboard’s Identity page. Start by selecting an IdP from the drop-down list next to the Remote host settings label. (In v2.10.0, only Microsoft Active Directory is supported.)

Dashboard IdP remote-host Active Directory selection

Note
When you complete the IdP configuration (as detailed in the following sections), remember to select Apply Changes to save your configuration.

Configuring the Remote IdP Host

In the Remote host settings configuration section, enter the required information for working with your selected IdP: the username and password of an IdP user with the necessary permissions, the address of the remote IdP host, and the root IdP user directory. Because the platform only reads users and groups from the IdP and never modifies it, the IdP account should preferably be a dedicated service account with read-only access rather than an administrative account.

Dashboard IdP Remote Host Settings

[Tech Preview] You can optionally use the Person filter field to add a Microsoft AD LDAP-syntax filter that restricts synchronization to members of specific user groups in the external IdP:

(&(objectClass=Person)(memberOf=<full LDAP group path>))

For example, to synchronize only with the members of a user group named AppA-IguazioDevUsers whose full LDAP path (distinguished name) is “CN=AppA-IguazioDevUsers,OU=ApplicationAccess,OU=Groups,OU=GlobalProd,DC=GLOBAL,DC=ECOLAB,DC=CORP”, use this filter:

(&(objectClass=Person)(memberOf=CN=AppA-IguazioDevUsers,OU=ApplicationAccess,OU=Groups,OU=GlobalProd,DC=GLOBAL,DC=ECOLAB,DC=CORP))

You can add multiple group search criteria to the filter. Make sure that every opening parenthesis has a matching closing parenthesis; an unbalanced filter is a syntax error.
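The following Python helper is an added example and not part of the platform or its documentation. It builds the Person filter shown above from one or more group distinguished names, combining several groups with a standard LDAP OR clause (the page says multiple criteria are allowed but does not show the syntax), hex-escapes the special characters that RFC 4515 requires so that a group name containing parentheses or asterisks cannot change the filter's structure, and checks that the result is a single balanced expression. The optional nested flag is an Active Directory feature (the LDAP_MATCHING_RULE_IN_CHAIN matching rule) that also matches transitive group membership, since plain memberOf matches direct members only; whether the platform's filter field accepts that extended syntax is not stated on this page, so treat it as an assumption to verify. The group DNs other than the AppA-IguazioDevUsers one are constructed for illustration.

```python
from typing import Iterable

# Added example; not the platform's own code.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value. Without escaping, a DN such as "CN=Dev (Test),..." would
# be parsed as extra filter syntax (an LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe embedding in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def person_filter(group_dns: Iterable[str], nested: bool = False) -> str:
    """Return an LDAP filter matching Person objects that belong to any of the
    given groups.

    nested=False uses plain memberOf, which matches direct members only.
    nested=True uses the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) so members of nested groups also match.
    """
    dns = list(group_dns)
    if not dns:
        raise ValueError("at least one group DN is required")
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in dns]
    # One group: a single memberOf assertion. Several: OR them together.
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass=Person){membership})"


def is_balanced(ldap_filter: str) -> bool:
    """Cheap syntax check: the filter is one parenthesised expression and every
    '(' has a matching ')'. Escaped \\28 / \\29 are plain text, not parentheses,
    so they are correctly ignored here."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False            # closing without a matching opening
            if depth == 0 and i != len(ldap_filter) - 1:
                return False            # text after the outer expression closes
    return depth == 0 and ldap_filter.startswith("(")


# The group from the page, plus a constructed second group for the OR form.
APPA_DN = ("CN=AppA-IguazioDevUsers,OU=ApplicationAccess,OU=Groups,"
           "OU=GlobalProd,DC=GLOBAL,DC=ECOLAB,DC=CORP")
OPS_DN = "CN=Ops,OU=Groups,DC=example,DC=com"   # constructed for illustration

if __name__ == "__main__":
    for f in (person_filter([APPA_DN]), person_filter([APPA_DN, OPS_DN]),
              person_filter([APPA_DN], nested=True)):
        print(is_balanced(f), f)
```

Run is_balanced on any filter you paste into the Person filter field before applying the IdP configuration; a filter that is missing a closing parenthesis, like the one-group template with its last “)” dropped, fails the check.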

Configuring IdP Synchronization

In the Sync mode configuration section, select the mode for synchronizing the imported IdP users in the platform with the IdP after the initial import. You can also optionally set an interval for performing periodic synchronizations in the Periodic sync section.

Dashboard IdP synchronization configuration

You can select between two alternative modes of synchronization — Partial or Full:

Note
In either mode, the synchronization is always done in one direction: changes done in the IdP are applied locally in the platform, but the IdP is never modified to apply local platform changes.
Partial synchronization

Synchronize addition and removal of users in the IdP after the initial import, but do not synchronize field changes for previously imported users and user groups. During partial synchronization, the currently configured IdP default management policies are applied to all new imported users and user groups, but the management policies of local previously imported IdP users and groups remain unaffected. For example:

  • The following local changes to imported users or user groups in the platform are not overwritten during partial synchronization:
    • A user record field (such as an email address or job title) was added or removed, or the value of an existing field has changed. For example, you can disable an imported IdP user locally in the platform by changing the value of the relevant user field without affecting the user's status in the external IdP.
    • A user was added to or removed from an imported user group.
    • A user’s or user group’s management policies were modified.
  • The following IdP changes since the previous synchronization are not applied locally in the platform during partial synchronization:
    • A user record field was added or removed, or the value of an existing field has changed.
    • A user was added to or removed from an existing group.
  • The following IdP changes since the previous synchronization are also applied locally in the platform during partial synchronization:
    • A new user or user group was added. (The newly imported IdP users and groups will be assigned the default IdP management policies that are configured in the platform at the time of the synchronization.)
    • An existing user or user group was deleted or renamed.
Full synchronization

Synchronize all IdP user and user group additions, removals, and record updates by overwriting the current imported IdP user and user-group information with the updated IdP information.

Note
  • Empty IdP user groups are not imported to the platform. When users are added to a group, the group is imported as part of the next full or partial IdP synchronization and the related user information is updated accordingly.

  • As part of the full-sync import, the currently configured IdP default management policies will be applied to all imported users and user groups.

Modifying the IdP configuration (including the initial configuration) triggers an automatic synchronization cycle. Periodic synchronizations are triggered according to the configured periodic-sync interval, if one is configured, and you can always trigger a manual synchronization by selecting the Sync option in the IdP tab. All synchronizations are done according to the configured IdP synchronization mode. However, modifying the IdP's remote host address or root user directory effectively changes the configured IdP. In that case, any previous local changes to the imported IdP users or groups are overwritten as part of the next synchronization, even in partial-synchronization mode, except for any common users or groups that exist in both IdPs.
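The following Python simulation is an added example, not the platform's code, and models the partial and full synchronization rules described above so the difference can be seen on concrete records. The user records, the stable identifiers (standing in for an IdP object identifier such as an AD objectGUID, an assumption about how renames are recognized), the group and policy names, and the local table holding only previously imported IdP users are all constructed for illustration. The security-relevant point it demonstrates: a user you disabled locally, or whose management policies you tightened locally, stays that way after a partial sync, but a full sync re-applies the IdP record and resets the policies to the currently configured defaults.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Set

# Added example modelling the documented sync rules; not the platform's code.


@dataclass
class User:
    uid: str                  # stable IdP object id (assumed; e.g. AD objectGUID)
    name: str
    email: str
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)
    policies: Set[str] = field(default_factory=set)   # platform-side only


def sync(local: Dict[str, User], idp: Dict[str, User],
         default_policies: Set[str], mode: str) -> Dict[str, User]:
    """Apply one IdP -> platform synchronization cycle and return the new state.

    `local` holds only previously imported IdP users; local-only platform users
    are kept elsewhere and are never touched by a sync. Synchronization is
    one-way: `idp` is read, never modified.
    """
    if mode not in ("partial", "full"):
        raise ValueError(f"unknown sync mode: {mode}")
    result: Dict[str, User] = {}
    for uid, remote in idp.items():
        current = local.get(uid)
        if current is None or mode == "full":
            # New users (both modes) and every user in full mode take the IdP
            # record as-is plus the default policies configured right now.
            result[uid] = replace(remote, groups=set(remote.groups),
                                  policies=set(default_policies))
        else:
            # Partial mode: a rename in the IdP is applied, but local edits to
            # fields, group membership and management policies are kept.
            result[uid] = replace(current, name=remote.name)
    # Any uid absent from the IdP snapshot was deleted there and is dropped
    # here, in both modes.
    return result


def imported_groups(users: Dict[str, User]) -> Set[str]:
    """Empty IdP groups are not imported: a group exists on the platform only
    while at least one imported user is a member of it."""
    names: Set[str] = set()
    for u in users.values():
        names |= u.groups
    return names


def sample_local() -> Dict[str, User]:
    """Constructed platform state after an earlier import, with local edits:
    alice was disabled locally and given a different policy."""
    alice = User("guid-1", "alice", "alice@example.com", enabled=False,
                 groups={"data-scientists"}, policies={"Application Admin"})
    carol = User("guid-3", "carol", "carol@example.com",
                 groups={"ops"}, policies={"Data"})
    return {u.uid: u for u in (alice, carol)}


def sample_idp() -> Dict[str, User]:
    """Constructed IdP snapshot: alice renamed, re-enabled and added to a
    group; bob is new; carol was deleted from the IdP."""
    alice = User("guid-1", "alice.smith", "asmith@example.com",
                 groups={"data-scientists", "ml-eng"})
    bob = User("guid-2", "bob", "bob@example.com", groups={"ml-eng"})
    return {u.uid: u for u in (alice, bob)}


if __name__ == "__main__":
    for mode in ("partial", "full"):
        state = sync(sample_local(), sample_idp(), {"Data"}, mode)
        a = state["guid-1"]
        print(f"{mode}: alice enabled={a.enabled} policies={sorted(a.policies)} "
              f"groups={sorted(a.groups)}; users={sorted(state)}; "
              f"groups imported={sorted(imported_groups(state))}")
```

In both modes carol disappears and bob is created with the default Data policy; only in full mode does alice come back enabled, with the IdP email and group membership and with her locally assigned Application Admin policy replaced by the default. If you rely on a local disable to lock an imported account out, a full sync (or a change of the IdP host or root directory) undoes it, so disable the account in the IdP as well.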

Configuring Default Management Policies

In the Default management policies configuration section, select one or more management policies that will be applied to every imported IdP user and user group. For more information about management policies, see Management Policies.

Dashboard IdP default management policies configuration
Note
You must select at least one default management policy. You can always change the management policies of an imported user or group after the import.

Deleting Users

Before deleting a platform user, check whether their resources and responsibilities need to be reallocated. If the user is the running user of managed application services (such as Spark or Presto), a service administrator should either delete these services or reassign them to a different running user before the user is deleted.
