Roles

Arcadia Enterprise provides URL access to ArcViz server object, roles.

To support environments where the users and groups information is stored outside the ArcViz environment, such as LDAP, the role membership lists for users and groups only store names. During role update and create operations, ArcViz accepts the user and group names 'as is', without validating them.

Each entry in the privs list corresponds to a single privilege row in the ArcViz role edit screen. Each row contains fields for the privilege type (ptype), an identifier section, and a list of permissions (perms) for the identified objects, such as datasets or data connections. Each privilege type has a specific identifier, and set of possible permissions. ArcViz stores the dataset IDs and connection IDs within the identifier sections as a STRING, and uses the special value "-1" to indicate "All datasets" or "All connections".

JSON Fields for Roles Data Type
Field Detail Only Updatable Description
id No No Role ID
name No Yes Role name
desc No Yes Role description
users No Yes List of usernames that belong to this role
groups No Yes List of groups that belong to this role
privs Yes Yes List of privilege structures for this role, as described in Privileges Types

Privileges Types

The Arcadia Enterprise Role-Based Access Control system supports the following permission types:

  • ptype: "system"
    Identifier
    None
    Permissions
    Permission Name Description
    sys_editperm Manage roles and users
    sys_styles Manage styles and settings
    sys_viewlogs View query logs
    sys_editconn Manage data connections
  • ptype: "dataconn"
    Identifier
    Field Name Description Example
    dclist List of data connection IDs, or -1 for 'All data connections' "dclist" : ["-1"]
    Permissions
    Permission Name Description
    dc_aviews Manage analytical views
    dc_upload Import data
    dc_expore Create datasets and explore tables
  • ptype: "dataset"
    Identifier
    Field Name Description Example
    dcid Data connection ID for this privilege, or -1 for 'All' "dcid" : "-1"
    dslist List of dataset IDs for this privilege "dslist" : ["1", "2", "3"]
    Permissions
    Permission Name Description
    dc_aviews Manage analytical views
    dc_upload Import data
    dc_expore Create datasets and explore tables

Creating Roles

The following code creates a new role with groups dataconn_managers and arcviz_admins. The role has system-level permissions to view logs, and to create new datasets. It also has full permissions on all connections and all datasets.

The example in this article use an APIKey obtained through the Manage API Keys interface, on the host:port/arc/apps/apikeys browser page of the ArcViz installation (see Creating New API Keys). The actual APIKey and the method of retrieving the key depends on the user system.

curl -s \
 -X POST \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -H "Authorization: apikey api_key" \
 -d 'data=[{
      "name": "Connection manager",
      "desc": "Data connection management",
      "groups": ["dataconn_managers", "arcviz_admins"],
      "privs": [
          {"ptype": "system",
           "perms": ["sys_viewlogs", "sys_editconn"]
          },
          {"ptype": "dataconn",
           "dclist": ["-1"],
           "perms": ["dc_aviews", "dc_upload", "dc_explore"]
          },
          {"ptype": "dataset",
           "dcid": "-1",
           "dslist": ["-1"],
           "perms": ["ds_manage", "ds_appedit", "ds_appview"]
          }
       ]
   }]' \
 127.0.0.1:7999/arc/adminapi/roles

When viewing this role through the ArcViz GUI, it appears on the edit screen like this:

Role definition