Skip to content

Default Altair SLC Hub Groups

An Altair SLC Hub installation contains a set of default groups. Each group has one or more role that defines allowed actions associated with Altair SLC Hub objects.

The object name is displayed as part of an Access Control log entry and can be used to determine which groups a user should be associated with to access the required hub functionality. For example, if a user has attempted to use a defined LIBNAME connection (a published library) but does not have the required access to published libraries, the Access Control log will have an entry such as:

Decision  Namespace   Object               Action
Deny      Namespace1  /PublishedLibraries  Read
The combination of Object and Action can be used to determine which of the default Altair SLC Hub groups should be associated with the user to create an allow decision. In the above example, adding the user to the PublishedLibraryConsumer group will enable Read access for published libraries.

Groups

The following list provides details of all default Hub groups, the roles in the group, which Objects the roles affect and the action the role can perform with that object.

  • If the object name contains an asterisk (*) wildcard, the permitted action is allowed for the role on all sub objects defined within the object.
  • If the action contains an asterisk (*) wildcard, all actions supported by the object are allowed for the role.

ArtifactDevelopers group

This group contains the following role:

  • ArtifactDeveloper. This role that enables users to upload artifacts to hub. The role provides the following object permissions:
Object name Action
/ArtifacteRepositories/*
  • Read
/Artifacts/*
  • Upload
  • Delete

ClusterAdministrators group

This group contains the following role:

  • ClusterAdministrator. This role enables users to manage the nodes that make up the Altair SLC Hub cluster. The role provides the following object permissions:
Object name Action
/ClusterNodes *
/ClusterNodes/* *
/PortalApplication/Administration *
/PortalRoute/Administration *
/PortalRoute/Administration/hub-management *
/PortalRoute/Administration/hub-management/* *

CredentialManagers group

This group contains the following roles:

  • PortalCredentialManager. This role enables users to access to the parts of the portal necessary for administering authorisation domains and credentials. The role provides the following object permission:
Object name Action
/PortalRoute/enterprise/auth-domains *
  • CredentialManager. This role enables users to manage Authentication Domains and related credentials. The role provides the following object permission:
Object name Action
/AuthDomains/* *

DataAccessAdministrators group

This group contains the following roles:

  • PortalPublishedLibraryConsumer. This role enables users to access the parts of the portal necessary to browse published libraries. The role provides the following object permissions:
Object name Action
/PortalRoute/enterprise/browse-published-libraries *
  • PortalDataAccessAdministrator. This role enables users to access the parts of the portal necessary for perform data access administration tasks. The role provides the following object permissions:
Object name Action
/PortalRoute/enterprise/browse-published-libraries *
/PortalRoute/enterprise/library-definitions *
/PortalRoute/enterprise/published-libraries *
  • PublishedLibraryConsumer. This role enables users to access any published library. The role provides the following object permissions:
Object name Action
/PublishedLibraries
  • Read
  • DataAccessAdministrator. This role enables users to manage Library Definitions and Libname bindings. The role provides the following object permissions:
Object name Action
/LibraryDefinitions/* *
/PublishedLibraries/*
  • Managed
/PublishedLibraryConfig/* *

DataAccessConsumers group

This group contains the following role:

  • DataAccessConsumer. this role provides users with read access to Library Definitions. The role provides the following object permissions:
Object name Action
/LibraryDefinitions/*
  • Read

DeploymentServicesAdministrators group

This group contains the following roles:

  • PortalDeploymentServicesAdministrator. This role enables users to access all parts of the Deployment Services application in the portal. The role provides the following object permissions:
Object name Action
/PortalApplication/DeploymentServices *
/PortalRoute/deployment-services *
/PortalRoute/deployment-services/* *
  • ArtifactAdministrator. This role enables users to administer artifact repositories and artifacts. The role provides the following object permissions:
Object name Action
/ArtifactRepositories/* *
/Artifacts *
/Artifacts/* *
  • DeploymentServicesAdministrator. This role enables users to manage and administer the Deployment Services application. The role provides the following object permissions:
Object name Action
/Deployments/* *
/Directory/* *
/Jobs *
/PipelineRuns *
/Pipelines/* *

ExecutionProfileUsers group

This group contains the following role:

  • ExecutionProfileUser that enables read access to the Execution Profiles. This role provides the following object permissions:
Object name Action
/ExecutionProfiles/*
  • Read
  • Use

GeneralConsumers group

This group is designed as an example of aggregated group memberships to create users who would consume data, run pipelines and run programs, but not have and administration rights. For example, a user who is a member of GeneralConsumers (and has no other direct group memberships) would be able to run a pipeline, but not edit it.

GeneralConsumers has memberships to the following groups:

HubAdministrators group

This group contains the following role:

  • HubAdministrators. This role enables users to manage and administer all Altair SLC Hub functionality. Group members can perform all supported actions available on all objects defined in Altair SLC Hub.

HubUsers group

This group contains the fundamental roles that provide minimal access to Altair SLC Hub functionality. Further roles can be added to a member of this group by assigning other groups to the user to provide the required permissions The group contains the following roles:

  • PortalCredentialUser. This role enables users to access to the "my credentials" parts of the Altair SLC Hub portal. The role provides the following object permissions:
Object name Action
/PortalApplication/Enterprise
  • Read
  • Use
/PortalRoute/enterprise *
/PortalRoute/enterprise/my-credentials *
  • ExecutionProfileUser. This role enables users to use execution profiles previously-defined in the Altair SLC Hub. The role provides the following object permissions:
Object name Action
/ExecutionProfiles/*
  • Read
  • Use
  • CredentialUser. This role enables users to use execution profiles previously-defined in the Altair SLC Hub. The role provides the following object permissions:
Object name Action
/AuthDomains/* * Read
  • User. This role enables users to use execution profiles previously-defined in the Altair SLC Hub. The role provides the following object permissions:
Object name Action
/Groups/*
  • ReadSimple
/PortalRoute/ *
/PortalRoute/settings/* *
/Users/*
  • ReadSimple
  • NamespaceUser. This role enables users to use a namespace. The role provides the following object permissions:
Object name Action
/NamespaceRead
  • Use

InvocationPortalUsers group

This group contains the following role:

  • InvocationPortalUser. This role enables users to access to the invocation portal. The role provides the following object permissions:
Object name Action
/FavouriteJobs *
/FavouritePrograms *
/PortalApplication/Invocation *
/PortalRoute/ *
/PortalRoute/invocation *
/PortalRoute/invocation/* *
/PortalRoute/settings/* *

LinkSessionUsers group

This group contains the following role:

  • LinkSessionUser. This role enables users to create link sessions and manage their own sessions. The role provides the following object permissions:
Object name Action
/LinkSessions
  • Create

PipelineDevelopers group

This group contains the following roles:

  • PipelineDeveloper. This role enables users to develop pipelines. The role provides the following object permissions:
Object name Action
/PipelineRuns *
/Pipelines/* *
  • PortalPipelineUser. This role enables users to access the relevant parts of the Altair SLC Hub portal to make use of pipelines. The role provides the following object permissions:
Object name Action
/PortalApplication/DeploymentServices *
/PortalRoute/deployment-services *
/PortalRoute/deployment-services/pipeline-editor/* *
/PortalRoute/deployment-services/pipelineruns *
/PortalRoute/deployment-services/pipelineruns/* *
/PortalRoute/deployment-services/pipelines/* *
/PortalRoute/deployment-services/pipeline-triggers *

PipelineUsers group

This group contains the following roles:

  • PipelineUser. This role enables users to view and submit pipelines and pipeline runs. The role provides the following object permissions:
Object name Action
/PipelineRuns *
/Pipelines/*
  • Read
  • Submit
  • ListTriggers
  • ReadTrigger
  • PortalPipelineUser. This role enables users to access the relevant parts of the Altair SLC Hub portal to make use of pipelines. The role provides the following object permissions:
Object name Action
/PortalApplication/DeploymentServices *
/PortalRoute/deployment-services *
/PortalRoute/deployment-services/pipeline-editor/* *
/PortalRoute/deployment-services/pipelineruns *
/PortalRoute/deployment-services/pipelineruns/* *
/PortalRoute/deployment-services/pipelines/* *
/PortalRoute/deployment-services/pipeline-triggers *

PublishedLibraryConsumers group

This group contains the following roles:

  • PortalPublishedLibraryConsumer. This role enables users to access the parts of the Altair SLC Hub portal necessary to browse published libraries. The role provides the following object permissions:
Object name Action
/PortalRoute/enterprise/browse-published-libraries *
  • PublishedLibraryConsumer. This role enables users to consume any published library. The role provides the following object permissions:
Object name Action
/PublishedLibraries
  • Read