Groups

Groups provide a mechanism for collecting together Altair SLC Hub users based on their role or function.

Altair SLC Hub contains a set of default groups that can be used to apply roles to Altair SLC Hub users.

A Hub role can be associated with groups, enabling roles to be composed for a user through their group memberships.

Groups are not namespaced entities, so all access control checks for operations relating to groups are made without specifying a namespace. Role bindings must therefore be for all namespaces to be effective.

The Groups page displays a list of current Altair SLC Hub groups.

If the required action is not available through a default group, the page can be used to create new group profiles by clicking the New button. Existing groups can be modified by clicking the displayed name. This opens the Edit Group pages. Clicking the more (...) button at the end of the group row enables the profile to be renamed or deleted.

Note

The groups a user is a member of are captured when an authentication token is created or refreshed. Changing the group memberships of a user does not have an effect until the authentication token is refreshed, either due to expiry or because the user logs out and logs back in.

Group membership and roles

Group membership and roles associated with the selected group can be added or modified using the Edit Group pages.

The Group Members tab displays existing users and groups that are members of the selected group. Both users and groups can be added directly to the selected group or be added indirectly by being members of a group that is added to the selected group.

The Group Membership tab displays existing direct and indirect groups that the selected group is a member of.

The Role Bindings tab shows the Hub roles directly added to the group. This tab does not display roles associated with the direct or indirect groups added to the selected group.
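
The membership rules above mean the roles a user ends up with can come from groups several levels away from the ones they were added to. The following is an added example, not Altair code: it walks direct and indirect memberships to list effective roles and the roles a group passes on without listing them on its own Role Bindings tab. It assumes roles flow from a group to all of its direct and indirect members; the role lists are taken from this page, while the Analysts group, the user alice and the nesting are constructed.

```python
# Added example: resolve roles held through direct and indirect group membership.
# Role lists come from this page; "Analysts", "alice" and the nesting are constructed.
GROUP_ROLES = {
    "HubUsers": ["PortalCredentialUser", "ExecutionProfileUser", "CredentialUser",
                 "User", "NamespaceUser"],
    "PipelineUsers": ["PipelineUser", "PortalPipelineUser"],
    "PublishedLibraryConsumers": ["PortalPublishedLibraryConsumer",
                                  "PublishedLibraryConsumer"],
    "Analysts": [],  # hypothetical group with no role bindings of its own
}
# member -> groups it was added to directly (users and groups can both be members)
MEMBER_OF = {
    "alice": ["HubUsers", "Analysts"],
    "Analysts": ["PipelineUsers", "PublishedLibraryConsumers"],
    "PipelineUsers": ["Analysts"],  # constructed cycle, to show the walk terminates
}

def all_groups(member):
    """Direct and indirect groups of a user or group, each visited once."""
    seen, queue = [], list(MEMBER_OF.get(member, []))
    while queue:
        group = queue.pop(0)
        if group not in seen and group != member:
            seen.append(group)
            queue.extend(MEMBER_OF.get(group, []))
    return seen

def effective_roles(member):
    """Role -> group that supplies it (assumes roles flow from a group to its members)."""
    roles = {}
    for group in all_groups(member):
        for role in GROUP_ROLES.get(group, []):
            roles.setdefault(role, group)
    return roles

def inherited_only(group):
    """Roles a group passes on that are not among its own direct role bindings."""
    direct = set(GROUP_ROLES.get(group, []))
    return sorted(set(effective_roles(group)) - direct)

if __name__ == "__main__":
    for role, source in effective_roles("alice").items():
        print(f"{role:32} via {source}")
    print("Analysts inherits:", inherited_only("Analysts"))
```

Because memberships are captured when the authentication token is created or refreshed, a result like this describes what the user's next token will carry, not necessarily the current one.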

Default Altair SLC Hub Groups

An Altair SLC Hub installation contains a set of default groups. Each group has one or more roles that define the allowed actions associated with Altair SLC Hub objects.

The object name is displayed as part of an Access Control log entry and can be used to determine which groups a user should be associated with to access the required hub functionality. For example, if a user has attempted to use a defined LIBNAME connection (a published library) but does not have the required access to published libraries, the Access Control log will have an entry such as:

Decision  Namespace   Object               Action
Deny      Namespace1  /PublishedLibraries  Read

The combination of Object and Action can be used to determine which of the default Altair SLC Hub groups should be associated with the user to create an allow decision. In the above example, adding the user to the PublishedLibraryConsumer group will enable Read access for published libraries.

The following list provides details of all default Hub groups, the roles in the group, which Objects the roles affect and the action the role can perform with that object.

  • If the object name contains an asterisk (*) wildcard, the permitted action is allowed for the role on all sub objects defined within the object.
  • If the action contains an asterisk (*) wildcard, all actions supported by the object are allowed for the role.
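
The lookup described above, from a Deny entry to the group that would allow it, can be scripted. The following is an added example, not Altair code: it parses a log row in the layout shown above and returns the default groups that grant the Object and Action pair, narrowest group first, so the least-privileged fit is tried before an administrator group. It assumes that an object pattern ending in /* covers sub-objects only and not the parent object itself; GRANTS is a subset of the tables on this page, and HubAdministrators is omitted because it allows everything.

```python
# Added example: map an Access Control "Deny" row to the default groups that would allow it.
# GRANTS is a subset of the default-group tables on this page.
GRANTS = {
    "ArtifactDevelopers": [("/ArtifactRepositories/*", {"Read"}),
                           ("/Artifacts/*", {"Upload", "Delete"})],
    "DataAccessConsumers": [("/LibraryDefinitions/*", {"Read"})],
    "PublishedLibraryConsumers": [
        ("/PortalRoute/enterprise/browse-published-libraries", {"*"}),
        ("/PublishedLibraries", {"Read"})],
    "DataAccessAdministrators": [
        ("/PortalRoute/enterprise/browse-published-libraries", {"*"}),
        ("/PortalRoute/enterprise/library-definitions", {"*"}),
        ("/PortalRoute/enterprise/published-libraries", {"*"}),
        ("/PublishedLibraries", {"Read"}),
        ("/LibraryDefinitions/*", {"*"}),
        ("/PublishedLibraries/*", {"Managed"}),
        ("/PublishedLibraryConfig/*", {"*"})],
}

def object_matches(pattern, obj):
    """Assumed reading of the wildcard rule: 'X/*' covers sub-objects of X, not X itself."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]  # keep the trailing slash
        return obj.startswith(prefix) and len(obj) > len(prefix)
    return obj == pattern

def allows(group, obj, action):
    """True if any grant of the group covers the object and the action ('*' = all actions)."""
    return any(object_matches(pattern, obj) and ("*" in actions or action in actions)
               for pattern, actions in GRANTS[group])

def parse_log_row(row):
    """Split a whitespace-separated 'Decision Namespace Object Action' row."""
    decision, namespace, obj, action = row.split()
    return {"decision": decision, "namespace": namespace, "object": obj, "action": action}

def candidate_groups(row):
    """Groups that would turn this Deny into an allow decision, fewest grants first."""
    entry = parse_log_row(row)
    if entry["decision"] != "Deny":
        return []
    hits = [g for g in GRANTS if allows(g, entry["object"], entry["action"])]
    return sorted(hits, key=lambda g: (len(GRANTS[g]), g))

if __name__ == "__main__":
    print(candidate_groups("Deny      Namespace1  /PublishedLibraries  Read"))
```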

Altair SLC Hub contains the following default groups:

ArtifactDevelopers group

This group contains the following role:

  • ArtifactDeveloper. This role enables users to upload artifacts to hub. The role provides the following object permissions:
Object name Action
/ArtifactRepositories/* Read
/Artifacts/* Upload, Delete

ClusterAdministrators group

This group contains the following role:

  • ClusterAdministrator. This role enables users to manage the nodes that make up the Altair SLC Hub cluster. The role provides the following object permissions:
Object name Action
/ClusterNodes *
/ClusterNodes/* *
/PortalApplication/Administration *
/PortalRoute/Administration *
/PortalRoute/Administration/hub-management *
/PortalRoute/Administration/hub-management/* *

CredentialManagers group

This group contains the following roles:

  • PortalCredentialManager. This role enables users to access the parts of the portal necessary for administering authorisation domains and credentials. The role provides the following object permission:
Object name Action
/PortalRoute/enterprise/auth-domains *
  • CredentialManager. This role enables users to manage Authentication Domains and related credentials. The role provides the following object permission:
Object name Action
/AuthDomains/* *

DataAccessAdministrators group

This group contains the following roles:

  • PortalPublishedLibraryConsumer. This role enables users to access the parts of the portal necessary to browse published libraries. The role provides the following object permissions:
Object name Action
/PortalRoute/enterprise/browse-published-libraries *
  • PortalDataAccessAdministrator. This role enables users to access the parts of the portal necessary to perform data access administration tasks. The role provides the following object permissions:
Object name Action
/PortalRoute/enterprise/browse-published-libraries *
/PortalRoute/enterprise/library-definitions *
/PortalRoute/enterprise/published-libraries *
  • PublishedLibraryConsumer. This role enables users to access any published library. The role provides the following object permissions:
Object name Action
/PublishedLibraries Read
  • DataAccessAdministrator. This role enables users to manage Library Definitions and Libname Bindings. The role provides the following object permissions:
Object name Action
/LibraryDefinitions/* *
/PublishedLibraries/* Managed
/PublishedLibraryConfig/* *

DataAccessConsumers group

This group contains the following role:

  • DataAccessConsumer. This role provides users with read access to Library Definitions. The role provides the following object permissions:
Object name Action
/LibraryDefinitions/* Read

DeploymentServicesAdministrators group

This group contains the following roles:

  • PortalDeploymentServicesAdministrator. This role enables users to access all parts of the Deployment Services in the portal. The role provides the following object permissions:
Object name Action
/PortalApplication/DeploymentServices *
/PortalRoute/deployment-services *
/PortalRoute/deployment-services/* *
  • ArtifactAdministrator. This role enables users to administer artifact repositories and artifacts. The role provides the following object permissions:
Object name Action
/ArtifactRepositories/* *
/Artifacts *
/Artifacts/* *
  • DeploymentServicesAdministrator. This role enables users to manage and administer Deployment Services. The role provides the following object permissions:
Object name Action
/Deployments/* *
/Directory/* *
/Jobs *
/PipelineRuns *
/Pipelines/* *

ExecutionProfileUsers group

This group contains the following role:

  • ExecutionProfileUser. This role enables read access to the Execution Profiles. The role provides the following object permissions:
Object name Action
/ExecutionProfiles/* Read, Use

GeneralConsumers group

This group is designed as an example of aggregated group memberships to create users who would consume data, run pipelines and run programs, but not have administration rights. For example, a user who is a member of GeneralConsumers (and has no other direct group memberships) would be able to run a pipeline, but not edit it.

GeneralConsumers has memberships to the following groups:

HubAdministrators group

This group contains the following role:

  • HubAdministrator. This role enables users to manage and administer all Altair SLC Hub functionality. Group members can perform all supported actions available on all objects defined in Altair SLC Hub.

HubUsers group

This group contains the fundamental roles that provide minimal access to Altair SLC Hub functionality. Further roles can be added to a member of this group by assigning other groups to the user to provide the required permissions. The group contains the following roles:

  • PortalCredentialUser. This role enables users to access the "my credentials" parts of the Altair SLC Hub portal. The role provides the following object permissions:
Object name Action
/PortalApplication/Enterprise Read, Use
/PortalRoute/enterprise *
/PortalRoute/enterprise/my-credentials *
  • ExecutionProfileUser. This role enables users to use execution profiles previously defined in the Altair SLC Hub. The role provides the following object permissions:
Object name Action
/ExecutionProfiles/* Read, Use
  • CredentialUser. This role enables users to use execution profiles previously defined in the Altair SLC Hub. The role provides the following object permissions:
Object name Action
/AuthDomains/* * Read
  • User. This role enables users to use execution profiles previously defined in the Altair SLC Hub. The role provides the following object permissions:
Object name Action
/Groups/* ReadSimple
/PortalRoute/ *
/PortalRoute/settings/* *
/Users/* ReadSimple
  • NamespaceUser. This role enables users to use a namespace. The role provides the following object permissions:
Object name Action
/NamespaceRead
  • Use

InvocationPortalUsers group

This group contains the following role:

  • InvocationPortalUser. This role enables users to access the invocation portal. The role provides the following object permissions:
Object name Action
/FavouriteJobs *
/FavouritePrograms *
/PortalApplication/Invocation *
/PortalRoute/ *
/PortalRoute/invocation *
/PortalRoute/invocation/* *
/PortalRoute/settings/* *

LinkSessionUsers group

This group contains the following role:

  • LinkSessionUser. This role enables users to create link sessions and manage their own sessions. The role provides the following object permissions:
Object name Action
/LinkSessions Create

PipelineDevelopers group

This group contains the following roles:

  • PipelineDeveloper. This role enables users to develop pipelines. The role provides the following object permissions:
Object name Action
/PipelineRuns *
/Pipelines/* *
  • PortalPipelineUser. This role enables users to access the relevant parts of the Altair SLC Hub portal to make use of pipelines. The role provides the following object permissions:
Object name Action
/PortalApplication/DeploymentServices *
/PortalRoute/deployment-services *
/PortalRoute/deployment-services/pipeline-editor/* *
/PortalRoute/deployment-services/pipelineruns *
/PortalRoute/deployment-services/pipelineruns/* *
/PortalRoute/deployment-services/pipelines/* *
/PortalRoute/deployment-services/pipeline-triggers *

PipelineUsers group

This group contains the following roles:

  • PipelineUser. This role enables users to view and submit pipelines and pipeline runs. The role provides the following object permissions:
Object name Action
/PipelineRuns *
/Pipelines/* Read, Submit, ListTriggers, ReadTrigger
  • PortalPipelineUser. This role enables users to access the relevant parts of the Altair SLC Hub portal to make use of pipelines. The role provides the following object permissions:
Object name Action
/PortalApplication/DeploymentServices *
/PortalRoute/deployment-services *
/PortalRoute/deployment-services/pipeline-editor/* *
/PortalRoute/deployment-services/pipelineruns *
/PortalRoute/deployment-services/pipelineruns/* *
/PortalRoute/deployment-services/pipelines/* *
/PortalRoute/deployment-services/pipeline-triggers *

PublishedLibraryConsumers group

This group contains the following roles:

  • PortalPublishedLibraryConsumer. This role enables users to access the parts of the Altair SLC Hub portal necessary to browse published libraries. The role provides the following object permissions:
Object name Action
/PortalRoute/enterprise/browse-published-libraries *
  • PublishedLibraryConsumer. This role enables users to consume any published library. The role provides the following object permissions:
Object name Action
/PublishedLibraries Read