
Users and roles

The Delphix Masking Service has a flexible and robust users and roles system that allows you to give users fine-grained privileges over which environments they can access and which tasks they can and cannot perform.

What are roles?

A defined role is what is used to give certain users privileges over certain environments and tasks. Roles can be defined by selecting a subset of actions that can be taken on certain objects.

Navigate to Admin > Roles to view all roles. From here, users can view and modify roles.

The roles on the screen can be filtered or sorted by fields Name and Type by clicking on the respective fields. More information on grid filtering and sorting can be found here.

Role Type

With the 13.0.0.0 release, a new parameter, Role Type, has been added to the product. There are 2 types of roles: CUSTOM and DEFAULT. All built-in system roles have the type DEFAULT, and all other roles have the type CUSTOM.

There have been 5 roles added to the product with the role type DEFAULT.

  1. IT Security Analyst

  2. DBA

  3. SME

  4. Operator

  5. Environment Owner

If a role with the name ‘All Privileges’ exists on the product then it will be marked as a DEFAULT role type.

If a role with any of the above names already exists, then the role being added will be renamed by appending a sequence number. For example, if ‘DBA’ and ‘DBA 1’ are already present in the system, then the role with the name ‘DBA 2’ will be added to the product with the DEFAULT role type.
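The renaming rule above can be checked against an engine's current role names before upgrading. The following is an added example, not Delphix code; it assumes the lowest unused sequence number is appended and that names are compared exactly, since the page only gives the ‘DBA 2’ case.

```python
# Added example: predict which names the built-in DEFAULT roles receive.
DEFAULT_ROLES = ["IT Security Analyst", "DBA", "SME", "Operator",
                 "Environment Owner"]


def default_role_name(base, existing):
    """Name a built-in role would get, given the role names already present.

    Assumption: the lowest free sequence number is used and comparison is
    case-sensitive. The page documents only the 'DBA', 'DBA 1' -> 'DBA 2' case.
    """
    if base not in existing:
        return base
    n = 1
    while f"{base} {n}" in existing:
        n += 1
    return f"{base} {n}"


def plan_default_roles(existing_names):
    """Summarise what the role grid should contain after the roles are added."""
    existing = set(existing_names)
    added = {base: default_role_name(base, existing) for base in DEFAULT_ROLES}
    return {
        # built-in role -> name it is added under
        "added": added,
        # built-in roles whose name is already taken by an existing role
        "renamed": {b: n for b, n in added.items() if b != n},
        # an existing 'All Privileges' role is marked DEFAULT
        "marked_default": ["All Privileges"] if "All Privileges" in existing else [],
    }


# Constructed sample: role names on an engine before the upgrade.
SAMPLE_EXISTING = ["All Privileges", "DBA", "DBA 1", "Masking Team"]

if __name__ == "__main__":
    print(plan_default_roles(SAMPLE_EXISTING))
```

Every entry under `renamed` marks a name collision: the existing role keeps the plain name, and the built-in DEFAULT role is the one carrying the suffix, so confirm which of the two a user is assigned.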

Actions

When defining a role, you can select one or more of the following actions for the role to be able to perform:

  • View: Be able to view the object and important information about the object.

  • Add: Be able to add an instance of an object.

  • Update: Be able to update/edit an instance of an object.

  • Delete: Be able to delete an instance of an object.

  • Copy: Be able to create a copy of an object.

  • Export: Be able to export an object from a Delphix Engine.

  • Import: Be able to import an exported object into a Delphix Engine.

Please note that not all of these actions are available for all objects in the masking service.

Objects

While defining a role, permission to perform the above actions can be defined on a per-object basis. These objects include:

  • General: Environment, Connection, Ruleset, Inventory

  • Jobs: Profile Job, Masking Job, Tokenize Job, Re-identify Job

  • Settings: Domains, Algorithms, Plugins, Classifier, Profiler Set, File Format, JDBC Drivers, Password Vault, User, Diagnostic

  • Report: Inventory Report

  • Approval Workflow: Approve Inventories

Refer to Delphix Masking Terminology for definitions of these objects.
The View privilege for Plugins and JDBC Drivers should always be true for any type of role.
Environment Export privilege permission is no longer supported.

Adding a role

To add a role follow these steps:

  1. Log in to the Masking Engine, and select Admin > Roles.

  2. Click the + Role button from the top-right corner just above the roles grid.

  3. A full-screen dialog will appear for adding a new role. Enter a Role Name. The far-left column lists the items for which you can set actions.

  4. Select the checkboxes for the corresponding actions that you want to apply. If there is no checkbox, that action is not available. For example, if you want this role to have View, Add, Update, Delete, and Run actions for masking jobs, select the corresponding checkboxes in the Masking Job row.

  5. If you remove an action that other selected actions depend on, a dialog box will appear asking you to confirm removing the action together with all its dependents.

    1. For example, Masking Job [View, Add, Update, Delete, Run] depends on Environment - View. Therefore, if the user tries to remove Environment - View, the dialog asks for confirmation and lists the dependents that will be removed with it. Users who do not wish to remove it can select the Cancel or Close icon; otherwise, they can select OK and move forward with the changes.

  6. When you are finished assigning privileges for this Role, click Save.

Recommended roles

While every organization will differ in what users and roles they define, Delphix uses these common/popular roles. Please note that each defined user can only have one role assigned to them.

  • Administrator: This role is assigned by enabling a user's Administrator setting in either the UI or API. A user with this role has unrestricted access to all the engine functions. Specifically, the user has all privileges available through the roles system and the following additional, Administrator-only privileges:

    • Sync

    • A User's apiAccess and userStatus setting

    • Audit Page

    • Admin > Users Generate Key Button

    • Admin > Email Notification

    • Admin > Utilization

    • Deletion of any object: An Admin can delete any object, such as any Algorithm, Domain, Classifier, or Profile Set. In contrast, a user with the All Privileges role can only delete objects they created.

    • Settings > Roles

  • IT Security analyst: Unrestricted access for all settings functions; access to all application functions except environment and environment create, delete, update.

  • All Privileges: Unrestricted access to an application environment; central admin or security analyst will determine if this role can modify settings.

  • DBA: Manage connections for the application database, scripting, and scheduling (no settings).

  • SME/Analyst/Developer: Manage inventories, create, and view jobs.

  • Operator: All job privileges.

  • Environment Owner: Approve workflow and inventories, privileges to view for settings and environment.

Modifying Roles

Users can perform 4 types of action on this screen by clicking the button to the right of the corresponding row under the Actions column.

1. View Role

The user can view the role details. All fields on the dialog form are disabled when View is selected.

2. Edit Role

The user can edit the actions of roles. The role name is not allowed to be edited. It will be disabled.

3. Duplicate Role

On selecting the Duplicate option, the new role dialog opens with the existing role's actions pre-selected, and the user can enter a new name to duplicate the role.

4. Delete Role

  • Roles with CUSTOM type can be added, edited, deleted, duplicated, and viewed.

  • Roles with DEFAULT type cannot be added, edited, or deleted. They can only be viewed and duplicated.

To modify or add a role using the Masking API, follow these steps:

  1. Access the API client on your Masking Engine, from http://myMaskingEngine.myDomain.com/masking/api-client.

  2. Log in to the Masking Engine and select the Role endpoint.

  3. Execute API requests by providing request parameters and body as mentioned in the example. (Sample JSON for Add/Update role API)

What are users?

Once you have your roles defined, it is time to create users with those roles. We highly recommend creating independent users for each individual who will have access to the masking service.

Navigate to Admin > Users to view all users. The users on the screen can be filtered or sorted by the various informational fields by clicking on the respective fields. More information on grid filtering and sorting can be found here.

Sortable and Filterable columns are User Name, Last Name, First Name, Email, and Admin.

Adding a user

To create a new user using the Masking UI follow these steps:

  1. Log in to the Masking Engine, and select Admin > Users.

  2. Click the + User button from the top-right corner just above the user grid.

  3. A dialog will appear for adding a new user.

  4. You will be prompted for the following information:

    • First Name: (Optional) The user's given name

    • Last Name: (Optional) The user's surname

    • User Name: The login name for the user

    • Email: The user's e-mail address (mailable from the Delphix Masking Engine server for purposes of job completion e-mail messages)

    • Principal: Identifies this user on external identity services. Used for OAuth2 API authentication when the principal is selected as the field to match users with access tokens.

    • Password: The password that the Delphix Masking Engine uses to authenticate the user on the login page. The password must be at least eight characters long, but no longer than 65 characters. It must also contain a minimum of one uppercase character, one unique character (!@#$%^&*), and one number.

    • Confirm Password: Confirm the password with double-entry to avoid data entry errors.

    • Administrator: (Optional) Select the Administrator checkbox if you want to give this user Administrator privileges. (Administrator privileges allow the user to perform all Delphix Masking Engine tasks, including creating and editing users in the Delphix Masking Engine.) If you select the Administrator checkbox, the Roles and Environments fields disappear because Administrator privileges include all roles and environments.

    • Role: Select the role to grant to this user. The choices here depend on the custom roles that you have created. You can assign one role per user name.

    • Environments: Enter as many environments as this user will be able to access. Granting a user access to a given environment does not give them unlimited access to that environment. The user's access is still limited to their assigned role.

  5. When you are finished, click Save.

When a user is created, its Account Status is Active by default.

To create a new user using the Masking API follow these steps:

  1. Access the API client on your Masking Engine, from http://myMaskingEngine.myDomain.com/masking/api-client.

  2. Log in to the Masking Engine and select the User endpoint.

  3. Click Create users using the POST /users section and refer to the Example Value for parameters required for new users.

  4. Enter valid User creation JSON in the body section, refer to sample create users JSON (Sample New User Create JSON)

  5. Click on Execute.
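The constraints listed above (password policy, one role per user, Administrator replacing the Role and Environments fields) can be checked before a batch of users is submitted through the UI or POST /users. This is an added example, not Delphix code; the dictionary keys are hypothetical and are not the API's JSON schema, and the sample users are constructed.

```python
SPECIALS = "!@#$%^&*"  # special characters listed in the password rule


def password_problems(pw):
    """Check a password against the documented policy; return the failures."""
    problems = []
    if not 8 <= len(pw) <= 65:
        problems.append("length must be 8 to 65 characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase character")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs one of " + SPECIALS)
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    return problems


def user_problems(user):
    """Check one user definition (hypothetical dict keys, not the API schema)."""
    problems = []
    if not user.get("user_name"):
        problems.append("user name is missing")
    problems += password_problems(user.get("password", ""))
    roles = user.get("roles", [])
    envs = user.get("environments", [])
    if user.get("administrator"):
        # Administrator includes all roles and environments, so neither is set.
        if roles or envs:
            problems.append("administrator must not list roles or environments")
    elif len(roles) != 1:
        problems.append("non-admin user needs exactly one role")
    return problems


def preflight(users):
    """Map each user name to its problems; a reused login name is flagged too."""
    seen, report = set(), {}
    for user in users:
        name = user.get("user_name", "")
        found = user_problems(user)
        if name in seen:
            found.append("duplicate user name")
        seen.add(name)
        report.setdefault(name, []).extend(found)
    return {name: found for name, found in report.items() if found}


# Constructed sample input.
SAMPLE_USERS = [
    {"user_name": "asmith", "password": "Str0ng#Passw", "roles": ["DBA"]},
    {"user_name": "bjones", "password": "weakpass", "roles": ["DBA", "Operator"]},
    {"user_name": "root2", "password": "Adm1n!Example", "administrator": True,
     "roles": ["Operator"]},
]
```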

Modifying User

Users can perform 3 types of action on this screen by clicking the button to the right of the corresponding row under the Actions column.

View User

Displays the user details. All fields on the dialog form are disabled when View is selected.

Edit User

The Edit user dialog will appear with existing user details.

The following user information can be modified through the Edit User screen:

  1. First Name

  2. Last Name

  3. Email Address

  4. Principal

  5. Password

  6. Administrator Status

  7. Welcome Page Status

  8. Account Status (cannot be changed to Locked)

  9. User Roles (non-admin users only)

  10. User Environments (non-admin users only)

To update user information using the Masking API, follow these steps:

  1. Access the API client on your Masking Engine, from http://myMaskingEngine.myDomain.com/masking/api-client.

  2. Log in to the Masking Engine and select the User endpoint.

  3. Click Update user by ID and refer to the Example Value for parameters required for updating users.

  4. Enter valid User creation JSON in the body section, refer to sample create users JSON. (Sample User JSON)

  5. Click on Execute.

A user's Account Status is automatically changed to Locked on 3 invalid login attempts.

Delete User

On clicking the Delete option, a confirmation dialog will appear for deleting the user. Users who do not wish to delete the user can select the Cancel or Close icon; otherwise, they can select Confirm and move forward with the changes.

To delete a user using the Masking API, follow these steps:

  1. Access the API client on your Masking Engine, from http://myMaskingEngine.myDomain.com/masking/api-client.

  2. Log in to the Masking Engine and select the User endpoint.

  3. Click Delete user by ID and enter the user ID for the user to be deleted.

  4. Click on Execute.
