Once a user is added, a role should be assigned to the user based on the privileges granted to that role.
NOTE: Only a superuser can assign roles and grant privileges to users. Users can only view the privileges granted; they cannot edit or delete them.
Let us understand how to add a new role, edit and delete the role as well as assign roles to users based on the privileges granted to roles.
Adding a New Role
To add a new role:
Click Security > Role Management and the following screen appears.

Figure 337: List of security roles
A list of already created roles will appear.
Click Add and the following screen appears.

Enter the Role Name and Role Description (the description can briefly list the privileges specific to the role). For example, Schema Admin is the Role Name, and the Role Description can describe the role, such as ‘Managing schemas’.
Click Add and the role is added as shown in the following figure.

Hover the mouse on the icon as shown below to view the role description.

Editing a Role
Once a role is added, you can edit the details of the role.
To edit role details:
Hover the mouse on the user role and click the Edit Role icon next to the name of the role as shown in the following figure.

The following screen appears.

Edit the Role Name and Role Description as needed.
Click Submit and the changes are updated successfully.
Deleting a Role
You can delete a role from PCC. However, a role has certain privileges, and users are assigned to it. Deleting a role therefore removes the users assigned to it, and they will no longer be able to perform the actions assigned to the deleted role.
To delete a role:
Hover the mouse on the user role and click the Delete Role icon next to the name of the role as shown in the following figure.

The following screen appears.

Click Yes and the role is deleted successfully.
Once a new role is added, it is important to grant privileges to the role based on what actions the users assigned to the role need to do in PCC. As you click the role, the following three panels are displayed as shown in the following figure.

Figure 345: Security role management screen
The three panels are:
Catalog Independent Privileges
Catalog Level privileges
Users
Let us understand how to grant privileges and assign users to a role in the following sections.
Granting Catalog Level and Catalog Independent Privileges
There are two types of privileges that can be granted to a role which are as follows:
Catalog Independent Privileges – As the name states, these privileges are not specific to any catalog. The actions included in this list will not impact the catalog. This includes privileges related to digital assets, UoMs, security and adding a catalog. By default, none of the privileges are selected as shown in the following figure.

Figure 346: List of catalog independent privileges
For example, for Schema Admin role, the Catalog Add privilege is required.
Select Schema Admin role and then select Catalog privilege. Click Save as shown below.

Figure 347: Granting privileges to a role
The changes are updated successfully. A user with the Schema Admin role can now add a catalog, as the privilege is granted. You can grant multiple privileges to a role in the same way. Similarly, you can remove the privileges by clicking Discard Changes. You can grant any privilege based on the role identified.
Hover the mouse on the icon next to the privilege name to view the details of what each privilege will allow a user to do in PCC as shown in the following figure.

Figure 348: View details of each privilege
The privileges are grouped into categories depending on the actions being performed in various modules. For example, let us consider the module Digital Asset and the list of privileges are as shown below.

Figure 349: Various categories of privileges
You can assign all privileges under Digital Asset or choose the privileges to be assigned. However, if you choose a privilege that is dependent on any other privilege, an error is displayed as shown below. For example, let us select DA Delete.

Figure 350: Error message related to privilege.
As displayed, you cannot grant the DA Delete privilege until DA Edit is granted. The reason is that you cannot delete an asset unless you have edited or modified the asset properties. Once you select DA Edit, you can then select DA Delete too.
Catalog Level Privileges – As the name states, these privileges are specific to a catalog. A complete list of catalogs created in PCC is displayed. By default, none of the privileges are selected in any catalog as shown in the following figure.

Figure 351: Catalog level privileges
For example, for the Schema Admin role, the catalog level privileges need to be set in all catalogs for schema related functions. Let us select the catalog PCC Test Catalog as shown in the figure above.
Select the Schema related actions and click Save as shown below.

Figure 352: Grant catalog level privileges to a role
The changes are updated successfully. Similarly, you can remove the privileges by clicking Discard Changes. Thus, for a selected role, you can choose the catalog and select the specific actions from that catalog that apply to the role. However, if you choose a privilege that is dependent on any other privilege, an error is displayed, as described earlier for catalog independent privileges.
Both the catalog level as well as catalog independent privileges will be granted based on the role. For example, a superuser will have all privileges whereas a Schema Admin will be provided privileges that are required to perform Schema related actions only.
Assigning Users to Roles
Once a user role is defined, you need to assign users to the role. These users will perform actions based on the privileges granted to the role.
To assign a user to a role:
Select the role. For example, in this case, Schema Admin.
Click Add User in the last panel as shown in the following figure.

The following screen appears.

Figure 354: Add user to the role
Select the user from the list of Available User(s). The users are displayed based on the users added, as explained in the Adding a New User to Access PCC section.
Click the move icon to move the selected user to the right panel. If you need to move all the users, click the move-all icon.
While moving users, if a wrong user is moved to the right panel, select the user in the right panel and click the move-back icon to move the user back to the left panel. You can also click the move-all-back icon to move all users.
Once the user is selected and added to the right panel, click Submit and the user is added successfully for the role. The user will now have all privileges granted to the role.
Removing a User
You can also remove a user from the role assigned. Removing a user will not delete the user. The user will continue to exist in other roles assigned, if any.
To remove a user:
Hover the mouse on the user and click the Remove User icon as shown in the following figure.

The following screen appears.

Click Yes. The access is revoked and the user is removed successfully from the role assigned.
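The access rules described above (a privilege that depends on another privilege, and access that follows role membership) can be modeled in a few lines of Python, which is useful when reviewing what a user can still do after a role is deleted or a user is removed. This is an added example, not PCC code; the class and function names, the Asset Editor role, the Schema Edit privilege name and the user alice are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Dependency stated on the page: DA Delete cannot be granted until DA Edit is.
REQUIRES = {"DA Delete": {"DA Edit"}}


@dataclass
class Role:
    independent: set = field(default_factory=set)    # catalog independent privileges
    per_catalog: dict = field(default_factory=dict)  # catalog name -> privileges
    users: set = field(default_factory=set)

    def grant(self, privilege, catalog=None):
        """Grant a privilege, refusing it while a prerequisite is missing."""
        held = self.independent if catalog is None else self.per_catalog.setdefault(catalog, set())
        missing = REQUIRES.get(privilege, set()) - held
        if missing:
            raise ValueError(f"{privilege} requires {', '.join(sorted(missing))}")
        held.add(privilege)


def effective(roles, user, catalog=None):
    """Union of the privileges of every role the user is assigned to."""
    result = set()
    for role in roles.values():
        if user in role.users:
            result |= role.independent if catalog is None else role.per_catalog.get(catalog, set())
    return result


def demo():
    roles = {"Schema Admin": Role(), "Asset Editor": Role()}  # second role is constructed
    roles["Schema Admin"].grant("Catalog Add")
    roles["Schema Admin"].grant("Schema Edit", catalog="PCC Test Catalog")  # constructed name
    try:
        roles["Asset Editor"].grant("DA Delete")  # prerequisite DA Edit not yet granted
        rejected = False
    except ValueError:
        rejected = True
    roles["Asset Editor"].grant("DA Edit")
    roles["Asset Editor"].grant("DA Delete")
    for role in roles.values():
        role.users.add("alice")  # constructed user assigned to both roles
    before = effective(roles, "alice")
    del roles["Schema Admin"]  # deleting a role ends the access it gave
    after_delete = effective(roles, "alice")
    roles["Asset Editor"].users.discard("alice")  # removing the user from a role
    after_remove = effective(roles, "alice")
    return rejected, before, after_delete, after_remove


if __name__ == "__main__":
    print(demo())
```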