Pentaho Documentation

Use Pentaho Security

If you choose to use Pentaho Security as your security provider, you define users and roles through the User Console. The Default Users and Roles section provides an overview of the out-of-box users and roles, along with the permissions that are included with each role. Permissions can be further refined on the file- or folder-level from the Browse perspective of the User Console.

Before changing security settings, play it safe and back up the relevant files:
  • If you installed using the Installation Wizard or the Archive Installation, back up the Pentaho Business Analytics or BA Server directories.
  • If you installed manually, back up the Pentaho .war and solutions.

When you are done, please go on to the next stop on the Guide Post graphic.

Default Users and Roles

Viewing the default users and roles gives you an idea of how you can define your own users and roles. To view them, log in to the User Console, click the Administration perspective link on the right, then Users and Roles from the items on the left, and then the Manage Users tab. Highlighting a user in the Users list shows which roles are available for that user, as well as which role is currently defined for that user.

The Manage Roles tab shows information similar to the Manage Users tab, with the roles listed in the pane on the left and the associated Operation Permissions for each role listed on the right.

Each default role and user comes with a standard set of permissions. These roles are added for your convenience and can be removed or altered based on your needs.

The default role for all users is Authenticated. If you want to restrict permissions, the Authenticated role must be restricted or the Authenticated role must be removed from the user.

Table 1. Default Pentaho Security Settings
Out-of-Box Role | Out-of-Box User | Default Operation Permissions
Administrator | admin |
  • Administer Security
  • Read Content
  • Publish Content
  • Manage Data Sources
  • Schedule Content
  • Create Content
Business Analyst Role | pat |
  • Publish Content
Power User Role | suzy |
  • Read Content
  • Publish Content
  • Schedule Content
  • Create Content
Report Author Role | tiffany |
  • Publish Content
  • Schedule Content

Each operation permission gives a specific set of permissions for Pentaho tools and the BA Server.

Table 2. Operation Permissions Defined
Operation Permission | Definition
Administer Security | The default Administrator role automatically conveys all operation permissions to users assigned to that role, even if the check box next to it is cleared. This includes the Read and Create Content permissions, which are required for accessing the Administration perspective.
  • Gives access to the Administration perspective of the User Console.
  • Allows access to and the ability to manage all content in the Browse perspective.
  • Allows the ability to view and work with all user schedules in the Schedules perspective.
  • Gives the ability to create server block out times in the Schedules perspective.
Read Content |
  • Gives the user the ability to view content in the Browse perspective.
  • Gives the user the ability to view content through the File > Open dialog.
Publish Content | This permission includes tools such as Report Designer, Agile BI, Schema Workbench, and Metadata Editor.
  • Allows client tools to store reports or data models in the Pentaho repository.
Manage Data Sources |
  • Allows the user to create, edit, or delete new data sources.
  • Gives the user the ability to see a list of data sources that are used to create reports or dashboards.
  Note: This operation permission does not include Metadata data sources. This Metadata Security article gives specific information on how to give permissions to manage Metadata data sources.
Schedule Content |
  • Allows the user to schedule reports and content.
  • Gives the user the ability to view, edit, or delete their own schedules using the Schedules perspective.
Create Content |
  • Allows the user to create, import, delete, and save reports to the repository.
  • Gives the user the ability to see a list of data sources that are used to create reports or dashboards.
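
The role model described above (permissions are the union of a user's roles, Administrator conveys everything, and Authenticated is held by default) can be checked mechanically during an access review. The following Python code is an added example, not part of the Pentaho documentation or product: it computes effective permissions and flags out-of-box accounts, holders of Administer Security, and permissions a user keeps only through Authenticated. The user jdoe, the permissions given to Authenticated, and the cleared Administrator check boxes are constructed sample data.

```python
# Added example; all user/role data below is constructed, not a real export.
ALL_PERMISSIONS = frozenset({
    "Administer Security", "Read Content", "Publish Content",
    "Manage Data Sources", "Schedule Content", "Create Content",
})
OUT_OF_BOX_USERS = {"admin", "pat", "suzy", "tiffany"}  # from Table 1

def effective_permissions(roles, role_permissions):
    """Union of the permissions of every role the user holds."""
    if "Administrator" in roles:
        # Table 2: Administrator conveys every permission, even when
        # the check boxes for that role are cleared.
        return set(ALL_PERMISSIONS)
    perms = set()
    for role in roles:
        perms |= set(role_permissions.get(role, ()))
    return perms

def audit(users, role_permissions):
    """Return sorted (user, finding) tuples for an access review."""
    findings = []
    for user, roles in users.items():
        perms = effective_permissions(roles, role_permissions)
        if user in OUT_OF_BOX_USERS:
            findings.append((user, "out-of-box account present"))
        if "Administer Security" in perms:
            findings.append((user, "holds Administer Security"))
        # Permissions that survive removal of every other role because
        # only Authenticated grants them.
        others = [r for r in roles if r != "Authenticated"]
        residual = perms - effective_permissions(others, role_permissions)
        for perm in sorted(residual):
            findings.append((user, f"'{perm}' only via Authenticated"))
    return sorted(findings)

# Constructed sample: Authenticated's permissions here are an assumption.
ROLE_PERMISSIONS = {
    "Administrator": [],  # check boxes cleared on purpose
    "Authenticated": ["Read Content", "Create Content"],
    "Report Author": ["Publish Content", "Schedule Content"],
}
USERS = {
    "admin": ["Administrator", "Authenticated"],
    "tiffany": ["Report Author", "Authenticated"],
    "jdoe": ["Authenticated"],  # hypothetical user
}

if __name__ == "__main__":
    for user, finding in audit(USERS, ROLE_PERMISSIONS):
        print(f"{user}: {finding}")
```

A finding of the form "only via Authenticated" marks a permission that stays in place until the Authenticated role itself is restricted or removed from that user.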

 

Add Users

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Manage Users tab is selected, then click the plus (+) sign above the list of users. The New User dialog box appears.
  3. Enter a new User Name, Password, and Confirm Password, then click OK.
The new user account is active, and appears in the Users list.

Change User Passwords

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Manage Users tab is selected. From the Users list, click to select the user whose password you want to edit. The user's information populates to the right of the Users field.
  3. Click Edit, then enter and confirm the new password. Click OK.
The password is changed and the user is able to log in with the new password.

Delete Users

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Manage Users tab is selected, then in the Users field, click to select the user or users you want to delete from the server.
  3. Click the x to delete the user or users. The Delete User confirmation dialog box appears.
  4. Click Yes, Delete to delete the user(s) and refresh the user list.
The selected user accounts are deleted and the users are no longer able to log into the BA Server.

Assign Users to Roles

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Manage Users tab is selected, then click to highlight the user from the Available user list that you want to associate with a role.
  3. In the Role Available list, click to highlight the role that you want to associate with the selected user.
  4. Click the right arrow to move the role to the Role Selected list.
  5. You can remove a role from the Role Selected list by highlighting that role and clicking on the left arrow. The role moves from the Role Selected to Role Available list, and the user no longer has the permissions associated with that role.
The user now has all of the permissions associated with the role in the Role Selected list.

Add Roles

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Roles tab is selected, then click the plus (+) sign above the list of roles. The New Role dialog box appears.
  3. Enter a new Name for the role, then click OK.
The new role is created, and appears in the Available roles list.

Assign Permissions to Roles

  1. After you add a new role, you need to assign operation permissions to it.
  2. Make sure that the role is highlighted in the Roles list.
  3. Assign permissions to the role by selecting from the Operation Permissions list to the right.
The role has permissions assigned to it, and users associated with that role have those permissions.

Delete Roles

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Roles tab is selected, then from the Available field, click to select the role or roles you want to delete from the server.
  3. Click the x to delete the role(s). The Delete Role confirmation dialog box appears.
  4. Click Yes to delete the role(s) and refresh the role list.
The selected role is deleted and is no longer available on the server. The users that were associated with that role are no longer associated with that role. This will not affect the other roles assigned to users.

If users have only one role assigned to them and that role is deleted, then the users have no role assigned to them. The default role is Authenticated and all users have that role unless you remove it.

Assign Roles to Users

  1. Click on the Administration perspective link on the upper right toolbar of the console, then click on Users & Roles. The Users & Roles interface appears.
  2. Make sure the Roles tab is selected, then click to highlight the role from the Available roles list that you want to associate with a user or users.
  3. In the Members Available list, click to highlight the user or users that you want to associate with the selected role.
  4. Click the right arrow to move the selected users to the Members Selected list. You can click the double-right arrow to move all users from the Members Available to the Members Selected list.
  5. You can remove users from the Members Selected list by highlighting that user and clicking on the left arrow. The user moves from the Members Selected to Members Available list, and no longer has the permissions associated with the highlighted role.
The users that appear in the Members Selected list are now tied to the highlighted role, and have all of the permissions associated with that role.