Skip to main content
Pentaho Documentation

Manage Users and Roles in PUC

This section provides an overview of the default assignments for users and roles, the permissions included, and the management of users and roles in the Pentaho User Console (PUC). You must login to PUC as an administrator (or be assigned to a role that has Administer Security permission) to manage users and roles for Pentaho Security.

Here is how you can manage users:

Here is how you can manage roles:

Before changing security settings, play it safe and back up these relevant files:

  • If you installed Pentaho using the Installation Wizard, back up the Pentaho Business Analytics and the Pentaho Server directories.
  • If you installed Pentaho using the manual process, back up the Pentaho Business Analytics, the Pentaho Server directories, and the Pentaho.war files and solutions.

You can control users and roles in PUC with a point-and-click user interface. The Users & Roles page allows you to switch between user and role settings. You can add, delete, and edit users and roles from this page.

Access to files or folders can also be refined using the Browse Files perspective in PUC. Each file or folder can use the default permissions or permissions can be customized for specific users and roles. For more information, see Restrict or Share Files and Folders.

Sample Users, Default Roles, and Permissions

By viewing the sample user and default role examples you can get ideas about ways to define actual users and specific roles.

  1. Login to PUC. Click Home > Administration. The Administration perspective opens the Users & Roles page with the Manage Users tab selected.
  2. Highlight a user in the users list to display which roles are available for that user, as well as which role is currently defined for that user.
  3. Select the Manage Roles tab to display the Operation Permissions for the user's role, as defined by the checked boxes. These roles, added for your convenience, can be removed or altered based on your needs (see Table 1). Each default role and sample user comes with a standard set of permissions, which provides for a specific set of capabilities when using Pentaho tools and the Pentaho Server (see Table 2).
  4. Select the System Roles tab to display the user's system role. System Roles are built-in roles used to control default behaviors and permissions in PUC, handled implicitly or through system configuration, with automatic assignments. The default system role for all users is Authenticated. If you want to restrict permissions, the Authenticated role must be restricted or removed from the user.

Table 1. Default Pentaho Security Settings
Default Role Sample User Default Operation Permissions
Administrator admin
  • Administer Security
  • Schedule Content
  • Read Content
  • Publish Content
  • Create Content
  • Execute
  • Manage Data Sources
Business Analyst pat
  • Publish Content
Power User suzy
  • Schedule Content
  • Read Content
  • Publish Content
  • Create Content
  • Execute
Report Author tiffany
  • Schedule Content
  • Publish Content
Table 2. Operation Permissions Defined
Operation Permission Definition
Administer Security The default Administrator role automatically conveys all operation permissions to users assigned to that role, even if the check box next to it is cleared. These permissions include the Read and Create Content permissions, which are required for accessing the Administration perspective.
  • Gives access to the Administration perspective of PUC.
  • Allows access to and the ability to manage all content in the Browse perspective.
  • Allows the ability to view and work with all user schedules in the Schedules perspective.
  • Gives the ability to create server block out times in the Schedules perspective.
Schedule Content
  • Allows the user to schedule reports and content.
  • Gives the user the ability to view, edit, or delete their own schedules using the Schedules perspective.
Read Content
  • Gives the user the ability to view content in the Browse perspective.
  • Gives the user the ability to view content through the File > Open dialog box.
Publish Content This permission includes tools such as Report Designer, Schema Workbench, and Metadata Editor.
  • Allows client tools to store reports or data models in the Pentaho Repository.
Create Content
  • Allows the user to create, import, delete, and save reports to the repository.
  • Gives the user the ability to see a list of data sources which are used to create reports or dashboards.
Execute
  • Enables the Run, Preview, Debug, Reply, and Verify buttons and menu entries in Spoon, Kitchen, Pan, and Carte.
  • Allows the user to save, copy, or schedule transformations and jobs.
  • Gives the user the ability to use export buttons and associated menu entries.
Manage Data Sources
  • Allows the user to create, edit, or delete new data sources.
  • Gives the user the ability to see a list of data sources that are used to create reports or dashboards.
  • In Analyzer, allows the user to make inline model editing changes including modifying existing (base) measures.
  • In Analyzer, allows the user to add and edit calculated measures to the data model.
  • In Analyzer, allows the user to hide and show fields.

Operation permission does not include Metadata data sources. This Metadata Security article gives specific information on how to give permissions to manage Metadata data sources.

Add Users

  1. With the Manage Users tab selected, click the plus (+) sign. The New User dialog box appears.
  2. Enter a new User Name and Password, then Confirm Password and click OK. The new user account is active and displays in the Users list.

Change User Passwords

  1. With the Manage Users tab selected, click the user for whose password you want to edit. The user's information populates to the right of the Users field.
  2. Click Edit. Enter the New Password and Confirm Password then click OK. The password is changed and the user is able to login with the new password.

After you have logged into PUC for the first time, it is a best practice to change the default administrator password.

Delete Users

  1. With the Manage Users tab selected, click the user or users in the Users list that you want to delete.
  2. Click the X to delete the user or users. The Delete User confirmation dialog box appears.
  3. Click Yes, Delete to delete the user(s) and refresh the user list. The selected user accounts are deleted and the users are no longer able to login to the Pentaho Server.

Set the Authentication Method

By choosing the authentication method, you can choose where the users and their login credentials will be managed.

  1. Click Authentication. 
  2. Select the associated radio button for the desired method:

Assign Users to Roles

  1. With the Manage Users tab selected, click to highlight the user from the Users list that you want to associate with a role.
  2. In the Available list, click to highlight the role that you want to associate with the selected user.
  3. Click the right arrow (>) to move the role to the Selected list. 
  4. You can remove a role from the Selected list by highlighting that role and clicking on the left arrow (<). The role moves from the Selected to Available list, and the user no longer has the associated permissions. The user now has all of the permissions associated with the role in the Selected list.

Add Roles

  1. With the Manage Roles tab selected, click the plus (+) sign. The New Role dialog box appears.
  2. Enter a new Name for the role, then click OKThe new role is created, and appears in the Available roles list. After adding a new role, you need to assign operation permissions to it, see Assign Permissions to Roles, below, for details. 

Assign Permissions to Roles

  1. Make sure that the role is highlighted in the Roles list.
  2. Click in the check boxes in the Operation Permissions list. The role has permissions assigned to it, and users associated with that role have those permissions.

Delete Roles

  1. With the Manage Roles tab selected, click the role or roles you want to delete.
  2. Click the x to delete the role(s). The Delete Role confirmation dialog box appears.
  3. Click Yes to delete the role(s) and refresh the role list. The selected role is deleted and is no longer available on the server. The users who were associated with that role are no longer associated with it. Other roles assigned to users are not affected. If users have only one role assigned to them and that role is deleted, then the users have no role assigned to them. The default role is Authenticated and all users have that role unless you remove it.

Assign Roles to Users

  1. Make sure the Manage Roles tab is selected, then click the role in Roles list that you want to associate with a user or users.
  2. In the Available list, click the user or users that you want to associate with that role.
  3. Click the right arrow (>) to move the users to the Selected list. You can click the double-right arrow (>>) to move all users from the Available list to the Selected list.
  4. You can remove users from the Selected list by highlighting that user and clicking on the left arrow (<). The user moves from the Selected list to the Available list, and no longer has the permissions associated with that role. The users that appear in the Selected list are now tied to the highlighted role and have all of the permissions associated with that role.