Skip to main content
Pentaho Documentation

Manage Users and Roles in PUC

Parent article

This article provides an overview of the default assignments for users and roles, the permissions included, and the management of users and roles in the Pentaho User Console (PUC). You must log on to PUC as an administrator (or be assigned to a role that has the Administer Security permission) to manage users and roles for Pentaho Security.

Before changing security settings, back up these relevant files:

  • If you installed Pentaho using the Installation Wizard, back up the Pentaho Business Analytics and the Pentaho Server directories.
  • If you installed Pentaho using the manual process, back up the Pentaho Business Analytics, the Pentaho Server directories, and the Pentaho WAR files and solutions.

You can control users and roles in PUC with a point-and-click user interface. The Users & Roles page allows you to switch between user and role settings. You can add, delete, and edit users and roles from this page.

Access to files or folders can also be refined using the Browse Files perspective in PUC. Each file or folder can use the default permissions or permissions can be customized for specific users and roles. For additional security in multi-tenancy organizations, you can hide individual users' Home folders. See Hiding user folders in PUC and PDI for more information.

View sample users, default roles, and permissions

By viewing the sample user and default role examples, you can get ideas about ways to define actual users and specific roles.

Procedure

  1. Log in to PUC. Click Home Administration.

    The Administration perspective opens the Users & Roles page with the Manage Users tab selected.
  2. Highlight a user in the users list to display which roles are available for that user, as well as which role is currently defined for that user.

  3. Select the Manage Roles tab to display the Operation Permissions for the user's role, as defined by the checked boxes.

    These roles, added for your convenience, can be removed or altered based on your needs (see Table 1: Default Pentaho Security Settings). Each default role and sample user comes with a standard set of permissions, which provides for a specific set of capabilities when using Pentaho tools and the Pentaho Server (see Table 2: Operation Permissions).
  4. Select the System Roles tab to display the user's system role.

    System Roles are built-in roles used to control default behaviors and permissions in PUC, handled implicitly or through system configuration, with automatic assignments. The default system role for all users is 'Authenticated'. If you want to restrict permissions, the 'Authenticated' role must be restricted or removed from the user. Users and Roles Page the User Console
    Table 1: Default Pentaho Security Settings
    Default RoleSample UserDefault Operation Permissions
    Administratoradmin
    • Administer Security
    • Schedule Content
    • Read Content
    • Publish Content
    • Create Content
    • Execute
    • Manage Data Sources
    Business Analystpat
    • Publish Content
    Power Usersuzy
    • Schedule Content
    • Read Content
    • Publish Content
    • Create Content
    • Execute
    Report Authortiffany
    • Schedule Content
    • Publish Content
    Table 2: Operation Permissions
    Operation PermissionDefinition
    Administer SecurityThe default Administrator role automatically conveys all operation permissions to users assigned to that role, even if the check box next to it is cleared. These permissions include the Read and Create Content permissions, which are required for accessing the Administration perspective.
    • Gives access to the Administration perspective of PUC.
    • Allows access to and the ability to manage all content in the Browse perspective.
    • Allows the ability to view and work with all user schedules in the Schedules perspective.
    • Gives the ability to create server block out times in the Schedules perspective.
    Schedule Content
    • Allows the user to schedule reports and content.
    • Gives the user the ability to view, edit, or delete their own schedules using the Schedules perspective.
    Read Content
    • Gives the user the ability to view content in the Browse perspective.
    • Gives the user the ability to view content through the File Opendialog box.
    Publish ContentThis permission includes tools such as Report Designer, Schema Workbench, and Metadata Editor.
    • Allows client tools to store reports or data models in the Pentaho Repository.
    • When held in conjunction with Write permission on the target folder, allows a user to upload supported content types.
    Create Content
    • Allows the user to create, import, delete, and save reports to the repository.
    • Gives the user the ability to see a list of data sources which are used to create reports or dashboards.
    Execute
    • Enables the Run, Preview, Debug, Reply, and Verify buttons and menu entries in PDI client, Kitchen, Pan, and Carte.
    • Allows the user to save, copy, or schedule transformations and jobs.
    • Gives the user the ability to use export buttons and associated menu entries.
    Manage Data Sources
    • Allows the user to create, edit, or delete new data sources.
    • Gives the user the ability to see a list of data sources that are used to create reports or dashboards.
    • In Analyzer, allows the user to make inline model editing changes including modifying existing (base) measures.
    • In Analyzer, allows the user to add and edit calculated measures to the data model.
    • In Analyzer, allows the user to hide and show fields.

    Operation permission does not include Metadata Editor data sources. This Metadata security article gives specific information on how to give permissions to manage Metadata Editor data sources.

Add Users

Use this task to add users in the Pentaho User Console.

Procedure

  1. With the Manage Users tab selected, click the Plus Sign (+).

    The New User dialog box appears.
  2. Enter a new User Name and Password, then Confirm Password and click OK.

    The new user account is active and displays in the Users list.

Change User Passwords

Use this task to change passwords for users in the Pentaho User Console.

Procedure

  1. With the Manage Users tab selected, click the user for whose password you want to edit.

    The user's information populates to the right of the Users field.
  2. Click Edit. Enter the New Password and Confirm Password then click OK.

Next steps

If you are unable to change an administrator password, see Cannot change Administrator password in PUC in Troubleshooting.

Delete Users

Use this task to delete users in the Pentaho User Console

Procedure

  1. With the Manage Users tab selected, click the user or users in the Users list that you want to delete.

  2. Click the X to delete the user or users.

    The Delete User confirmation dialog box appears.
  3. Click Yes, Delete to delete the user(s) and refresh the user list.

    The selected user accounts are deleted and the users are no longer able to log in to the Pentaho Server.

Set the Authentication Method

By choosing the authentication method, you can choose where the users and their login credentials will be managed.

Procedure

  1. Click Authentication.

  2. Select the option for the method you want to use:

Assign Users to Roles

Use this task to assign users to roles in the Pentaho User Console.

Procedure

  1. With the Manage Users tab selected, click to highlight the user from the Users list that you want to associate with a role.

  2. In the Available list, click to highlight the role that you want to associate with the selected user.

  3. Click the Right Arrow (>) to move the role to the Selected list.

    The role moves from the Selected to Available list, and the user no longer has the associated permissions. The user now has all of the permissions associated with the role in the Selected list.

Add Roles

Use this task to add custom roles to the Manage Roles tab in the Pentaho User Console.

Procedure

  1. With the Manage Roles tab selected, click the Plus Sign (+).

    The New Role dialog box appears.
  2. Enter a new Name for the role, then click OK.

  3. The new role is created, and appears in the Available roles list.

Next steps

After adding a new role, you need to assign operation permissions to it. For more information, see Assign Permissions to Roles.

Assign Permissions to Roles

Use this task to assign permissions to roles in the Pentaho User Console.

Procedure

  1. Make sure that the role is highlighted in the Roles list.

  2. Click in the check boxes in the Operation Permissions list.

    The role has permissions assigned to it, and users associated with that role have those permissions.

Delete Roles

Use this task to delete roles from the Manage Roles tab in the Pentaho User Console.

Procedure

  1. With the Manage Roles tab selected, click the role or roles you want to delete.

  2. Click the X to delete the role(s).

    The Delete Role confirmation dialog box appears.
  3. Click Yes to delete the role(s) and refresh the role list.

    The selected role is deleted and is no longer available on the server. The users who were associated with that role are no longer associated with it. Other roles assigned to users are not affected. If users have only one role assigned to them and that role is deleted, then the users have no role assigned to them.
    NoteThe default role is Authenticated and all users have that role unless you remove it.

Assign Roles to Users

Use this task to assign roles to users in the Pentaho User Console

Procedure

  1. Make sure the Manage Roles tab is selected, then click the role in Roles list that you want to associate with a user or users.

  2. In the Available list, click the user or users that you want to associate with that role.

  3. Click the Right Arrow (>) to move the users to the Selected list. You can click the Double-Right Arrow (>>) to move all users from the Available list to the Selected list.

  4. You can remove users from the Selected list by highlighting that user and clicking on the Left Arrow (<).

    The user moves from the Selected list to the Available list, and no longer has the permissions associated with that role. The users that appear in the Selected list are now tied to the highlighted role and have all of the permissions associated with that role.