Skip to main content
Pentaho Documentation

Metadata security

Parent article

If you need to restrict access to certain portions of a metadata model that you are using as a data source, you must edit the model with Metadata Editor and add restrictions. The Pentaho metadata model offers table, column, and row-level authorization control. If you need to prevent certain users or roles from accessing it, you must change and republish the model.

Configure the security service

The Pentaho Metadata Editor must be configured to connect to your Pentaho Server so that it can retrieve usernames, roles, and access control lists. You must know the base URL for the Pentaho Server (the default URL is http://localhost:8080/pentaho), as well as the name of the service to execute security information retrieval. The service that retrieves security information is ServiceAction.

Perform the following steps to define your security settings:

Procedure

  1. From the Pentaho Metadata Editor main window, select Tools Security.

    The Security Service dialog box appears.
  2. Type the correct URL in the Service URL text box.

  3. Select the level of detailed security information you want: All, Users, or Roles.

    If you have hundreds of users in your system, you probably only want to return the roles, then use roles for security information properties. The access control lists are returned with all three options.
  4. Type admin in the User Name text field.

    This is the default Admin user for the Pentaho User Console.
  5. Type password in the Password text field.

    This password is associated with the default Admin user.
  6. Click Test.

    If the information you entered is correct, a listing of users and roles appears, as shown in the following example:Security Service dialog box
  7. Click OK to exit the test results, and then click OK to exit the Security Service dialog box.

Retrieve security settings offline

If you want to work on your model and do not have access to the Pentaho Server, you can save your security information in a file. The Pentaho Metadata Editor retrieves your settings from the file instead of accessing the server every time you open your domain.

Procedure

  1. After you click Test, all of the XML between the <content> and </content> tags, including the tags, is provided in the XML dialog box.

  2. Copy and paste the XML code into a text editor, and save the file as metadata_security.xml in a location of your choice.

  3. Click OK to close the dialog box.

  4. Click the File tab in the Security Service dialog box.

  5. Browse to the file that you just saved.

  6. Click OK to exit the dialog box.

Change security constraints

Perform the following steps to change security constraints on a specific business table or column:

Procedure

  1. Open the Properties dialog box that contains the table or column you want to change.

  2. Click the Plus Sign to add a property.

    Add Property button, Properties dialog box The Add New Property dialog box appears.
  3. Select the Security Information property and click OK.

  4. Scroll down to the Metadata Security section of the Settings panel and add the individual role or user permissions to the business model, table, or column.

    These permissions will be enforced in the Pentaho Server after publishing the new metadata model.

Add column-level security constraints

Before you begin

You must have a connection to a data source in Metadata Editor and have one or more tables selected.
Perform the following steps to add user-based or role-based restrictions to your data source.

Procedure

  1. In the left pane, right-click the table or column you want to modify, then click Edit from the context menu.

    The Physical Table Properties dialog box appears.
  2. Click Add Property above the Available field in the middle of the screen.

    The Add New Property dialog box appears.
  3. Select Metadata Security, then click OK.

  4. Click the new Metadata Security item in the General category.

  5. Click the Plus Sign icon next to the Selected Users/Groups field in the right pane.

    A list of users and/or roles (depending on what you selected when configuring the security service earlier) appears.
  6. Select the user or role in the Available list, and then click the Right Arrow in the middle of the window to assign permissions.

    The user or role moves from the Available list on the left to the Assigned list on the right.
  7. Repeat this process for other users or roles you want to assign metadata permissions to, then click OK.

  8. Change any other relevant metadata options, then click OK to return to the Metadata Editor main window.

  9. When you are finished, save the metadata configuration as a domain using the Save As button, then publish it to the Pentaho Server as an XMI schema by selecting Publish from the File menu.

Add global row-level security constraints

Before you begin

You must have a connection to a data source in Metadata Editor and have one or more tables selected.
A global constraint is an MQL formula statement that institutes a global restriction on the data you specify, down to the row level. Follow the instructions below to add custom global user- or role-based restrictions to your data source.

Procedure

  1. In the left pane, right-click the table or column you want to modify, then click Edit from the context menu.

    The Physical Table Properties dialog box appears.
  2. Click the Plus Sign icon above the Available field in the middle of the screen.

    The Add New Property dialog box appears.
  3. Select Data Constraints, then click OK.

  4. Click the new Data Constraints item in the General category.

  5. Select the Global Constraint option in the right pane.

  6. Type in your constraint in the text box.

  7. Change any other relevant metadata options, then click OK to return to the Metadata Editor main window.

  8. When you are finished, save the metadata configuration as a domain using the Save As button, then publish it to the Pentaho Server as an XMI schema by selecting Publish from the File menu.

    When using the Global Constraint, a single MQL formula is used to define security for all users. In addition to the standard MQL functions available, there are also two additional functions:

    • USER(): Returns the name of the current user.
    • ROLES(): Returns a list of roles associated with the current user.

    The following example defines an MQL formula that allows administrators full access:

    IN("Admin"; ROLES())

    NoteAll other users have no access.

Add user or role row-level security constraints

Before you begin

You must have a connection to a data source in Metadata Editor and have one or more tables selected.
A role-based constraint is an MQL formula statement that restricts access (on the row level) only to certain users or roles. Follow the instructions below to add fine-grained user- or role-based restrictions to your data source.

Procedure

  1. In the left pane, right-click the table or column you want to modify, then click Edit from the context menu.

    The Physical Table Properties dialog box appears.
  2. Click the Plus Sign above the Available field in the middle of the screen.

    The Add New Property dialog box appears.
  3. Select Data Constraints, then click OK.

  4. Click the new Data Constraints item in the General category.

  5. Select Role Based Constraints option in the right pane.

  6. Click the Plus Sign next to the Selected Users/Groups field in the right pane.

    A list of users and/or roles (depending on what you selected when configuring the security service earlier) appears.
  7. Click the user or role in the left pane that you want to assign permissions to, then click the Right Arrow in the middle of the window.

    The user or role moves from the Available list on the left to the Assigned list on the right.
  8. Click the checkboxes for the permissions that you want to assign to the selected user or role.

  9. Repeat this process for other users or roles you want to assign metadata permissions to, then click OK.

  10. Change any other relevant metadata options, then click OK to return to the Metadata Editor main window.

  11. When you are finished, save the metadata configuration as a domain using the Save As button, then publish it to the Pentaho Server as an XMI schema by selecting Publish from the File menu.

Add role model-level security constraints

Row-level security allows you to control the results that are returned in a query based on a user's security level. You can specify which rows of data each User Role or User ID is allowed to retrieve from the database, based on a column of data or combination of columns of data. This is only valid at the business model-level.

In the Pentaho Metadata Editor, select the model to which you want to add row-level security, right-click the model, and select Edit.

Business Model Properties dialog box

Any data constraints defined below the model level, such as in a business table or business column, is ignored and not used. In the Business Model Properties dialog box, select the General Data Constraints.

If you are using Role Based Constraints, the metadata engine determines which MQL constraints are appropriate for the current user and applies them to the current query. Constraints may be added for each Role and User in a system. If zero constraints match a user and his or her roles, no data is returned by the MQL query. If more than one constraint applies to a user, the constraints use the OR function to determine row visibility.

This example below defines an MQL formula for three different roles. The Admin role has full row visibility, the Sales and Engineering roles can access data that joins to rows associated with their specific department only.

RoleConstraint
AdminTRUE()
Sales[BC_DEPARTMENT]="Sales"
Engineering[BC_DEPARTMENT]="Engineering"

Row-level security constraints are applied at the MQL layer. The business columns referenced in the MQL security constraints will be resolved down to SQL table columns. The tables which contain column references included in security constraints will be joined to your query, based on the relationships defined in the business model. It is recommended that you do not use outer-joined business columns for the purposes of security constraints.

Remove security from the metadata domain repository

This procedure changes your default metadata domain repository so that it is no longer security-aware. It is a necessary step in completely removing security from the BA platform; however, this procedure does not, in itself, remove all security. To do that, start with Remove security by enabling anonymous access.

Procedure

  1. Stop the Pentaho Server and User Console.

  2. Edit the /pentaho-solutions/system/pentahoObjects.spring.xml file.

  3. Comment out the IMetadataDomainRepositoryImpl line, and uncomment the similar line below it. Alternatively, you can switch the value of IMetadataDomainRepositoryImpl from org.pentaho.platform.plugin.services.metadata.SecurityAwareMetadataDomainRepository to org.pentaho.platform.plugin.services.metadata.PentahoMetadataDomainRepository.

    <!-- <bean id="IMetadataDomainRepositoryImpl" 
      class="org.pentaho.platform.plugin.services.metadata.
        SecurityAwareMetadataDomainRepository" 
          scope="singleton"/> -->
    <!--  Use this schema factory to disable PMD security -->
    <bean id="IMetadataDomainRepositoryImpl" 
      class="org.pentaho.platform.plugin.services.metadata.PentahoMetadataDomainRepository" 
        scope="singleton"/>
  4. Save and close the file.

  5. Restart the Pentaho Server and User Console.

Results

You have now switched the metadata domain repository to one that is not security aware. Access controls will no longer be enforced on various metadata objects.