You are viewing the RapidMiner legacy documentation for version 9.9.
User Management
One key benefit of RapidMiner Server is the ease and granularity of user management. User management is part of the Administration menu of the RapidMiner Server web interface.
You register users to the server and assign them to groups. By assigning permissions to a group, those rights are propagated to all the group's users. In addition:
- A user can belong to one or more groups. By default, each user is assigned to several predefined groups for easy management.
- There are special user designations for administration and anonymous access.
- You can assign access rights from either RapidMiner Server or RapidMiner Studio.
Defining terms
The following sections define the terms used in RapidMiner Server user management.
What is a user and what is a group?
A user is an individual registration for using RapidMiner Server. Each user must be added individually. A user is assigned to RapidMiner Server's predefined groups and can then be assigned to any number of admin-created groups. When a user is assigned to multiple groups with access to a resource, the more permissive access rights take precedence. Note that a user may be software, as is the case with web services, in which the software querying RapidMiner Server is the user; this type of user also needs an account and access rights.
A group in RapidMiner Server is a collection of users with the same access rights; different groups can distinguish between purposes. For example, you can add all members of the sales team to a project-specific group and provide them all with rights to the data, connections, and web apps related to that project. Or, you could create two Sales groups, one with full and one with limited access to those same resources. With user groups, you only have to assign user rights once and then add or remove defined users, allowing you to assign permissions to more than one person at a time.
Whether to start by creating users or creating groups is really a "chicken or the egg" question. Either way is equally efficient. You can view configured users and groups by clicking the appropriate tab in the User Management page.
There are two methods for adding users to a group:
- From within the group configuration, add users (add users to a group)
- From within the user configuration, add groups (add groups to a user configuration)
Defining access rights
Access rights in RapidMiner Server control access to processes and data (any entry in the server repository), and are defined as follows:
Right | Description |
---|---|
Read (View) | The user can only read (view) data. |
Write | The user can modify data. |
Execute | The user can execute any process within the project that the right applies to. This setting is only applicable to web services. |
Ignore | The user inherits permissions from the folder or parent. That is, do not explicitly grant or reject. |
Grant | Allows access to this resource by the specified group. |
Reject | Prohibits the specified group from accessing this resource. Any member of the denied group having Grant privileges in a different group will still have access. |
The following are some general points about access rights:
- Access to a resource requires access to the resource itself and to all folders above.
- A user needs Execute rights to run web services.
- A user needs Read (and potentially Write) permissions to run scheduled executions or web apps.
Propagating rights over directories and groups
Access rights are always based on the group(s) a user belongs to. If a user belongs to a group with the needed permission to a resource, they will have access to that resource. Access takes precedence over denial when group permissions conflict. So, if a user is in two groups, and one group is explicitly permitted to a resource while the other is explicitly denied, the permission takes precedence and the user will have access.
Every process execution (scheduler, web service, web apps) is triggered by a user and, therefore, every execution is linked to that user's specified access rights. All resulting actions of an execution require the user to have the appropriate rights. If a process needs to write data to a location, for example, the user needs the specified write permissions to that location. If a user triggers a web service that does not have the defined execute permission, the service request is terminated.
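The resolution rules described above (Ignore inherits from the parent, a Grant in one group outweighs a Reject in another, and every folder above must also be accessible) can be modelled for a single right as follows. This is an added illustration, not RapidMiner code; the group names, folder paths, the no-access default when nothing is set, and resolving inheritance per group before combining groups are assumptions.

```python
from pathlib import PurePosixPath

GRANT, REJECT, IGNORE = "grant", "reject", "ignore"

# Constructed sample settings for ONE right (e.g. Read): folder -> group -> setting.
# "users" stands in for the predefined group that contains every account.
ACLS = {
    "/": {"users": GRANT},
    "/home/sales": {"sales-limited": REJECT},
    "/home/sales/forecast": {"users": REJECT, "sales-full": GRANT},
    "/home/hr": {"users": REJECT},
    "/home/hr/payroll": {"hr": GRANT},
}

def chain(path):
    """The entry itself plus every folder above it, root first."""
    p = PurePosixPath(path)
    return [str(a) for a in list(p.parents)[::-1]] + [str(p)]

def group_setting(acls, group, path):
    """Nearest explicit Grant/Reject for one group; Ignore defers to the parent."""
    for node in reversed(chain(path)):
        setting = acls.get(node, {}).get(group, IGNORE)
        if setting != IGNORE:
            return setting
    return IGNORE  # assumption: nothing set anywhere means no access

def node_allows(acls, groups, path):
    """A Grant through any one group outweighs a Reject through another."""
    return any(group_setting(acls, g, path) == GRANT for g in groups)

def has_access(acls, groups, path):
    """The entry and all folders above it must each allow the user."""
    return all(node_allows(acls, groups, n) for n in chain(path))

if __name__ == "__main__":
    cases = [
        (["users", "sales-limited"], "/home/sales"),           # Reject masked by Grant
        (["users", "sales-limited"], "/home/sales/forecast"),  # no group grants here
        (["users", "sales-full"], "/home/sales/forecast"),     # one Grant is enough
        (["users", "hr"], "/home/hr/payroll"),                 # blocked by the folder above
    ]
    for groups, path in cases:
        print(f"{groups} -> {path}: {has_access(ACLS, groups, path)}")
```

The first case is the one to look for when reviewing group settings: the Reject on sales-limited has no effect while the same user still receives a Grant through users.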
Managing users
You create a RapidMiner Server user from the Administration > User Management page. Click User Management to display a list of configured users and their assigned groups. Initially, you see only the admin user.
Creating a user account
When you create a user, RapidMiner Server creates a folder for that user in the installation /home directory (the repository). To create a new user:
Click Add user in the Actions box on the right side of the screen.
Complete the fields of the resulting Add user dialog:
Field | Description |
---|---|
Username | Required. This is the name you assign to the user, used internally by RapidMiner Server. |
Password/Repeat password | Required. Enter (and repeat) a password to assign to the user. The password must be a minimum of eight alphanumeric characters. Special characters are allowed. |
Display name | This is the name RapidMiner Server displays to represent the user. If not supplied, RapidMiner Server displays the value for Username. |
Email address | Enter the user's email address. This is the address that RapidMiner Server uses to send email notifications based on triggers, process results, and password resets. |
When you complete the fields, click Submit. The dialog returns with empty fields for the next addition and displays a message that the user was created. The user is added, alphabetically by username, to the User List.
Enter each additional user. When finished adding users, click the small icon in the upper right corner.
Changing user account information
To change the configuration for a created user:
From the User List tab of the Administration > User Management page, click on the name of a user you wish to update in the Username column. A dialog appears.
Update any of the following fields and click Submit.
- display name
- password
Please note that LDAP users and SAML users cannot change their display name, email, or password. Display name and email are synchronized automatically from the LDAP or SAML server at every logon. Passwords for these accounts must be changed in the LDAP/SAML service the user is associated with.
You can also manage group membership from this dialog.
Changing groups in a user configuration
This section describes adding or removing groups in a user configuration. You can also add users to a group.
Once you have created a user, add created groups to it from the Administration > User Management page. (RapidMiner Server adds six predefined user groups and a
From the User List tab, click on the name of a user in the Username column. The group management dialog appears.
(You can also change user configuration from this dialog.)
The lower Groups column lists configured groups the user is not part of (left side) and groups that the user is assigned to (right side). Manage group assignments by moving groups between the sides.
To move a group, click Copy to assign or click Remove to remove the user from the selected group. Alternatively, add (or remove) all listed groups to the user configuration with the Copy All or Remove All buttons.
Click Submit to add the group to the user configuration.
Please note that users can't be added to Mirror groups. Mirror group membership is managed automatically.
RapidMiner Server returns to the User List display.
Deleting a user account
To delete a user account, simply click the Delete icon next to the username and click OK when prompted.
Managing groups
RapidMiner Server uses groups to simplify administration. Instead of allowing or denying access to a resource on a user-by-user basis, simply assign a user to a group, and control each group's access.
Creating a group is nothing more than defining a tag that you can apply to users. You assign different privileges for each resource that the group should access. In this way, you can allow a group to have, for example, read access to a web app but write access to a data set.
You create a RapidMiner Server group from the Administration > User Management page. To create a group:
Click Add group in the Actions box on the right side of the screen.
Enter a group name and an optional description for the new group.
Click Submit. If you then select the Groups tab, you can see the group listed.
Note that the user-defined groups have a Delete icon for removing the group. (The predefined groups do not because they cannot be deleted.) To delete a group, simply click the icon.
Adding users to a group
This section describes adding users to a group. You can also add groups to a user configuration.
Once you have created a group, add configured users to it from the Administration > User Management page. To add users:
From the Groups tab, click on the name of the group in the Group name column. A dialog for adding members appears.
Select a user name in the left Members column.
Double-click the username or click Copy to move the user to the right column. (To remove users, highlight the name in the right column and double-click or click Remove. Note that the removed users are then listed at the end of the Members register.)
Additional actions include:
- Add all listed users to the group with the Copy All button (or delete all users from the group with Remove All).
- Assign all future users automatically by checking the New users are assigned to this group automatically box.
- Change the group's description (displayed in the group list on the Groups tab) by editing the text in the description box.
Click Submit to add the user to the group.
Please note that LDAP/SAML authenticated users appear in the list of available users only after a successful first login, but they can be assigned to groups like any other local user.
RapidMiner Server returns to the User List display.
Predefined user groups
RapidMiner Server comes preconfigured with six special user groups. Every user is automatically added to each of these groups and a seventh group,
The predefined groups are defined below:
Group name | Description |
---|---|
User | All configured users on the instance of RapidMiner Server are part of this group. |
Administrator | Members have access to everything (files, web apps, connections, configuration). |
Analyst | Members can connect to RapidMiner Server via RapidMiner Studio and can connect to the admin web interface (/RA). A user who is not part of this group cannot access the admin web interface or connect via RapidMiner Studio. Access to resources and services is dependent on the rights granted to Analyst on the specific object. |
Execute | Members can execute processes on RapidMiner Server either from RapidMiner Studio (by clicking on the Run Remote Now button) or from RapidMiner Server directly (when opening a process entry via the repository web interface). Users do not need to be part of the Execute group to view reports. |
Report viewer | Members can view web apps (read access only), but must also have read access to the corresponding database connection. Additionally, users must be part of the Report viewer group to access the App Designer web interface. |
Report editor | Members can edit web apps (read and write access). Additionally, Report editors can create new apps and ad-hoc reports and edit style bundles. |
Report manager | Members can manage web apps and domains. |
Scheduler | Members can create triggers in the process scheduler on RapidMiner Server (via RapidMiner Studio or the web UI), but must also have read access to the corresponding database connection. |
Service | Members can create web services. |
A group containing only the named user. |
Mirror groups
Regular groups can be turned into mirror groups to enable automatic LDAP/SAML user management. Once a group is turned into a mirror group, you can no longer assign users to it directly. You can find more information about LDAP authentication, SAML authentication, and managing mirror groups in the documentation.