Users, Groups and Roles

This page will guide you through the most common tasks of user, group and role management. The scenarios described on this page apply for the default identity and security configurations shipped with our RapidMiner Platform deployment templates. See below for the defaults we chose and how to manage them.

For a quick recap on concepts and terminology, read our security overview.

Pre-requisites

To perform the administrative tasks below, you need to be logged in with a user that has the appropriate role assigned. In our default configuration, this role is covered by the platform-admin realm role, which is assigned to the pre-provisioned admin user.

After logging in, navigate to Identity and Security on your deployment's landing page to access the admin interface. All instructions below assume that you are already logged in and have navigated to this page.

Managing users

By default, only a single admin user is created in a RapidMiner platform deployment. This user has admin privileges across all platform components. We strongly encourage provisioning users for each person that will interact with the RapidMiner Platform, either as a user or an admin. This is a good practice that also enables clear audit trails.

User database and identity provider federation is also supported, which removes the administrative burden of managing users and is typically a requirement in enterprise environments.

If you are upgrading from a previous version of the RapidMiner Platform, or from a standalone RapidMiner Server installation, please consult our Upgrade and Migration Guide to provision your previously existing users.

Adding users

Adding users is a two-step process: first you have to create the user, then you have to assign (temporary) credentials so the user can log in.

Go to the Users menu and click on Add User.

The only mandatory field you need to provide is the username (we will provide the initial password in the next step). Here's a short list of the other settings you can choose:

  • If you are filling out the user's e-mail address and you know it to be valid, then go ahead and set Email verified to On.
  • If you want the user to fill in their profile information (name and email), then add Update Profile to the list of Required User Actions. This will display a form for the user when logging in for the first time to provide their data.
  • If you want the user to change their password on the next login, add Update Password to the list of Required User Actions.
  • If you want the user to configure two-factor authentication on the next login, add Configure OTP to the list of Required User Actions.

When you click Save, the user is created and the user details page is shown.

The second step is to set a (temporary) password for the user. To do this, go to the Credentials tab and add the user's new password to the Password and Password confirmation fields. By default, the password you set will be a temporary one and the user will have to change it on their first login. To change this, set Temporary to Off.

When you click Save, the user's initial password is stored, and they should now be able to log in.

By default, users are assigned the platform-users role, which gives them access to all components of the RapidMiner Platform as regular, non-privileged users. See the chapter on roles if you wish to change this default.

Removing users

Go to Users, and find the user to be deleted. You can either use the search box, or click on View all users and find them on the displayed list.

Click on Delete in the user's row and confirm the action.

Resetting a user's password

It's a typical administration task to trigger a password reset for a user, in case they forgot their credentials (and this is not possible in a self-service fashion because emails and password resets are not configured).

Go to Users, and find the user who needs a password reset. You can either use the search box, or click on View all users and find them on the displayed list. Click on Edit.

On the Credentials tab, in the Reset Password section, add the user's new password to the Password and Password confirmation fields. By default, the password you set will be a temporary one and the user will have to change it on their next login. To change this, set Temporary to Off.

Impersonating users

Impersonating a user can be a very useful tool when you're trying to identify an authentication or authorization problem for a specific user. It allows you to see the "world" of the RapidMiner Platform through that user's eyes, without needing to ask for their password or schedule a time slot with the user.

Go to Users, and find the user you want to impersonate. You can either use the search box, or click on View all users and find them on the displayed list.

Click on Impersonate in the user's row.

You need to log out and log back in with your own user to stop impersonating.

Managing groups

Groups are collections of users. You can map roles to a group. Users who become members of a group inherit the role mappings that the group defines.

Groups can be nested to an arbitrary level, if such level of granularity is desired.

By default, no groups are provisioned.

Adding groups

Go to Groups, and click on New. Provide the group name and click Save.

To assign a role to this group, click on the Role Mappings tab and add the desired roles. To add realm roles, select them from the list of Available Roles and click Add Selected >. To add client-specific roles (e.g. you only want to allow the group to access Dashboards), first find that client in the Client Roles dropdown (you need to start typing its name), and then add the desired roles by selecting them and clicking on Add Selected >>.

To add a sub-group that is nested in an existing group, the process is very similar. Go to Groups, then make sure to select the parent group before clicking on New. Follow the instructions above to complete your task.

Removing groups

Go to Groups, select the group or sub-group you wish to delete, then click on Delete. Confirm your action to complete the task.

Note: deleting a group will also delete its nested sub-groups without any additional warnings.

Changing default groups

You can choose which group newly created users are added to automatically.

Go to Groups, then click on the Default Groups tab. Find the group in the list of Available Groups (either by using the search box or the View all groups button) and click on it to select it. Finally, click Add to complete the task.

Adding and removing users to groups

Go to Users, and find the user you wish to add. You can either use the search box, or click on View all users and find them on the displayed list. Click on Edit in the user's row.

To add the user to a group, click on the Groups tab. Find the group in the list of Available Groups (either by using the search box or the View all groups button) and click on it to select it. Finally, click Join to complete the task.

To remove the user from a group, click on the Groups tab. Find the group in the list of Group Membership (either by using the search box or the View all groups button) and click on it to select it. Finally, click Leave to complete the task.

Managing roles

Roles describe which components users have access to in the RapidMiner Platform, and which specific actions they can perform in these components. Various components (called clients in Keycloak terminology) can have their own set of roles, and the entire deployment also defines a set of roles, called realm roles. To simplify role definition and management, the concept of composite roles exists, which allows a realm role to "bundle" a set of realm and client roles together.

By default, we provision three composite realm roles: platform-users, platform-admin and platform-webservice-access.

  • The platform-users role authorizes users to access all RapidMiner Platform components as regular, non-privileged users.
  • The platform-admin role authorizes users as administrators for each component, and it provides privileges to access the Identity and Security component.
  • platform-webservice-access is a restricted role which should only be used for secure web service access.

The table below summarizes the various client roles and their relationship to these realm roles.

| Component | Role | platform-admin | platform-users |
|---|---|---|---|
| Dashboards | admin | Yes | No |
| Dashboards | editor | Yes | Yes |
| Dashboards | viewer | Yes | Yes |
| JupyterHub | administrator | Yes | No |
| JupyterHub | user | Yes | Yes |
| Landing Page | view-landing-page | Yes | Yes |
| Platform Admin | python-env-admin | Yes | No |
| Platform Admin | python-env-viewer | Yes | Yes |
| Platform Admin | rts-admin | Yes | No |
| Platform Admin | rts-deployment-admin | Yes | No |
| Platform Admin | rts-viewer | Yes | Yes |
| RapidMiner Server | administrator | Yes | No |
| RapidMiner Server | analyst | Yes | Yes |
| RapidMiner Server | connection manager | Yes | No |
| RapidMiner Server | execute | Yes | Yes |
| RapidMiner Server | report editor | Yes | Yes |
| RapidMiner Server | report manager | Yes | Yes |
| RapidMiner Server | report viewer | Yes | Yes |
| RapidMiner Server | scheduler | Yes | Yes |
| RapidMiner Server | service | Yes | Yes |
| RapidMiner Server | users | Yes | Yes |
| Token Generator | users | Yes | Yes |

Adding roles

If your organization needs roles to be more restrictive on which users get access to what components of the RapidMiner Platform, you can define your own.

You should use composite realm roles for this purpose. The components of the RapidMiner Platform operate with a predefined set of client roles and changing them may cause problems. The one exception to this rule is RapidMiner Server. See the chapter below on how to configure roles and RapidMiner Server groups.

To add a new role, go to Roles and click on Add Role. Enter the new role's name and click Save.

On the Details tab, set Composite Roles to On. The Composite Roles section will appear below.

To add realm roles, select them from the list of Available Roles and click Add Selected >. To add client-specific roles (e.g. you only want to allow the group to access Dashboards), first find that client in the Client Roles dropdown (you need to start typing its name), and then add the desired roles by selecting them and clicking on Add Selected >>.

Assigning roles to users

Go to Users, and find the user you wish to assign a role to. You can either use the search box, or click on View all users and find them on the displayed list.

Click on Edit in the user's row, then click on the Role Mappings tab. You will see all the realm roles and client roles that the user is assigned to (to see client roles for a specific client, you need to select it from the Client Roles dropdown by typing the client's name).

To add realm roles, select them from the list of Available Roles and click Add Selected >. To add client-specific roles, first find that client in the Client Roles dropdown (you need to start typing its name), and then add the desired roles by selecting them and clicking on Add Selected >>.

You can use the same interface to remove assigned roles.
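To review what a user can actually do once composite roles and group mappings stack up, the following added example (not RapidMiner's or Keycloak's own code) resolves effective roles against the default table above and lists the admin-only client roles a user ends up with. The role `rts-operators`, the groups and the users are constructed sample data, and the code assumes that sub-groups inherit their parent group's role mappings, as Keycloak groups do.

```python
def q(client, *names):
    """Qualify client role names as 'client:role'."""
    return {f"{client}:{n}" for n in names}

# Default table on this page: client roles granted to both default realm roles ...
SHARED = (q("Dashboards", "editor", "viewer") | q("JupyterHub", "user")
          | q("Landing Page", "view-landing-page")
          | q("Platform Admin", "python-env-viewer", "rts-viewer")
          | q("RapidMiner Server", "analyst", "execute", "report editor", "report manager",
              "report viewer", "scheduler", "service", "users")
          | q("Token Generator", "users"))
# ... and client roles granted to platform-admin only.
ADMIN_ONLY = (q("Dashboards", "admin") | q("JupyterHub", "administrator")
              | q("Platform Admin", "python-env-admin", "rts-admin", "rts-deployment-admin")
              | q("RapidMiner Server", "administrator", "connection manager"))
COMPOSITES = {"platform-users": SHARED, "platform-admin": SHARED | ADMIN_ONLY,
              # Hypothetical custom composite: one realm role plus one client role.
              "rts-operators": {"platform-users", "Platform Admin:rts-deployment-admin"}}

# Constructed sample data. group -> (parent, mapped roles); user -> (groups, direct roles)
GROUPS = {"analytics": (None, {"platform-users"}),
          "analytics/ops": ("analytics", {"rts-operators"})}
USERS = {"alice": ({"analytics"}, set()), "bob": ({"analytics/ops"}, set()),
         "carol": (set(), {"platform-admin"})}

def expand(roles, seen=None):
    """Recursively unfold composite roles; the seen set also guards against cycles."""
    seen = set() if seen is None else seen
    for role in roles:
        if role not in seen:
            seen.add(role)
            expand(COMPOSITES.get(role, ()), seen)
    return seen

def effective_roles(user):
    """Direct roles plus roles mapped to the user's groups and every ancestor group."""
    groups, roles = USERS[user]
    roles = set(roles)
    for group in groups:
        while group is not None:
            parent, mapped = GROUPS[group]
            roles |= mapped
            group = parent
    return expand(roles)

def admin_grants(user):
    """Admin-only client roles the user ends up with, for a least-privilege review."""
    return sorted(effective_roles(user) & ADMIN_ONLY)

print({user: admin_grants(user) for user in USERS})
```

Here `bob` never received an admin role directly, yet membership in a nested group with a custom composite role gives him `rts-deployment-admin`, which is the kind of indirect grant worth checking after changing role mappings.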

Changing the default roles for new users

Newly created users get the platform-users role by default.

To change this, go to Roles and click on the Default Roles tab.

To add realm roles, select them from the list of Available Roles and click Add Selected >. To add client-specific roles, first find that client in the Client Roles dropdown (you need to start typing its name), and then add the desired roles by selecting them and clicking on Add Selected >>.

Roles and their relationship to RapidMiner Server

There's a mismatch in terminology between the RapidMiner Platform's Identity and Security component and RapidMiner Server when it comes to groups. Roles in the Platform correspond to Groups in RapidMiner Server.

One typical use-case for creating a new group is restricting execution queues to members of certain RapidMiner Server Groups. To make sure that this correctly maps to users and roles defined in RapidMiner Identity and Security, please follow the steps below.

First, log in with a user who has the platform-admin role and go to Identity and Security.

Go to Clients, find urn:rapidminer:server and click on Edit in its row.

On the Roles tab, click on Add Role and provide a name for your new role. Click Save.

Next, go to RapidMiner Server, and click on User Management under Administration. Click on Add groups. Use the same name for your group as you used for the client role and click Submit.

On the Groups tab, click on your newly created group's name to open the group details page. On the following screen, click on the Manage LDAP/SAML/Keycloak groups action. Enter the name of the new group and click Add.

Back on the group details page, check Group managed by LDAP/SAML/Keycloak (If selected, members of the LDAP/SAML/Keycloak groups specified below are automatically added to this group upon login). The panel below will change to one that lists groups.

On this panel, select the newly created group and click Copy. Click Submit to save your changes.

Now your RapidMiner Server group is ready to use and configured correctly as a client role in Identity and Security.