Groups

Group is an abstract set of users, which gives assigned users some permissions. So it is not necessary to specify permissions for each single user.

There are independent levels of permissions implemented in CloverETL Server

Table 20.3. Default groups created during installation

Group nameDescription
adminsThis group has operation permission "all" assigned, which means, that it has unlimited permission. Default user "clover" is assigned to this group, which makes him administrator.
all users Every single CloverETL user is assigned to this group by default. It is possible to remove user from this group, but it is not a recommended approach. This group is useful for some permissions to sandbox or some operation, which you would like to make accessible for all users without exceptions.

Web GUI - section "Groups"

Figure 20.5. Web GUI - section "Groups"


Users Assignment

Relation between users and groups is N:M. Thus in the same way, how groups are assignable to users, users are assignable to groups.

Web GUI - users assignment

Figure 20.6. Web GUI - users assignment


Groups permissions

Groups permissions are structured as a tree, where permissions are inherited from the root to leafs. Thus if some permission (tree node) is enabled (blue dot), all permissions in sub tree are automatically enabled (white dot). Permissions with red cross are disabled.

Thus for "admin" group just "all" permission is assigned, every single permission in sub tree is assigned automatically.

Tree of permissions

Figure 20.7. Tree of permissions


With no of the following privileges, user can: login to the server console, create server project (in Designer) from its own sandbox, create a file in its own existing sandbox, and run graphs.

  • all

    A user with this permission has all available permissions. Admin group has all permissions by default.

    • Unlimited access to sandboxes

      This permission allows user to perform operations on all sandboxes, even if the sandbox accessibility is not specified explicitly.

      Unlimited access to sandboxes permission does not include the suspend sandbox permission.

      • Sandboxes

        This permission allows user work with sandboxes. This permission contains all the permissions below. The user can perform operations only on sandboxes owned by himself or on sandboxes with explicitly added access to him.

        See Chapter 21, Sandboxes - Server Side Job Files.

        • List sandbox

          In server web interface, this permission allows user to list her sandboxes and list sandboxes with read permission granted to the user's group.

          In server web interface, this permission is necessary to create, edit, or delete sandboxes.

          Within a sandbox with write access granted, user can edit or remove files and create or delete directories even without this permission.

        • Create sandbox

          This permission allows user to create a new sandbox.

          If the sandbox is to be created in web interface, the user is required to have the list sandbox permission.

        • Delete sandbox

          This permission allows user to delete a sandbox.

          If the sandbox is to be deleted in web interface, the user is required to have the list sandbox permission.

        • Edit sandbox

          This permission allows user to edit a sandbox.

          If the sandbox is to be modified in web interface, the user is required to have the list sandbox permission.

        • May delete files missing in uploaded ZIP

          In SandboxUpload ZIP, this permission allows user to use a checkbox to delete files missing in the ZIP to be uploaded. If the user does not have this permission, the checkbox to delete mission files in ZIP is not displayed.

          If the sandbox is to be uploaded from a ZIP file in server web interface, it is required to have the list sandbox permission.

    • Scheduling

      This permission allows user to manage schedules.

      See Chapter 28, Scheduling.

    • Event listeners

      This permission allows user to manage event listeners.

      See Chapter 30, Listeners.

    • Unlimited access to execution history

      This permission allows user to perform the same operations as unlimited access to execution history list permission.

      • Unlimited access to execution history list

        This permission allows user to view execution history of all jobs.

        • Limited access to execution history list

          This permission allows user to view execution history of jobs from sandboxes the user can read from. In Designer, this permission is required to be able to view Execution log in Designer's console and execution history in Execution tab.

    • Launch Services

      This permission allows user to list, create, edit, and delete launch services.

      See Chapter 37, Launch Services.

  • Tasks history

    This permission allows user to access Tasks history section.

    See Chapter 26, Tasks.

  • Monitoring

    Monitoring permission grants user all its subpermissions.

    • Monitoring section

      This permission allows user to access the monitoring section.

      See Chapter 17, Monitoring .

    • Suspend

      This permission allows user to suspend the server, a cluster node, or a sandbox.

      The user needs to have the monitoring section permission to access the Monitoring section.

    • Reset caches

      Deprecated.

    • Running jobs unlimited

      If the graph is to be run from server web interface, the user needs to have the list sandbox permission to list the graphs.

      • Running jobs limited

        If the graph is to be run from server web interface, the user needs to have the list sandbox permission to list the graphs.

  • Configuration

    This permission allows user to access the configuration section.

    • Users

      This permission allow user to access the Users section and configure user accounts.

      • List user

        This permission allows user to list users and access to the Users administration section (ConfigurationUsers)

      • Change passwords

        This permission allows user to change his password and to change password of another user.

        To see list of users, the user needs the list user permission.

      • Edit user

        This permission allows user to change group assignment.

        To see the list of users, the user needs to have the list user permission.

        • Edit own profile and password

          This permission allows user to change his profile (first name, last name, email, and password).

          The user can access her profile in main web console view under username, in upper right corner of the page.

      • Delete user

        This permission allows user to disable a user.

        The user needs to have the list user permission to list available users.

      • Create user

        This permission allows user to create a new user.

        If the user is to be created in server web interface, the creating user needs to have the list user permission to list users to access this option.

      • Groups assignment

        This permission allows user to assign users to groups.

        The user needs to have the edit user permission to successfully finish the assignment of users to groups.

        If the user is to be created in server web interface, the creating user needs to have the list user permission to list users to access this option.

    • Groups

      This permission allows user to manage groups: user can list groups, create groups, delete groups, edit the group, assign users to the group, and change permissions of the group.

      • List groups

        This permission allows user to list groups. This permission is necessary for use of other options from the Groups group.

      • Create group

        This permission allows user to create a new user group.

        If the user group is to be created in server web interface, the user needs to have the list groups permission to view a list of groups and to access this option.

      • Delete group

        This permission allows user to delete a user group.

        Only empty groups can be deleted. You need to have the list groups permission to view list of groups and to access this option.

      • Edit group

        This permission allow user to edit user groups.

        This permission does not include User assignment and Permission assignment.

        If the user group is to be edited from server web interface, the user needs to have the list groups permission.

      • Users assignment

        This permission allows user to assign users to groups.

        The user needs Edit group permission to commit the changes in the assignment.

        If the assignment is to be edited in server web interface, the user needs to have the list groups permission to list the groups.

      • Permission assignment

        This permission allows user to configure group Permissions.

        The user needs have the Edit group permission to commit the changes.

        If the permissions are to be edited in server web interface, the user needs to have the list groups permission to list the groups.

    • Secure parameters administration

      • Secure params

        This permission allows user to change the value of a secure parameter.

        The user can use secure parameters in graphs even without this permission.

    • CloverETL/System info sections

      This permission allows user to view System Info and CloverETL Info sections.

    • CloverETL Server properties

      This permission allows user to view Server Properties tab and Data Profiler properties tab in CloverETL Info section.

      The user needs to have the CloverETL/System info sections permission to access CloverETL Info section.

    • Reload license

      This permission allows user to reload and view the server license.

      The user needs to have the CloverETL/System info sections permission to access the Configuration section.

    • Upload license

      This permission allows user to update the server license.

      The user needs to have the CloverETL/System info sections permission to access the Configuration section.

      See Activation.

    • Server Configuration Management

      This permission allows user to import and export the server configuration.

      See Chapter 22, Server Configuration Migration.

    • Temp Space Management

      This permission allows user to access Temp Space Management section.

      See Chapter 18, Temp Space Management.

    • Server Setup

      This permission allows user to access the server setup.

      See Chapter 12, Setup.

    • Heap Memory Dump

      This permission allows user to create a Thread dump and a Heap Memory Dump.

      See Chapter 23, Diagnostics.

  • Groovy Code API

    This permission allows user to run Groovy scripts.

  • Open Profiler Reporting Console

    This permission allows user to login to the Profiler reporting console.

    The permission is necessary to view the results of Clover Profiling Jobs in Designer.

    Even without this permission, a user can create and run .cpj jobs from Designer.