Connections security

Securing access to connections

It is possible to restrict access to connections. If access to a DSS connection is restricted, only members of selected groups may “freely use” this connection.

This can be configured in the settings of each individual connection.

“Freely using” a connection means being able to:

  • Create new datasets on the connection
  • Modify the settings of a dataset using the connection
  • Browse the connection in any way
  • Send code (like SQL) which may be used indirectly to browse the connection in any way

Note that this does NOT restrict the ability to read datasets which have already been defined on a connection.

For example, with a SQL database, you may want a few people to be able to create datasets based on specific tables of the connection, and then have a larger group of analysts use this data without being allowed to read other tables in this database.

In that configuration, the small group is granted the “freely use” permission on the database connection and creates the datasets in a project, and the larger group is granted read/write access to the project. The analysts are able to read the data, but cannot access other tables from the database in any way.

Per-user credentials for connections

Note

While this feature is distinct from the multi-user-security feature, it is only available for multi-user-security enabled DSS licenses.

This feature is experimental as of DSS 4.0.

For DSS connections which require credentials (most SQL connections, MongoDB, FTP, ...), the administrator can configure the connection so that instead of having a global service credential, each user can enter his personal credentials. Each action on the database performed by this user will use his personal credential.

User credentials are stored encrypted, but since DSS needs to send them to the external systems, DSS administrators are technically able to decrypt these credentials.

To configure a connection with per-user credentials:

  • Go to Administration > Connections and select the connection
  • In “Connections credentials”, select “Per-user”
  • Save the connection

Users can then enter their personal credentials by going to their profile > connection credentials.

Note that in this mode, there is no longer any global credential. Thus, it is not possible to test a connection immediately, because no credentials are available. The proper initialization sequence for a new connection is thus:

  • The admin enters connection details, but no credentials, and enables per-user credentials
  • The admin saves the new connection
  • The admin goes to his profile and enters his credentials
  • The admin can then go back to the connection’s page and test the connection

Personal connections

You can grant user groups the permission to create their own connections. Connections are normally only created by the DSS administrator. By granting this “personal connection” permission, end users can create their own connections.

This feature is only available for connections for which a credential is required (most SQL connections, MongoDB, FTP, ...). The connection can only be “freely used” by its creator (see the beginning of this section).