Security

Warning

Important note about copy.fail (CVE-2026-31431)

Like all Linux-based machines since 2017, virtual machines and containers running Dataiku are affected by the copy.fail vulnerability. This notably affects the isolation provided by UIF, allowing regular users to break out of the isolated Unix user.

For Dataiku Cloud, the mitigation has already been applied on our whole infrastructure. No further action is required.

For Dataiku Custom installs, the OS is not managed by Dataiku. Please liaise with your OS provider. The “rmmod” mitigation shown at https://copy.fail/#mitigation may work. Note that it’s known not to work on RedHat 9 and derived distributions since the module is builtin

For Dataiku Cloud Stacks installs, please use the following procedure:

Run, as root:

dnf update --security
reboot

Note that if you reprovision, you must run it again.

For containerized execution and Dataiku itself running in containers, please refer to instructions from your Kubernetes cluster provider.

Warning

Important note about dirtyfrag.io / Copy Fail 2 (CVE-2026-43284 / CVE-2026-43500)

Like all Linux-based machines since 2017, virtual machines and containers running Dataiku are affected by the dirtyfrag.io vulnerabilities. This notably affects the isolation provided by UIF, allowing regular users to break out of the isolated Unix user.

For Dataiku Cloud, the mitigation has been applied on our whole infrastructure. No further action is required.

For Dataiku Custom installs, the OS is not managed by Dataiku. Please liaise with your OS provider. The mitigations shown at https://dirtyfrag.io may work.

For Dataiku Cloud Stacks installs, please use the following procedure:

Run, as root:

dnf update --security
reboot

Note that if you reprovision, you must run it again.

For containerized execution and Dataiku itself running in containers, please refer to instructions from your Kubernetes cluster provider.

• Authentication
  • Multi-Factor Authentication
  • Configuring LDAP authentication
    • Connecting to a LDAP directory
      • Connection parameters
      • User mapping parameters
      • Group mapping parameters
      • On-demand provisioning
    • LDAP directory configuration templates
      • Standard LDAP directory using RFC2307 schema
      • Standard LDAP directory using RFC2307bis schema
      • Microsoft Active Directory
      • RedHat Identity Management and FreeIPA servers
    • Using secure LDAP connections
    • Managing users
    • Managing groups
  • Single Sign-On
    • Users supplier
      • Using SSO provisioning
      • Using an other external user source
      • Using local users
    • OpenID Connect (OIDC)
      • About OIDC
        • Glossary
        • Compatibility
        • OIDC features supported by DSS
        • How OIDC looks like with DSS
      • Setup OIDC in DSS
        • Registering a service provider entry for DSS on the identity provider.
        • Configuring DSS for OIDC authentication.
          • IDP configuration
          • OIDC Client configuration
          • Examples of scopes by IDPs
        • Mapping to the DSS user
        • User Supplier
        • Testing OIDC SSO
    • SAML
      • About SAML
        • Compatibility
      • Setup SAML in DSS
        • Registering a service provider entry for DSS on the identity provider.
        • Configuring DSS for SAML authentication.
          • Optional: configuring signed requests
        • Choosing the login attribute
        • Login remapping rules
        • User Supplier
        • Testing SAML SSO
      • Troubleshooting
        • Assertion audience does not include issuer
        • Response is destined for a different endpoint
        • DSS would not start after configuring SAML SSO
        • Login fails with “Unknown user <SOME_STRING>”
        • No acceptable Single Sign-on Service found
    • SPNEGO / Kerberos
      • Keytab mode
      • Custom JAAS mode
      • Login remapping rules
      • Configuring SPNEGO SSO
      • Troubleshooting
  • Azure AD
    • Configuration
      • Azure portal
      • DSS security settings
        • Connection credential
        • User Mapping
        • On-Demand Provisioning
        • User Profiles
        • Testing
        • Permissions
    • Troubleshooting
  • Custom Authenticator and/or User Supplier
    • Packaging the plugin
    • DSS security settings
  • Authentication and user provisioning
  • Supported authenticators and user suppliers
    • Authenticators
    • User suppliers
  • Mapping profiles and groups
  • Synchronizing user attributes
  • Advanced functionalities
    • Supporting multiple authenticators and user suppliers
    • Example scenarios
      • Situation 1: Alice connects to DSS
      • Situation 2: Bob connects to DSS
      • Situation 3: Charlie connects to DSS
• Project Access
  • Discoverable projects
  • Private projects
  • Access Requests
    • Initiating a project access request
    • Managing a project access request
• Project folders - defaults and access
  • Project folder access and permissions
  • Project folder visibility rules
  • Folder creation configuration
    • Per-user folders
• Main project permissions
  • Per-project group permissions
    • Admin
    • Edit permissions
    • Read project content
    • Write project content
    • Publish to Data Collections
    • Publish on workspaces
    • Export datasets
    • Run scenarios
    • Read dashboards
    • Write dashboards
    • Manage authorized objects
    • Manage shared objects
    • Execute app
  • Project owner
  • Project visibility
  • Per-project single user permissions
  • Sharing project via email
  • Sharing dashboards via email
  • Global group permissions
    • Projects creation
    • Workspaces
    • Data Collections
    • Code execution
    • Code envs & Dynamic clusters
    • Advanced permissions
    • Write unisolated code: details
      • Regular security mode
      • User isolation enabled
  • Multiple group membership
• Connections security
  • Securing access to connections
  • Reading details of a connection
  • Per-user credentials for connections
  • Personal connections
• User profiles
• Shared objects
  • Quick and managed sharing
  • Sharing objects between projects via managed sharing
  • Sharing objects between projects via quick sharing
  • Permissions on shared objects
    • Dataset
    • Managed folder
    • Saved model
    • Agents & Agent tools
    • Other objects
  • Initiating an object-sharing request
  • Managing an object-sharing request
• Authorized objects
  • Scope
  • Adding objects to “Authorized objects” list
  • Details by object type
    • Dataset
    • Saved model
    • Managed folder
    • Jupyter notebook
    • Web app
    • Scenario
• User secrets
  • Entering user secrets
  • Using user secrets
    • Python
    • R
• Audit Trail
• Govern Security: Permissions
  • Global Permissions: Administrator & Govern Architect
  • Roles and Permissions
    • User actions
    • Roles Assignment
      • Roles Assignment Rules
        • User & API Keys selection
        • Criteria
      • Roles Inheritance
        • Blueprint Inheritance
        • Artifact Inheritance
    • Permissions
      • Artifact Permissions
        • Configuration per Role
        • Configuration for Everyone
      • Blueprint and Blueprint Version Permissions
• Passwords security
  • Local passwords database or not
  • Passwords complexity
  • Encryption of the local passwords database
  • 3rd party system credentials
• Advanced security options
  • Hiding error stacks
  • Hiding version info
  • Using secure cookies
  • Expiring sessions
    • DSS version ≥ 14.3.0
    • DSS version < 14.3.0
  • Forcing a single session per user
    • DSS version ≥ 14.3.0
    • DSS version < 14.3.0
  • Restricting visibility of groups and users
  • Redirecting to a custom URL after logout
  • Example general-settings.json file
  • Restricting types of files that can be uploaded in wikis
  • Restricting exports
  • Setting security-related HTTP headers
  • Allowing DSS to be hosted inside an iframe
  • Preventing links to be clickable in data tables
  • Allowing DSS users to edit their display names and emails
• Stories security
  • Authentication
  • Authorization
  • Internal databases credentials
  • Audit trail
• Messaging Channels Permissions