DataWarehouse LDAP Groups

Synchronizing LDAP groups with DataWarehouse permissions

Datawarehouse uses a system of permissions (table based) and authorizations (object based) to limit the read and write access users have across the platform.

For more information about permissions and authorizations, check DataWarehouse permissions documentation.

To manage these permissions it’s possible to synchronize them with LDAP groups. On our DataWarehouse instance, these groups are mirrored from Rover groups. This means that to give an user certain permission it’s necesary to add them to the correct Rover group and wait for these to be synchronized (currently this happens hourly).

Groups

The following groups are currently defined:

Being member of this group gives the user authorization to write objects related to the internal policy.

Being member of this group gives the user authorization to write objects related to the public policy. These are already readable by anyone.

Being member of this group gives the user permission to write tables related to triaging issues.

Granting Internal access

To allow users to read internal checkouts and issues, the users need to be added to the following group:

  • bz_redhat

Granting Triaging permissions

For users to be able to perform write operations -for example triaging- they need to have both permission and authorization.

The cki-datawarehouse-triager group grants users belonging to it permission to edit the issue-related tables, but that doesn’t grant the user the authorization necessary to edit the objects.

Triaging Public Issues

To grant users permission to only triage public checkouts and issues, the following groups are necessary:

  • cki-datawarehouse-triager
  • cki-datawarehouse-public-write

Triaging Internal Issues

To grant users permission to only triage internal checkouts and issues, the following groups are necessary:

  • bz_redhat
  • cki-datawarehouse-triager
  • cki-datawarehouse-internal-write

Triaging All Issues

To grant users permission to triage all checkouts and issues, the following groups are necessary:

  • bz_redhat
  • cki-datawarehouse-triager
  • cki-datawarehouse-internal-write
  • cki-datawarehouse-public-write
Last modified September 8, 2021: Update DW internal read group (9b7a3ea)