How do I restrict users from deleting a shared Dataflow?

Dataflow Automation

What do I need to know?

If you're familiar with the above topics, please skip to the section below.


What is a Dataflow?

Zerion Dataflows provide organizations Big Data capabilities including long term storage, data management, processing and integration without having to invest millions of dollars and a dedicated team.

Click here for more information on Dataflows. 


How do I create a Dataflow?

For detailed instructions on how to create a Dataflow, please have a look at this article HERE.


What are the benefits of sharing a Dataflow?

Sharing a Dataflow allows members of your team to work on the same Dataflow. It is also a useful tool for allowing the Zerion support team to help troubleshoot issues with a particular Dataflow and to detect/debug a troublesome Dataflow.


How do I share a Dataflow I created?

For detailed instructions on how to share a Dataflow, please have a look at this article HERE.


How do I restrict users from deleting a shared Dataflow?

If a user has permission to edit and delete Dataflows, they will be able to perform these actions on any Dataflow shared with them. The steps below show you how to restrict a user's ability to delete a Dataflow you have shared with that user.

Step 1

From inside the Zerion Console, select Identity Access Management.


Step 2

On the left-hand menu, click Groups.


Step 3

Click Create.


Step 4

Name your Group and select Next.  

PLEASE NOTE: We recommend naming it something like Dataflow Self Delete Only.


Step 5

Choose the users you wish to add to the Group and click Create. Remember to scroll up and down and to cycle through pages of users.


Step 6

From the left-hand menu, select Policies.


Step 7

Click Create.


Step 8

Name your Policy and select Create a New Custom Policy.


Step 9

Paste the policy below and click Next. PLEASE NOTE: Replace server_name with your company name in both resource values.

[
    {
        "effect": "allow",
        "actions": [
            "dfa::*"
        ],
        "resources": [
            "zws::servers::server_name::dfa::dataflows::self"
        ]
    },
    {
        "effect": "allow",
        "actions": [
            "dfa::create::dataflows",
            "dfa::create::inputActions",
            "dfa::create::postActions",
            "dfa::create::recordSets",
            "dfa::create::records",
            "dfa::create::reports",
            "dfa::export::records",
            "dfa::list::dataflows",
            "dfa::list::inputActions",
            "dfa::list::postActions",
            "dfa::list::recordSets",
            "dfa::list::records",
            "dfa::list::reports",
            "dfa::update::dataflows",
            "dfa::update::inputActions",
            "dfa::update::postActions",
            "dfa::update::recordSets",
            "dfa::update::records",
            "dfa::update::reports"
        ],
        "resources": [
            "zws::servers::server_name::dfa::dataflows::*"
        ]
    }
]


Step 10

Skip the add users page, select the Group you created and click Create.



Policy Explanation

The above policy is a combination of two permissions.

  • The first permission allows all Dataflow actions to be performed on Dataflows the user created. This is done through the ::self identifier in the permission resource.
  • The second permission allows all Dataflow actions except delete actions. This permission applies to all Dataflows on the server.

The end result is that users can only delete Dataflows they created, but may perform all other actions on Dataflows they create or that are shared with them.
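
To check a policy like this before attaching it to the Group, the sketch below models the two statements and confirms the end result described above. It is an added example, not Zerion's code: it assumes allow statements combine as a union, that action patterns match as simple wildcards, and that the delete action is named dfa::delete::dataflows after the page's naming pattern; is_allowed, delete_grants_beyond_self, POLICY and TOO_BROAD are illustrative names.

```python
from fnmatch import fnmatchcase

BASE = "zws::servers::server_name::dfa::dataflows::"  # server_name: article's placeholder
# Shortened copy of the article's policy (second statement cut to four of its actions).
POLICY = [
    {"effect": "allow", "actions": ["dfa::*"], "resources": [BASE + "self"]},
    {"effect": "allow",
     "actions": ["dfa::create::records", "dfa::export::records",
                 "dfa::list::dataflows", "dfa::list::records"],
     "resources": [BASE + "*"]},
]
DELETE = "dfa::delete::dataflows"  # assumed name, following the page's action pattern


def is_allowed(policy, action, owned_by_caller):
    """Assumed semantics: a request passes if any allow statement matches it.
    '::self' covers only Dataflows the caller created; any other resource
    is treated here as covering every Dataflow on the server."""
    for stmt in policy:
        if stmt.get("effect") != "allow":
            continue
        if not any(fnmatchcase(action, pat) for pat in stmt["actions"]):
            continue
        if any(owned_by_caller or not res.endswith("::self")
               for res in stmt["resources"]):
            return True
    return False


def delete_grants_beyond_self(policy, delete_action=DELETE):
    """Indexes of allow statements that let a member delete Dataflows they
    did not create, e.g. 'dfa::*' attached to a '::*' resource."""
    risky = []
    for i, stmt in enumerate(policy):
        grants_delete = any(fnmatchcase(delete_action, p) for p in stmt["actions"])
        beyond_self = any(not r.endswith("::self") for r in stmt["resources"])
        if stmt.get("effect") == "allow" and grants_delete and beyond_self:
            risky.append(i)
    return risky


# Constructed counter-example: the wildcard pasted into the server-wide statement.
TOO_BROAD = [POLICY[0], {**POLICY[1], "actions": ["dfa::*"]}]

if __name__ == "__main__":
    print("delete own:", is_allowed(POLICY, DELETE, True))
    print("delete shared:", is_allowed(POLICY, DELETE, False))
    print("risky statements in TOO_BROAD:", delete_grants_beyond_self(TOO_BROAD))
```

An empty list from delete_grants_beyond_self means no statement extends delete rights past the ::self resource; any index it returns points at the statement to narrow.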

 
