Authorization Enhancements

The following authorization enhancements were made in Zoomdata 4:

  1. Roles are no longer used to authorize the use of Zoomdata data sources and other features. The concept of roles has been removed from the product and the Admin, User, and Groups Only roles have been removed.

    Instead, all users must now be assigned to groups that determine their ability to use data sources and other Zoomdata features. Two non-deletable groups are supplied by Zoomdata:

    • Administrators: Users that are assigned to the Administrators group for an account are administrators of the account. This group is functionally synonymous with the legacy Admin role. Management of this group can now only be performed by another member of the Administrators group or by a user in a group with all of the following privileges: Can Administer Users, Can Administer Groups, and Can Administer Dashboards.
    • View All: Users assigned to the View All group are allowed to view all existing data sources and shared dashboards in the account. This group is functionally synonymous with the legacy User role.

    You can define additional groups with different authorization settings to provide the different authorization levels required by your organization.

    When you upgrade to Zoomdata 4, the upgrade code automatically converts your existing user definitions:

    • Any users assigned the Groups Only role are migrated unchanged, but without the role assignment. They remain assigned to the groups you had assigned them to before.
    • Any users who had been assigned the User role are assigned to the new View All group.
    • Any users who had been assigned the Admin role are assigned to the new Administrators group. In addition, if you already had a group defined that was named "Administrators," the upgrade code will rename it to a name in the format Administrators-<uuid>, where <uuid> is the universally unique identifier of the group definition.

    See Authorize Zoomdata v4 Access.

  2. A new Zoomdata-supplied superaccount is now visible in the list of Zoomdata accounts. It is a dedicated and permanent account that cannot be deleted. Its sole purpose is for the maintenance of other Zoomdata accounts and other supervisory Zoomdata functions.

    The supplied supervisor user can only be assigned to the superaccount. Other users can also be assigned to the superaccount. Users assigned to the superaccount have full access to the Zoomdata supervisor UI and its supervisory functions.

    See Managing Zoomdata Account Definitions, About the Supplied Zoomdata Accounts, and Supplied User Definitions.

  3. The following new group privileges were added:

    • Can Administer Dashboards: Lets group members add, modify, or remove dashboards in the account, including dashboards created by other users.

    • Can Administer Groups: Lets group members add or remove group definitions as well as assign and remove users in a group definition. This privilege also lets group members restrict the ability to read, edit, and delete specific data source configurations in group definitions and authorize users in groups to perform specific Zoomdata functions.

      This privilege does not allow group members to add or otherwise maintain user definitions.

    • Can Administer Users: Lets group members add, disable, and remove user definitions as well as reset user passwords and define user custom attributes and regional settings.

      This privilege does not allow group members to update groups or the groups to which a user is assigned.

    • Can Invoke Actions: Lets group members invoke an action from a chart. Users in the Administrators group are granted permission for this privilege by default.

    • Can Manage Action Templates: Lets group members define and manage the application integration with Zoomdata using an action template. Action templates are data source-specific and provide specifics about the integration between the external application and the data source. Users in the Administrators group are granted permission for this privilege by default. See Defining an Action Template.

    • Can Manage Connections: Lets group members add, modify, or remove data store connection definitions.

      A user without the Can Manage Connections privilege cannot add a data source configuration to Zoomdata if data store connections have not previously been defined.

    See Group Privilege Reference and Managing Group Definitions.

  4. The following changes to supervisor functions were made:

    • More than one Zoomdata supervisor user can now be defined. In past releases, only a single supervisor existed. If a user definition is assigned to the superaccount, the user becomes a Zoomdata supervisor. See Adding and Removing Supervisors and About the Supplied Zoomdata Accounts.

    • The supplied supervisor definition can now be enabled and disabled. See Enabling and Disabling the Supplied Supervisor User. In addition, the supplied supervisor user can only be assigned to the superaccount. It cannot be assigned to any other accounts.

    • The ability for a supervisor to manage data sources, dashboards, and charts for an account has been deprecated. Data source, dashboard, and chart management for an account can still be performed by administrators and by users with the appropriate permissions, but the supervisor can no longer perform these functions.

    • Zoomdata supervisors can no longer create group definitions. Only Zoomdata administrators can maintain group definitions.

    • Zoomdata supervisors can still create and remove user definitions and can assign users to accounts, but only in the Manage Users section of the supervisor UI, not in the account management section.

    • Zoomdata supervisors can no longer change or reset user passwords. They can only provide an initial password for a new user definition and can change their own password.

    • When supervisors create a new user, the user is not assigned to any groups by default. Only Zoomdata account administrators can assign the user to groups.

      The only exception is when a supervisor creates a new account. In this case, the supervisor can assign an existing user or create a new user to act as an administrator of the account, which automatically assigns that user to the Administrators group. After the account has been created, only Zoomdata administrators can change the administrators of an account. See Modifying Account Administrators.

  5. The zoomdata scheduler user has been removed and is no longer used for scheduled data source refreshes. Instead, the controls for scheduled data source refreshes are now set in the connection definitions used by Zoomdata to connect to your data stores.
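
The upgrade conversion described in item 1, modeled as an added example (not Zoomdata code) so that post-upgrade group memberships can be compared with what these notes predict. The dictionary shapes, the shortened group ids standing in for UUIDs, and the user names are constructed for illustration.

```python
# Legacy role -> group supplied by Zoomdata 4, per the upgrade notes above.
ROLE_TO_SUPPLIED_GROUP = {
    "Admin": "Administrators",
    "User": "View All",
    "Groups Only": None,  # migrated unchanged, role assignment dropped
}

def expected_after_upgrade(users, groups):
    """Return (renamed_groups, memberships) predicted by the upgrade notes.

    users:  {username: {"role": str, "groups": [group_id, ...]}}
    groups: {group_id: group_name}; group_id stands in for the group's UUID
    Both shapes are constructed for this example, not a Zoomdata format.
    """
    # A pre-existing custom group named "Administrators" is renamed so it
    # cannot be confused with the supplied Administrators group.
    renamed = {
        gid: f"Administrators-{gid}" if name == "Administrators" else name
        for gid, name in groups.items()
    }
    memberships = {}
    for user, rec in users.items():
        if rec["role"] not in ROLE_TO_SUPPLIED_GROUP:
            raise ValueError(f"unknown legacy role for {user}: {rec['role']!r}")
        names = {renamed[gid] for gid in rec["groups"]}
        supplied = ROLE_TO_SUPPLIED_GROUP[rec["role"]]
        if supplied:
            names.add(supplied)
        memberships[user] = names
    return renamed, memberships

def membership_drift(expected, actual):
    """Return {user: (missing, unexpected)} where observed groups differ."""
    drift = {}
    for user in sorted(set(expected) | set(actual)):
        want, have = expected.get(user, set()), set(actual.get(user, ()))
        if want != have:
            drift[user] = (sorted(want - have), sorted(have - want))
    return drift

# Constructed sample: legacy state and an observed post-upgrade state.
LEGACY_GROUPS = {"1f0c": "Administrators", "9a2e": "Finance"}
LEGACY_USERS = {
    "alice": {"role": "Admin", "groups": []},
    "bob": {"role": "User", "groups": ["9a2e"]},
    "carol": {"role": "Groups Only", "groups": ["1f0c"]},
}
OBSERVED = {"alice": ["Administrators"], "bob": ["View All", "Finance"],
            "carol": ["Administrators"]}
```

In the constructed sample, carol belonged only to a custom group that happened to be named "Administrators", so the drift report flags her observed membership in the supplied Administrators group as unexpected.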

See Authorize Zoomdata v4 Access.
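
An added example, not Zoomdata code, that lists which users can manage the Administrators group under the rule in item 1 and which users hold the three privileges only when their groups are combined. It assumes a literal reading of that rule (a single group must carry all three privileges); the group names, user names and data shapes are constructed.

```python
# The three privileges that, held together by one group, allow management
# of the Administrators group (names taken from the privilege list above).
REQUIRED = frozenset({
    "Can Administer Users",
    "Can Administer Groups",
    "Can Administer Dashboards",
})

def administrators_group_managers(group_privs, user_groups):
    """Return {user: reason} for users able to manage the Administrators group.

    group_privs: {group_name: set of privilege names}   (constructed shape)
    user_groups: {username: set of group names}         (constructed shape)
    """
    result = {}
    for user, groups in sorted(user_groups.items()):
        if "Administrators" in groups:
            result[user] = "member of Administrators"
            continue
        full = sorted(g for g in groups if REQUIRED <= group_privs.get(g, set()))
        if full:
            result[user] = "via group " + ", ".join(full)
    return result

def split_privilege_users(group_privs, user_groups):
    """Users whose groups together cover REQUIRED although no single group does.

    Under the literal reading they do not qualify today, but one group edit
    would change that, so they are worth a look during access reviews.
    """
    managers = administrators_group_managers(group_privs, user_groups)
    flagged = []
    for user, groups in sorted(user_groups.items()):
        combined = set().union(*(group_privs.get(g, set()) for g in groups))
        if user not in managers and REQUIRED <= combined:
            flagged.append(user)
    return flagged

# Constructed sample groups and assignments.
GROUP_PRIVS = {
    "Ops Leads": set(REQUIRED) | {"Can Manage Connections"},
    "User Admins": {"Can Administer Users"},
    "Content Admins": {"Can Administer Groups", "Can Administer Dashboards"},
}
USER_GROUPS = {
    "alice": {"Administrators"},
    "dave": {"Ops Leads"},
    "erin": {"User Admins", "Content Admins"},
    "frank": {"User Admins"},
}
```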