Security and Access Control

Each Deephaven end-user requires a unique private key, or username and password. Users are created in the Deephaven Console. Only users with Deephaven admin rights can create new users.

To access the ACL Editor from the Deephaven Console, click the Advanced button and select ACL Editor. (Note: A user must be a member of the acl-editors group to view or open the ACL Editor.)


Enter a new panel title if desired, or click OK to accept the default.


The ACL DB Editor can then be used to add or update users, groups, and table permissions.


MySQL vs. LDAP

By default, Deephaven user permissions are stored in a local MariaDB (MySQL) database. Alternatively, the Authentication Server allows the use of Lightweight Directory Access Protocol (LDAP) to validate usernames and passwords. This is convenient for customers who already have users in a directory server such as Microsoft Active Directory.

Please refer to the LDAP Configuration Guide for instructions on how to configure Deephaven to use LDAP instead of MariaDB (MySQL).

Group List

When creating persistent queries or dashboards, Deephaven provides drop-down lists of available groups (and users, since each user belongs to a group with the same name). This cannot be disabled for the Swing UI. Users with access to Code Studio can also retrieve these lists. By default, users will see all groups and users.

For web-only users who do not have access to the Swing UI or Code Studio, the list of groups shown by the Query Monitor permissions tab and Dashboard sharing menu may be filtered to include only the groups that the current user belongs to. To enable filtering, set the property webapiservice.allowUnfilteredGroupList to the list of groups that should have access to the full user list. Other users only have access to the filtered group list. For example, webapiservice.allowUnfilteredGroupList=iris-acleditors,iris-superusers would allow ACL editors and superusers to view the full list and share queries with any user or group. Users who are not in those groups would see only the groups to which they belong.
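The visibility rules above can be modelled in a few lines to check who would still see the full list once the property is set. This is an added example, not Deephaven code: the function names, the sample users and groups, and the treatment of an empty property value (nobody gets the full list) are assumptions.

```python
PROP = "webapiservice.allowUnfilteredGroupList"

# Constructed sample data: the property line is the one from the text,
# the users and their groups are made up for illustration.
SAMPLE_PROPS = (
    "# constructed sample\n"
    "webapiservice.allowUnfilteredGroupList=iris-acleditors,iris-superusers\n"
)
MEMBERSHIPS = {
    "alice": {"iris-superusers", "traders"},
    "bob": {"traders"},
    "carol": {"research"},
}


def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def visible_groups(props, user, memberships, web_only):
    """Return the set of groups (and same-named users) that `user` can list."""
    all_groups = set(memberships) | set().union(*memberships.values())
    # Every user also belongs to a group with the same name.
    own = memberships[user] | {user}
    # Swing UI and Code Studio users can retrieve the full list regardless.
    if not web_only:
        return all_groups
    # Property not set: default behaviour, all groups and users are visible.
    if PROP not in props:
        return all_groups
    # Assumption: an empty value means no group is granted the full list.
    allowed = {g.strip() for g in props[PROP].split(",") if g.strip()}
    return all_groups if own & allowed else own
```

When reviewing exposure, note the `web_only` branch: setting the property hides nothing from an account that also has Swing UI or Code Studio access.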