Manage Access Control with Dashboard

Managing access control with the TerminusDB local dashboard

This article is a beginner's guide to managing organizations/teams and users with the TerminusDB dashboard.

In this article, we’ll do the following:

  • Install the local TerminusDB dashboard

  • Provide an overview of the default admin login and screens

  • Go through the administration and access control mechanisms to create new roles, users, and teams and connect them to data products.

Install the Dashboard

Install and run TerminusDB as a Docker container, also referred to as TerminusDB bootstrap.

When installed, TerminusDB creates an admin user and an admin team by default. The admin user has the privileges to manage data products and to create teams and users.

Go to http://localhost:6363/dashboard and start to build your teams, users, and data products.

Login to TerminusDB

Log in to the TerminusDB Dashboard using your admin credentials. If you did not change it, the default admin password is root.

  1. Fill in the form with the user name (admin) and your admin password

  2. Press "Login"

  3. You'll be redirected to the dashboard home page

Dashboard Home Page

On the home page, you'll find a list of teams (referred to as Organizations in the TerminusDB System Database).

Select an existing team or create a new one. If no team is created or selected, some of the dashboard functionalities are disabled.

The Create a new Team button is enabled only for the admin user.

The admin can create a new personal team in which they are the admin, and can also create additional teams and users and configure user roles using the administrator interface.

Creating a new team for the admin user

  1. Click the button Create a new Team

  2. The Create new team window will pop up

  3. Insert the team name in the input field (the team name must be unique)

  4. Click Create Team button

  5. You will be redirected to the Team home page

Team Home Page

The top bar from right to left displays:

  • The user role

  • The user name

  • The team name

Create a New Data Product

  • Select the New Data Product button

  • Enter the Data Product ID and name

  • Click Create Data Product button

Administration and Access Control

The administrator interface provides a visual console to easily administer TerminusDB teams and data products. In order to create roles, users, and teams, you need to be logged in as the admin.

Access the User Management section from the top bar.

Full documentation and all the definitions can be found here

Create a new Role

We are going to create four different roles: appAdmin, reader, writer, and schema_writer.

  • Navigate to the User Management section

  • Select the Roles tab

  • Select Create a new Role and a pop-up window will appear

  • Insert the role name and select the role permissions

  • Click Create Role button and a new role will be created

Repeat these steps for the other roles; the actions granted to each role are shown in the image below.

Create New Users

We are going to create three new Users:

User_01, User_02, and User_03, all with the default password "NO_KEY"

  • Select the Users tab

  • Select Create a new User and a pop-up window will appear

  • Insert the user name and NO_KEY as the password

  • Click Create User Button and a new User will be created

Repeat these steps for the three users.

The new users are currently unrelated to any teams.

Next, we’ll get your teams up and running.

Create a New Team

We are going to create three new teams: team_01, team_02, and team_03.

  • Select the Teams tab

  • Select Create New Team and a pop-up window will appear

  • Insert the team name

  • Click the Create Team button and a new Team will be created

  • Repeat these steps for the other two teams.

The new teams are not currently linked with any users.

Add Users to Team_01

We are going to add users to team_01, assigning them roles:

  • Choose the Teams tab

  • In the team_01 row, select the Show Team Users icon

  • Select Add Users to team_01 Team

  • From the drop-down list, select User_01 and check the appAdmin role

  • Click Send. User_01 can now access team_01 and all the data products under the team with the role appAdmin

Repeat the same steps for the other users:

User_01 -> role -> reader

User_02 -> role -> reader/writer

Then do the following:

  • Connect team_03 with User_01 with a role appAdmin

  • Connect team_02 with User_02 with a role appAdmin

Log in with the User_01

Now we are going to log in with User_01:

  • From the top bar, select Logout

  • You will be redirected to the login page

  • Insert the user name and password - User_01 and NO_KEY

  • Press the Login button

User_01 Teams Home Page

When you first sign in, you will see a list of the teams associated with this user. Select team_01.

There are no data products associated with the team, so first we’ll create two new data products.

  • Press the New Data Product button and name it dataproduct_01

  • Repeat the process and name this one dataproduct_02

On the top bar, you will see from right to left:

  • The user's team role(s): appAdmin

  • The user name: User_01

  • The selected team name: team_01

User_01 has the access privileges to create new data products and manage them.

Create a Schema

  • Select the Data Product Model icon from the icons menu on the left

  • Select JsonView on the Data Product Model page and copy the following schema into it

  • Select the save icon

[
    {
        "@base": "terminusdb:///data/",
        "@schema": "terminusdb:///schema#",
        "@type": "@context"
    },
    {
        "@id": "Person",
        "@key": {
            "@fields": [
                "name"
            ],
            "@type": "Lexical"
        },
        "@type": "Class",
        "name": "xsd:string"
    }
]

User_01 has appAdmin privileges, so as you navigate around the dashboard you can see that they can perform all the actions. For example, select the "document explorer" button on the left and insert a new Person document.

Connect with User_02

  • Select Logout from the upper user menu

  • You'll be redirected to the login page

  • Insert the credentials - User_02, password NO_KEY

  • Press Login button

  • From the teams home page, select team_01

  • You'll arrive on the team_01 main page

  • From the left menu, select dataproduct_01

On the top bar, from right to left, you can see the user role "reader", the user name User_02, and the team name team_01.

The user does not have permission to create databases within team_01, so the New Data Product button is hidden.

The user has the schema_read permission level, so from the "Data Product Model" section they can see the schema graph in view mode only.

Data Product Level Permissions

Log in with the admin user again (the admin user is the only one that can manage teams, user roles, and capabilities).

  • Select Logout from the top menu bar

  • You'll be redirected to the login page

  • Insert admin and your admin password (default is root)

  • Select User Management from the top user menu to navigate to the access control management interface

  • From the team list table, select the green icon in the team_01 row

  • From the "team_01 -- Team Users Roles" table list, select the green icon in the User_02 row

The user has no specific permissions at the data product level, but each data product inherits the team-level access, in this instance the reader role.

In the User_02 Dataproducts Roles table list, in the dataproduct_02 row:

  • Select the green Add database user roles icon

  • The Add Database new_data_product_02 roles window displays

  • Select the schema_writer and writer roles from the list

  • Click Send

Check the new User_02 Permission

Log in as User_02 (password NO_KEY) and select team_01.

  • On the team_01 home page, select the dataproduct_02 from the data products pane

  • On the top bar, from right to left you will see:

    • User roles - reader + schema_writer + writer

    • The user name User_02

    • The selected Team team_01

As you can see, User_02 can now edit the schema in dataproduct_02.

Now select dataproduct_01: you will see that the user's role is reader, so User_02 can only view the schema for this data product.
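The permission resolution this walkthrough demonstrates, as an added example that is not TerminusDB's or the dashboard's own code: roles granted at team scope are inherited by every data product in the team, and roles granted on a single data product add to them. The role names are the page's; the action names inside each role and the effectiveRoles/can helpers are assumptions for illustration.

```javascript
// Added example (not TerminusDB code): a small model of how the dashboard
// walkthrough resolves a user's permissions on a data product.
// Role names follow the page; the action names inside each role are assumed
// for illustration and only approximate TerminusDB's capability actions.
const ROLES = {
  appAdmin: ["create_database", "delete_database", "schema_read_access",
             "schema_write_access", "instance_read_access", "instance_write_access"],
  reader: ["schema_read_access", "instance_read_access"],
  writer: ["instance_read_access", "instance_write_access"],
  schema_writer: ["schema_read_access", "schema_write_access"],
};

// Constructed grants mirroring the walkthrough. A grant with dataProduct: null
// is team-scoped and applies to every data product in that team; a grant
// naming a data product applies to that data product only.
const GRANTS = [
  { user: "User_01", team: "team_01", dataProduct: null, roles: ["appAdmin"] },
  { user: "User_02", team: "team_01", dataProduct: null, roles: ["reader"] },
  { user: "User_02", team: "team_01", dataProduct: "dataproduct_02",
    roles: ["schema_writer", "writer"] },
];

// Effective roles = union of team-scoped roles and data-product-scoped roles.
// Grants from other teams never apply, whatever the data product is called.
function effectiveRoles(user, team, dataProduct, grants = GRANTS) {
  const roles = new Set();
  for (const g of grants) {
    if (g.user !== user || g.team !== team) continue;
    if (g.dataProduct === null || g.dataProduct === dataProduct) {
      g.roles.forEach((r) => roles.add(r));
    }
  }
  return [...roles].sort();
}

// An action is allowed if any effective role carries it. A role name that is
// not defined contributes no actions rather than throwing.
function can(user, team, dataProduct, action, grants = GRANTS) {
  return effectiveRoles(user, team, dataProduct, grants)
    .some((r) => (ROLES[r] || []).includes(action));
}

// Team-level check with no data product selected (dataProduct = null), so only
// team-scoped grants count: this is what decides whether the New Data Product
// button is shown for a user on the team home page.
function canCreateDataProduct(user, team, grants = GRANTS) {
  return can(user, team, null, "create_database", grants);
}
```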

Further Reading

Access Control Documentation

Access Control JavaScript Reference Guide

Manage Access Control with the JavaScript Client
