Teradata Data Mover Portlet: Job level security


Teradata Data Mover (version 13.10) introduced job-level security management, which allows users to specify access rights at the job level. Through the Teradata Data Mover Portlet, a Viewpoint user with access to the Data Mover Portlet can grant or revoke access rights on an individual Data Mover job for other Viewpoint users who have access to the Data Mover portlet.

This article will use the term “Data Mover user”, which will be equivalent to a "Viewpoint user with Data Mover portlet (TDM Portlet) access". It will also use the term “Data Mover Admin user”, which will be equivalent to a "Viewpoint user with Data Mover Setup portlet (TDMS Portlet) access".

Different levels of access rights

There are three different levels of access rights provided in TDM Portlet. The three levels are:

  1. View-Only: A user with ‘view-only’ permission can preview a job and view the job status of a previously executed job instance. A user with this permission cannot run a job.
  2. Execute: A user with ‘execute’ permission inherits all the rights specified in the ‘view-only’ level, as well as the ability to run/stop a job.
  3. Owner: A user who creates a job automatically becomes the owner of that job. The ‘owner’ inherits all the rights specified in ‘execute’ and ‘view-only’, as well as the ability to edit the job and its permissions. The job ‘owner’ cannot be modified.

Every Data Mover user has the ability to create a job via the New Job link found on the top-right of the ‘Saved Jobs’ screen. 

Every Data Mover Admin user has 'owner' level permissions on all Data Mover jobs.

Specifying Access rights when creating a TDM job via Portlet

After the overview above, let’s go through the steps to specify access rights when creating a TDM job via the Portlet. 

Enable the security management checkbox located in the TDMS Portlet. If the checkbox is not selected (checked), then all Data Mover users have ‘Owner’ level permissions on all existing and future Data Mover jobs.

Click on the New Job link on the 'Saved Jobs' screen. Set the Source and Target systems to dmdev and dmsmp respectively, and select the items1 table from user jg185041. Please refer to the following article to create the table & user.

Clicking on the Save button on the bottom right of the TDM Portlet will display another screen. The Sharing section of the screen is where a user can set permissions. Execute and View-only correspond to their respective permissions. Since the 'owner' permission cannot be modified, it is absent from the Sharing section. In our exercise, we have specified ‘user2’ to have ‘execute’ permission and ‘user3’ to have ‘view-only’ permission.

The job name will be access_rights_test. 

Clicking on the Save button on the bottom center will save the job.

You have successfully created a job with access rights via the TDM Portlet. The rest of the article will address how specifying access rights affects user access.

Access rights result

The TDM Portlet will only display jobs on which the user has 'View only', 'Execute', or 'Owner' level permissions (note: this will only happen if security management is enabled in the Data Mover Setup portlet). If a user does not have any permissions on a job, then he will not see the job in the 'Saved Jobs' screen.

If a user has 'View only', 'Execute' or 'Owner' level permissions, he will see the job in the 'Saved Jobs' screen, but the context menu for every job will only display the 'commands' the user has permission to use.
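The resolution rules described so far (the three inherited levels, the Data Mover Admin override, the security management checkbox and job visibility) can be modelled in a few lines to check what a given set of grants actually allows. This is an added sketch, not Teradata code or a Data Mover API: the command keys, the function names and the users `user1`, `user4` and `dm_admin` are hypothetical, and treating 'delete' as owner-only is this sketch's reading of the level descriptions.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEW_ONLY = 1
    EXECUTE = 2
    OWNER = 3

# Commands each level adds on top of the levels below it (this sketch's reading
# of the article's level descriptions; the key names are illustrative).
ADDED = {
    Level.VIEW_ONLY: {"preview", "view_status"},
    Level.EXECUTE: {"run", "stop"},
    Level.OWNER: {"edit", "edit_permissions", "delete"},
}

# Constructed sample data: the job and grants from the exercise.
# "user1", "user4" and "dm_admin" are hypothetical names.
JOBS = {"access_rights_test": {"owner": "user1",
                               "execute": {"user2"},
                               "view_only": {"user3"}}}
ADMINS = {"dm_admin"}  # users with Data Mover Setup portlet access

def effective_level(user, job, security_enabled=True, admins=ADMINS):
    """Resolve the level one user holds on one job."""
    if not security_enabled:  # checkbox cleared: every user is an owner
        return Level.OWNER
    if user in admins or user == job["owner"]:
        return Level.OWNER
    if user in job["execute"]:
        return Level.EXECUTE
    if user in job["view_only"]:
        return Level.VIEW_ONLY
    return Level.NONE

def allowed_commands(level):
    """Union of the commands added at this level and every level below it."""
    return set().union(*(cmds for lvl, cmds in ADDED.items() if lvl <= level))

def saved_jobs(user, jobs=JOBS, security_enabled=True, admins=ADMINS):
    """Jobs the user would see, each with its context-menu commands."""
    view = {}
    for name, job in jobs.items():
        level = effective_level(user, job, security_enabled, admins)
        if level > Level.NONE:  # no permission at all: job is hidden
            view[name] = sorted(allowed_commands(level))
    return view

if __name__ == "__main__":
    for u in ("user1", "user2", "user3", "user4", "dm_admin"):
        print(u, saved_jobs(u), "| security off:", saved_jobs(u, security_enabled=False))
```

Running it with security management off shows every user, including one with no grant, resolving to owner on the job, which is the state to look for when reviewing a Data Mover Setup configuration.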

'Owner' permission for the exercise

In our exercise, the Data Mover user who created the job will have the ‘Owner’ permissions. Notice that the user, as the 'owner', has the run/edit/delete/preview commands.

'Execute' Permission for the exercise

We gave user2 ‘execute’ permissions on access_rights_test. When user2 logs on to Viewpoint and clicks on the context menu of the TDM Portlet, user2 will see the 'commands' shown below. Notice the missing ‘Edit’ command.

'View only' Permission for the exercise

We gave user3 ‘view-only’ permissions on access_rights_test. When user3 logs on to Viewpoint and clicks on the context menu of the TDM Portlet, user3 will see the 'commands' shown below. Notice the missing ‘Run’ command.