Global User Management
Global user management in Tacnode provides centralized control over platform-level access and permissions across your entire Data Cloud environment. This system enables administrators to manage user access to Data Cloud instances, databases, and platform services from a single interface.
Understanding Data Cloud Roles
Tacnode uses a hierarchical role system for Data Cloud management, providing different levels of access and capabilities based on organizational needs.
Built-in Data Cloud Roles
Role | Full Name | Capabilities | Use Cases |
---|---|---|---|
admin | admin@{id}.dataclouds | Full platform administration | CTO, Data Engineering Leaders |
devops | devops@{id}.dataclouds | Infrastructure management | DevOps Engineers, Platform Teams |
viewer | viewer@{id}.dataclouds | Read-only platform access | Analysts, Reporting Users |
Role Capabilities Matrix
Admin Role (admin@{id}.dataclouds)
- Complete Data Cloud instance lifecycle management
- User and role management across the platform
- Access to all databases and nodegroups
- Platform configuration and settings management
- Billing and subscription management
DevOps Role (devops@{id}.dataclouds)
- Data Cloud instance operations and monitoring
- Nodegroup creation, scaling, and management
- Database deployment and configuration
- Performance monitoring and troubleshooting
- Infrastructure automation and scripting
Viewer Role (viewer@{id}.dataclouds)
- Read-only access to all Data Cloud resources
- Query execution on all accessible databases
- Monitoring dashboard and metrics viewing
- Report generation and data export
- Documentation and schema browsing
Role Hierarchy and Inheritance
Data Cloud Role Structure
The role hierarchy follows this structure:
- Admin: Top-level role with complete platform control
- DevOps: Operations-focused role with infrastructure management
- Viewer: Read-only role for data consumption and monitoring
Inheritance Rules:
- Admin role includes all DevOps and Viewer capabilities
- DevOps role includes all Viewer capabilities
- Viewer role provides baseline access for data consumption
Managing Data Cloud Permissions
Accessing Permission Management
- Navigate to Data Cloud Settings
  - Log into the Tacnode platform
  - Select Data Clouds from the main navigation
  - Choose your specific Data Cloud ID
  - Click Permission Management
- View Current Permissions
  - Review existing role assignments
  - Understand current user access levels
  - Identify permission gaps or overlaps
Adding Users to Data Cloud Roles
Step-by-Step Process:
- Select Target Role
  - Click Authorize User next to the appropriate role
  - Choose between admin, devops, or viewer based on user needs
- Specify User Email
  - Enter the email address of the intended user
  - Ensure the email is registered with the Tacnode platform
  - Verify the user's identity and authorization level
- Confirm Assignment
  - Review the role assignment details
  - Click OK to complete the assignment
  - User will receive notification of their new access
Database Access Authorization
After assigning Data Cloud roles, users need database-level access to connect and query data.
Prerequisites for Database Access
- User must have a registered Tacnode platform account
- User must be assigned to at least one Data Cloud role
- Database must be accessible within the Data Cloud
Granting Database Login Permissions
Using Administrator Account:
- Connect as Database Administrator
- Create Global User Account
Important: Only email addresses registered on the Tacnode platform are supported. Attempting to create users with unregistered emails will result in an error: ERROR: a role/user named auth@example.com has not been registered yet.
Superuser Caution: Granting superuser privileges provides unrestricted database access. Use this privilege sparingly and only for trusted administrators.
Best Practice: Fine-Grained Authorization
Instead of granting broad permissions, implement role-based access control with specific database roles:
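One way to lay this out, as an added example that is not taken from the Tacnode documentation: it uses standard PostgreSQL role and grant statements and assumes Tacnode accepts them unchanged. The sales schema, the sales_reader and sales_writer roles, and the email addresses are hypothetical, and writing the registered email as a quoted role name is an assumption based on the error message above.

```sql
-- Added example: standard PostgreSQL statements; Tacnode compatibility is assumed.
-- Schema "sales", roles "sales_reader"/"sales_writer" and the email addresses
-- are hypothetical placeholders.

-- 1. Functional roles: they carry privileges but cannot log in themselves.
CREATE ROLE sales_reader NOLOGIN;
CREATE ROLE sales_writer NOLOGIN;

-- 2. Read path: schema usage plus SELECT on the tables that exist today.
GRANT USAGE ON SCHEMA sales TO sales_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA sales TO sales_reader;

-- 3. Write path: inherits the read path and adds row-level DML only.
--    No CREATE on the schema, no TRUNCATE, no superuser.
GRANT sales_reader TO sales_writer;
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA sales TO sales_writer;

-- 4. Tables created later in this schema by the role running this script
--    receive the same grants, so new tables do not silently fall outside RBAC.
ALTER DEFAULT PRIVILEGES IN SCHEMA sales
    GRANT SELECT ON TABLES TO sales_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA sales
    GRANT INSERT, UPDATE, DELETE ON TABLES TO sales_writer;

-- 5. Attach global users (already created in this database) to a functional
--    role instead of granting table privileges to each user directly.
GRANT sales_reader TO "analyst@example.com";
GRANT sales_writer TO "etl-owner@example.com";

-- 6. Access review: list every privilege held on the schema, per grantee.
--    Direct grants to individual users showing up here are worth questioning.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'sales'
ORDER BY grantee, table_name, privilege_type;

-- 7. Offboarding: one statement removes everything the role conferred.
REVOKE sales_reader FROM "analyst@example.com";
```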
Removing Users from Data Cloud Roles
Removal Process:
- Navigate to Permission Management
  - Access the Data Cloud permission interface
  - Locate the user to be removed
- Initiate Removal
  - Click the red × icon next to the user's name
  - Review the removal confirmation details
- Confirm Removal
  - Click OK in the confirmation dialog
  - User access will be immediately revoked
Security Best Practices
User Account Management
- Regular Access Reviews: Conduct quarterly reviews of user access and permissions
- Principle of Least Privilege: Grant minimum necessary permissions for each user
- Account Lifecycle: Implement processes for onboarding and offboarding users
- Strong Authentication: Ensure all users have strong passwords and MFA enabled
Role Assignment Guidelines
- Admin Role: Limit to 2-3 trusted individuals maximum
- DevOps Role: Assign to platform engineers and infrastructure teams
- Viewer Role: Default assignment for data consumers and analysts
- Regular Auditing: Track and audit all role assignments and changes
Database Access Controls
- Schema-Based Separation: Use database schemas to logically separate different business domains
- Role-Based Permissions: Create functional roles instead of granting direct permissions to users
- Connection Monitoring: Monitor database connections and query patterns
- Access Logging: Enable audit logging for all database access and operations
Troubleshooting Common Issues
User Registration Errors
Error: ERROR: a role/user named auth@example.com has not been registered yet
Solution:
- Verify the user has registered an account on the Tacnode platform
- Check email address spelling and format
- Ensure the user has completed email verification
Permission Inheritance Issues
Problem: User has Data Cloud role but cannot access databases
Solution:
- Verify database-level permissions have been granted
- Check that the user's global account has been created in the target database
- Confirm the user is connecting to the correct nodegroup and database
Role Assignment Failures
Problem: Cannot assign roles to certain users
Solution:
- Ensure you have admin privileges for the Data Cloud
- Verify the target user's email is correctly registered
- Check for any platform-level restrictions or quotas
Frequently Asked Questions
Q: Can I create custom Data Cloud roles?
A: Currently, Tacnode supports only the three built-in roles (admin, devops, viewer). Custom role creation is not available.
Q: Can I modify the inheritance relationships between roles?
A: The inheritance relationships for system roles cannot be modified. However, you can change role assignments for individual users.
Q: How do I identify which roles a user has inherited?
A: In the permission management interface, users show their direct role assignments. Inherited permissions are indicated in the role hierarchy display.
Q: What happens when a Data Cloud is deleted?
A: All role assignments and permissions associated with the Data Cloud are automatically removed. Users lose access to all resources within that Data Cloud.
This comprehensive global user management system ensures secure, scalable access control across your entire Tacnode platform while maintaining operational flexibility and security best practices.