Global User Management

Global user management in Tacnode provides centralized control over platform-level access and permissions across your entire Data Cloud environment. This system enables administrators to manage user access to Data Cloud instances, databases, and platform services from a single interface.

Understanding Data Cloud Roles

Tacnode uses a hierarchical role system for Data Cloud management, providing different levels of access and capabilities based on organizational needs.

Built-in Data Cloud Roles

RoleFull NameCapabilitiesUse Cases
adminadmin@{id}.datacloudsFull platform administrationCTO, Data Engineering Leaders
devopsdevops@{id}.datacloudsInfrastructure managementDevOps Engineers, Platform Teams
viewerviewer@{id}.datacloudsRead-only platform accessAnalysts, Reporting Users

Role Capabilities Matrix

Admin Role (admin@{id}.dataclouds)

  • Complete Data Cloud instance lifecycle management
  • User and role management across the platform
  • Access to all databases and nodegroups
  • Platform configuration and settings management
  • Billing and subscription management

DevOps Role (devops@{id}.dataclouds)

  • Data Cloud instance operations and monitoring
  • Nodegroup creation, scaling, and management
  • Database deployment and configuration
  • Performance monitoring and troubleshooting
  • Infrastructure automation and scripting

Viewer Role (viewer@{id}.dataclouds)

  • Read-only access to all Data Cloud resources
  • Query execution on all accessible databases
  • Monitoring dashboard and metrics viewing
  • Report generation and data export
  • Documentation and schema browsing

Role Hierarchy and Inheritance

Data Cloud Role Structure

The role hierarchy follows this structure:

  • Admin: Top-level role with complete platform control
  • DevOps: Operations-focused role with infrastructure management
  • Viewer: Read-only role for data consumption and monitoring

Inheritance Rules:

  • Admin role includes all DevOps and Viewer capabilities
  • DevOps role includes all Viewer capabilities
  • Viewer role provides baseline access for data consumption

Managing Data Cloud Permissions

Accessing Permission Management

  1. Navigate to Data Cloud Settings

    • Log into the Tacnode platform
    • Select Data Clouds from the main navigation
    • Choose your specific Data Cloud ID
    • Click Permission Management

  2. View Current Permissions

    • Review existing role assignments
    • Understand current user access levels
    • Identify permission gaps or overlaps

Adding Users to Data Cloud Roles

Step-by-Step Process:

  1. Select Target Role

    • Click Authorize User next to the appropriate role
    • Choose between admin, devops, or viewer based on user needs
  2. Specify User Email

    • Enter the email address of the intended user
    • Ensure the email is registered with the Tacnode platform
    • Verify the user's identity and authorization level
  3. Confirm Assignment

    • Review the role assignment details
    • Click OK to complete the assignment
    • User will receive notification of their new access

Database Access Authorization

After assigning Data Cloud roles, users need database-level access to connect and query data.

Prerequisites for Database Access

  • User must have a registered Tacnode platform account
  • User must be assigned to at least one Data Cloud role
  • Database must be accessible within the Data Cloud

Granting Database Login Permissions

Using Administrator Account:

  1. Connect as Database Administrator

    -- Connect using psql or preferred database client
    psql -h your-nodegroup.tacnode.io -U admin -d your_database
  2. Create Global User Account

    -- For regular users
    CREATE USER "user@example.com";
     
    -- For users requiring administrative privileges
    CREATE USER "admin@example.com" WITH SUPERUSER;

Best Practice: Fine-Grained Authorization

Instead of granting broad permissions, implement role-based access control with specific database roles:

-- Create business-specific schemas
CREATE SCHEMA erp;
CREATE SCHEMA bi;
 
-- Create functional roles
CREATE ROLE bi_full_access;
CREATE ROLE erp_read_only;
 
-- Grant schema-level permissions
GRANT ALL ON ALL TABLES IN SCHEMA bi TO bi_full_access;
GRANT USAGE, CREATE ON SCHEMA bi TO bi_full_access;
 
GRANT SELECT ON ALL TABLES IN SCHEMA erp TO erp_read_only;
GRANT USAGE ON SCHEMA erp TO erp_read_only;
 
-- Assign roles to users
CREATE USER "analyst@example.com";
GRANT bi_full_access TO "analyst@example.com";
GRANT erp_read_only TO "analyst@example.com";

Removing Users from Data Cloud Roles

Removal Process:

  1. Navigate to Permission Management

    • Access the Data Cloud permission interface
    • Locate the user to be removed
  2. Initiate Removal

    • Click the red × icon next to the user's name
    • Review the removal confirmation details
  3. Confirm Removal

    • Click OK in the confirmation dialog
    • User access will be immediately revoked

Security Best Practices

User Account Management

  • Regular Access Reviews: Conduct quarterly reviews of user access and permissions
  • Principle of Least Privilege: Grant minimum necessary permissions for each user
  • Account Lifecycle: Implement processes for onboarding and offboarding users
  • Strong Authentication: Ensure all users have strong passwords and MFA enabled

Role Assignment Guidelines

  • Admin Role: Limit to 2-3 trusted individuals maximum
  • DevOps Role: Assign to platform engineers and infrastructure teams
  • Viewer Role: Default assignment for data consumers and analysts
  • Regular Auditing: Track and audit all role assignments and changes

Database Access Controls

  • Schema-Based Separation: Use database schemas to logically separate different business domains
  • Role-Based Permissions: Create functional roles instead of granting direct permissions to users
  • Connection Monitoring: Monitor database connections and query patterns
  • Access Logging: Enable audit logging for all database access and operations

Troubleshooting Common Issues

User Registration Errors

Error: ERROR: a role/user named auth@example.com has not been registered yet

Solution:

  • Verify the user has registered an account on the Tacnode platform
  • Check email address spelling and format
  • Ensure the user has completed email verification

Permission Inheritance Issues

Problem: User has Data Cloud role but cannot access databases

Solution:

  • Verify database-level permissions have been granted
  • Check that the user's global account has been created in the target database
  • Confirm the user is connecting to the correct nodegroup and database

Role Assignment Failures

Problem: Cannot assign roles to certain users

Solution:

  • Ensure you have admin privileges for the Data Cloud
  • Verify the target user's email is correctly registered
  • Check for any platform-level restrictions or quotas

Frequently Asked Questions

Q: Can I create custom Data Cloud roles? A: Currently, Tacnode supports only the three built-in roles (admin, devops, viewer). Custom role creation is not available.

Q: Can I modify the inheritance relationships between roles? A: The inheritance relationships for system roles cannot be modified. However, you can change role assignments for individual users.

Q: How do I identify which roles a user has inherited? A: In the permission management interface, users show their direct role assignments. Inherited permissions are indicated in the role hierarchy display.

Q: What happens when a Data Cloud is deleted? A: All role assignments and permissions associated with the Data Cloud are automatically removed. Users lose access to all resources within that Data Cloud.

This comprehensive global user management system ensures secure, scalable access control across your entire Tacnode platform while maintaining operational flexibility and security best practices.