
How to share a datasource to all users? I can't really find a good way to do that.

We have an SSO-integration setup towards (A)AD, but have little control over that. Not sure if I could use the local identity provider and create a group that includes all (domain and/or local) users.

The best solution would be to concentrate the permission management on the AD server, but if that’s not so easy you can also create a local group and add SAML users and local users/groups to that local group. It is not possible to add a SAML group as a subgroup of the local group.

The big disadvantage of this approach is that it requires you to add all users manually to that local group, which can become cumbersome.

An easier way to give all users access to 1 data source is to create an ACL for that data source and add the full “local” group and all existing SAML groups. 

The members of that ACL would look like this.

 


Local groups are not really a feasible option due to security requirements.

We have about 80 groups in total (1 for each plant), so that would mean authorizing 80 groups on a datasource. Creating a group on the (A)AD side has a lot of impact on our authorization process, so that's not the easiest route overall.

Out of interest:

  1. How does access then work to e.g. the demo tags? Is that in some way hardcoded?
  2. I assume that NOT adding security to a datasource means no one can access the data from that datasource?

It would be a great idea to add a “public” option on datasources, to allow access to anyone.


On the TrendMiner side, all the SAML groups are bundled under the SSO name. So in my example “SAML-Azure” contains all groups from that provider. So in your case it would contain all 80 SAML groups. So if you add the complete top-level group there is no need to add all 80 groups separately per data source, nor is it required to create a new group on your server.

SAML-CS-3 in my example is a second SSO connection, which might be a bit less common and therefore maybe somewhat confusing here.

About your other questions:

  1. Yes, demo tag permissions are hardcoded.
  2. System admins will always have permissions to all data sources by default (since they can access ConfigHub and assign permissions to themselves anyway). For all other users explicit permissions are required indeed.

The ‘public’ option is a nice idea. Feel free to share it with our product team: 

 

But that being said, the ‘public’ share can quite easily be simulated by assigning the permission to the full local group and all top-level SAML groups like I shared above.


Hi, the top-level SAML group using the SAML name is just what I need. Thanks!