One key benefit of RapidMiner Server is the ease and granularity of user management. User management is part of the Administration menu of the RapidMiner Server web interface:
You register users to the server and assign them to groups. By assigning permissions to a group, those rights are propagated to all the group's users. In addition:
- A user can belong to one or more groups. By default, each user is assigned to several predefined groups for easy management
- There are special user designations for administration and anonymous access
- You can assign access rights from either RapidMiner Server or RapidMiner Studio.
The following sections define the terms used in RapidMiner Server user management.
What is a user and what is a group?
A user is an individual registration for using RapidMiner Server. Each user must be added individually. A user is assigned to RapidMiner Server's predefined groups and can then be assigned to any number of admin-created groups. When a user is assigned to multiple groups with access to a resource, the more permissive access rights take precedence. Note that a user may be software, as is the case with web services, in which the software querying RapidMiner Server is the user; this type of user also needs an account and access rights.
A group in RapidMiner Server is a collection of users with the same access rights; different groups can distinguish between purposes. For example, you can add all members of the sales team to a project-specific group and provide them all with rights to the data, connections, and web apps related to that project. Or, you could create two Sales groups, one with full and one with limited access to those same resources. With user groups, you only have to assign user rights once and then add or remove defined users, allowing you to assign permissions to more than one person at a time.
Whether to start by creating users or creating groups is really a "chicken or the egg" question. Either way is equally efficient. You can view configured users and groups by clicking the appropriate tab in the User Management page:
There are two methods for adding users to a group:
- From within the group configuration, add users (add users to a group)
- From within the user configuration, add groups (add groups to a user configuration)
Defining access rights
Access rights in RapidMiner Server control access to processes and data (any entry in the server repository), and are defined as follows:
|Read (View)||The user can only read (view) data.|
|Write||The user can modify data.|
|Execute||The user can execute any process within the project that the right applies to. This setting is only applicable to web services.|
|Ignore||The user inherits permissions from the folder or parent. That is, do not explicitly grant or reject.|
|Grant||Allows access to this resource by the specified group.|
|Reject||Prohibits the specified group from accessing this resource. Any member of the denied group having Grant privileges in a different group will still have access.|
The following are some general points about access rights:
- Access to a resource requires access to the resource itself and to all folders above.
- A user needs Execute rights to run web services.
- A user needs Read (and potentially Write) permissions to run scheduled executions or web apps.
Propagating rights over directories and groups
Access rights are always based on the group(s) a user belongs to. If a user belongs to a group with the needed permission to a resource, they will have access to that resource. Access takes precedence over denial when group permissions conflict. So, if a user is in two groups, and, for example, one group is explicitly permitted to a resource and one group is explicitly denied — the permissions take precedence and the user will have access.
Every process execution (scheduler, web service, web apps) is triggered by a user and, therefore, every execution is linked to that user's specified access rights. All resulting actions of an execution require the user to have the appropriate rights. If a process needs to write data to a location, for example, the user needs the specified write permissions to that location. If a user triggers a web service that does not have the defined execute permission, the service request is terminated.
You create a RapidMiner Server user from the Administration > User Management page. Click User Management to display a list of configured users and their assigned groups. Initially, you see only the admin user.
Creating a user account
When you create a user, RapidMiner Server creates a folder for that user in the installation /home directory (the repository). To create a new user:
Click Add user in the Actions box on the right side of the screen.
Complete the fields of the resulting Add user dialog:
Field Description Username Required. This is the name you assign to the user, used internally by RapidMiner Server. Password/Repeat password Required. Enter (and repeat) a password to assign to the user. The password must be a minimum of eight alphanumeric characters. Special characters are allowed. Display name This is the name RapidMiner Server displays to represent the user. If not supplied, RapidMiner Server displays the value for Username. Email address Enter the user's email address. This is the address that RapidMiner Server uses to send email notifications based on triggers, process results, and password resets.
When you complete the fields, click Submit. The dialog returns with empty fields for the next addition and displays a message that the user was created. The user is added, alphabetically by username, to the User List.
Enter each additional user. When finished adding users, click the small in the upper right corner.
Changing user account information
To change the configuration for a created user:
From the User List tab of the Administration > User Management page, click on the name of a user you wish to update in the Username column. A dialog appears.
Update any of the following fields and click Submit.
- display name
Please note that LDAP users and SAML users cannot change their display name, email, passwords. Display name and email are synchronized automatically from LDAP and SAML server at every logon. Passwords for these accounts must be changed in the LDAP/SAML service the user is associated with.
You can also manage group membership from this dialog.
Changing groups in a user configuration
This section describes adding or removing groups in a user configuration. You can also add users to a group.
Once you have created a user, add created groups to it from the Administration > User Management page. (RapidMiner Server adds six predefined user groups and a <username> group automatically.) To add groups to a user:
From the User List tab, click on the name of a user in the Username column. The group management dialog appears.
(You can also change user configuration from this dialog.)
The lower Groups column lists configured groups the user is not part of (left side) and groups that the user is assigned to (right side). Manage group assignments by moving groups between the sides.
To move a group, click Copy to assign or click Remove to remove the user from the selected group. Alternatively, add (or remove) all listed groups to the user configuration with the Copy All or Remove All buttons.
Click Submit to add the group to the user configuration.
Please note that users can't be added to Mirror groups. Mirror group membership is managed automatically.
RapidMiner Server returns to the User List display.
Deleting a user account
To delete a user account, simply click the Delete icon next to the username and click OK when prompted.
RapidMiner Server uses groups to simplify administration. Instead of allowing or denying access to a resource on a user-by-user basis, simply assign a user to a group, and control each group's access.
Creating a group is nothing more than defining a tag that you can apply to users. You assign different privileges for each resource that the group should access. In this way, you can allow a group to have, for example, read access to a web app but write access to a data set.
You create a RapidMiner Server group from the Administration > User Management page. To create a group:
Click Add groups in the Actions box on the right side of the screen:
Enter a group name and, optionally, a description for the new group.
Click Submit. If you then select the Groups tab, you can see the group listed.
Notice in the image above, the user defined groups hava a Delete icon for removing the group. (The predefined groups do not because they cannot be deleted.) To delete a group, simply click the .
Adding users to a group
This section describes adding users to a group. You can also add groups to a user configuration.
Once you have created a group, add configured users to it from the Administration > User Management page. To add users:
From the Groups tab, click on the name of the group in the Group name column. A dialog for adding members appears.
Select a user name in the left Members column.
Double-click the username or click Copy to move the user to the right column. (To remove users, highlight the name in the right column and double-click or click Remove. Note that the removed users are then listed at the end of the Members register.)
Additional actions include:
- add all listed users to the group with the Copy All button (or delete all users from the group with Remove All).
- assign all future users automatically by checking the New users are assigned to this group automatically box.
- Change the group's description (displayed in the group list on the Groups tab) by editing the text in the description box.
Click Submit to add the user to the group.
Please note that LDAP/SAML authenticated users appear only after a successful first login on the list of available users, but they can be assigned to groups as any other local users.
RapidMiner Server returns to the User List display.
Predefined user groups
RapidMiner Server comes preconfigured with six special user groups. Every user is automatically added to each of these groups and a seventh group, <username>, containing only that user. You can remove a user from any group except the <username> group.
The predefined groups are defined below:
|User||All configured users on the instance of RapidMiner Server are part of this group.|
|Administrator||Members have access to everything (files, web apps, connections, configuration).|
|Analyst||Members can connect to RapidMiner Server via RapidMiner Studio and can connect to the admin web interface (/RA). A user who is not part of this group cannot access the admin web interface or connect via RapidMiner Studio. Access to resources and services is dependent on the rights granted to Analyst on the specific object.|
|Execute||Members can execute processes on RapidMiner Server either from RapidMiner Studio (by clicking on the Run Remote Now button) or from RapidMiner Server directly (when opening a process entry via the repository web interface). Users do not need to be part of the Execute group to view reports.|
|Report viewer||Members can view web apps (read access only), but must also have read access to the corresponding database connection. Additionally, users must be part of the Report viewer group to access the App Designer web interface.|
|Report editor||Members can edit web apps (read and write access). Additionally, Report editors can create new apps and ad-hoc reports and edit style bundles.|
|Report manager||Members can manage web apps and domains.|
|Scheduler||Members can create triggers in the process scheduler on RapidMiner Server (via RapidMiner Studio or the web UI), but must also have read access to the corresponding database connection.|
|Service||Members can create web services.|
|<username>||A group containing only the named user.|
Regular groups can be turned to mirror groups to enable automatic LDAP/SAML user management. If a group is turned to mirror group then you can no longer assign users to them directly. You can find more information about LDAP authentication, SAML authentication, and managing mirror groups in the documentation.