Security Settings

Security Settings lets admin users configure general and dataset security settings in Data Quality & Observability Classic.

By default, all security settings are turned off. When a setting is off, no role checks are enforced, and all authenticated users can access the feature. If you turn a setting on, role checks are activated, and users without the required role are blocked from accessing the feature.

Tip Before enabling a new security setting, assign the required role to existing users to prevent immediate access interruptions. You can manage role assignments in Admin > User Management > Role Management.

General

Setting Description

Local user store enabled Allows you to create and administer users stored in the internal Metastore.
After enabling or disabling this setting, you must restart Data Quality & Observability Classic. For more information, go to Local User Store Authentication.

Auto approve users

Automatically approves local users upon sign-in.

When enabled, the accounts of new users are enabled, unlocked, and have ROLE_PUBLIC automatically assigned to them.

When disabled, the accounts of new users are disabled, locked, and do not have any roles assigned to them. Another user with ROLE_ADMIN, ROLE_USER_MANAGER, or ROLE_OWL_ROLE_MANAGER must grant the new user account at least one role before the new user can sign in to Data Quality & Observability Classic.

Warning Enabling this allows anyone who can reach the login page to create a working account immediately.

DB connection security

Restricts who can create, edit, and use database connections. When enabled, only users with ROLE_CONNECTION_MANAGER or ROLE_ADMIN can manage connections.

Note Any user with those mapped roles can see the connection in the Data Quality & Observability Classic application.

DQ job security

Makes ROLE_OWL_CHECK a requirement for users to run DW jobs. ROLE_ADMIN and ROLE_OWL_CHECK are the only roles that can run DQ jobs when DQ job security is enabled.

Note The Require Connection Access setting depends on this setting. If DQ job security is turned off, the Require Connection Access setting has no effect.

Show table

DQ job security	Dataset security	User role	DQ job access level
Enabled	Disabled	No role	Cannot create Cannot run Cannot schedule
Enabled	Enabled	A role other than ROLE_ADMIN or ROLE_OWL_CHECK assigned to the dataset	Cannot create Cannot run Cannot schedule
Enabled	Enabled	ROLE_ADMIN and/or ROLE_OWL_CHECK	Can create Can run Can schedule

Require Connection Access

When DQ job security and Require Connection Access are enabled, ROLE_ADMIN or ROLE_OWL_CHECK must be assigned to both the user and connection for the user to run, schedule, and create DQ jobs on the connection.

Note This setting depends on the DQ job security setting. If DQ job security is turned off, the Require Connection Access setting has no effect.

Enable Integration Management for Connection Users When enabled, users with roles mapped to specific connections can view and configure integration settings for only those connections they have access to. Non-admins can access the Integration Setup page based on their existing connection role mappings.

Allow temp file upload for DQ job Allows users to upload temporary files from their local machines to use as data sources in Explorer.

Set token expiration duration

Sets the expiration duration of the authentication token for DQ client API calls. If an API call is made and the token has reached the time limit, the API response is 401. The default setting is one hour.

To change the duration, modify the following command in owl-env.sh:

Copy

export JWT_TOKEN_EXPIRY_TIME=3600000

The time is specified in milliseconds (ms). In this example, 3600000 milliseconds=60 minutes.

Dataset Security

Important Dataset Security settings are additive, and, depending on which options are enabled, may affect the behavior of roles. If a user unexpectedly encounters an Access Denied error, compare the roles associated with the user account with the combination of restrictions enabled under Dataset Security.

Setting	Description
Dataset security	When enabled, if a user does not have a full permission role granting them the ability to perform specific tasks, they cannot perform them. Enabling this without first granting users access to datasets will lock them out immediately. The following list shows specific tasks that dataset security can prevent users without the correct full permission role from performing: Run DQ jobs Manage rules View DQ job findings Preview data Take action on DQ job findings Train datasets Mask columns View assignments Assign business units and data categories In the list above, a single role encompassing all tasks does not exist. Instead, multiple roles must be mapped to relevant datasets as full permission roles to allow users to perform all listed tasks. Users with ROLE_ADMIN or ROLE_DATASET_MANAGER can map roles to datasets as full permission roles on the Dataset Management page.
Enable ACLs for dataset access	When access control list (ACL) is enabled, administrators can configure the following options to limit usage/permissions on datasets: DATA_PREVIEW DATASET_TRAIN DATASET_RULES DATASET_ACTIONS ACLs turn on the following access levels: Full Read Partial If you select Partial for a dataset, the following further permissions can be individually turned on or off: Enable Data Preview Access Enable Training Enable Rules Create/Edit However, the above permissions only affect a user's access/functionality unless the corresponding global security settings are also enabled: Require DATA_PREVIEW role to see source data Require DATASET_TRAIN role for dataset training access Require DATASET_RULES role for dataset rule create/edit access Tip Dataset security must be enabled for this setting to be meaningful.
Require DATA_PREVIEW role to see source data	When enabled, only users with ROLE_DATA_PREVIEW can: Preview source data on the Findings, Profile, and Rules pages. Access the Copy Results and Download Results buttons in the SQL query editor. Access the Visualize function in the Row Filter option of the Select Rows step in Explorer. Note The ability to run queries is controlled separately by ROLE_VIEW_DATA.
Require DATASET_TRAIN role for dataset training access	When enabled, only users with ROLE_DATASET_TRAIN can train datasets, which includes the ability to adjust the scoring model, modify thresholds of Adaptive Rules, and validate, invalidate, or resolve data quality findings. Without training access, adaptive monitors will not learn from new data.
Require DATASET_RULES role for dataset rule create/edit access	When enabled, only users with ROLE_DATASET_RULES can manage rules. Note ROLE_DATA_PREVIEW is also required to manage rules.
Require TEMPLATE_RULES role to add, edit, or delete a rule template	When enabled, only users with ROLE_TEMPLATE_RULES or ROLE_ADMIN can manage template rules. Users without ROLE_TEMPLATE_RULES or ROLE_ADMIN can view the list of template rules, but cannot add, edit, or delete them.
Require DATASET_ACTIONS role for dataset management actions	When enabled, only users with ROLE_DATASET_ACTIONS can edit jobs, rename, publish, assign data categories and business units, and enable integrations from the Dataset Manager. These permissions are also accessible by users with the ROLE_ADMIN and ROLE_DATASET_MANAGER roles. Note Users with this role can rename the dataset but not the dataset alias.
Require DATA_EXPORT role to export rule breaks	When enabled, all users, including administrators, must have the ROLE_DATA_EXPORT role to use export functions.
Require INSIGHTS_VIEWER role to view scorecards and reports	When enabled, only users with the ROLE_INSIGHTS_VIEWER role can access scorecards and reports, including sub-pages. Important Enabling this without assigning the role blocks all reports and scorecards for that user.
Default owner dataset access	When enabled, the user who creates or runs a dataset automatically receives owner-level access to it, even if dataset-level security is turned on. This ensures that users are not locked out of the datasets they create. It is recommended to keep this setting enabled when Dataset Security is turned on.