User identity management
This article only applies to Docker and Kubernetes installations.
By default, users can authenticate themselves using the Linksight Identity Provider, which offers various sign-in methods, such as Microsoft, GitHub or using a magic link. All users signing into the Governance Hub will be offered these sign-in methods.
For the local installation of the Analysis Hub, we allow different kinds of identity providers.
Analysis Hub identity providers
The following identity providers are supported in the Analysis Hub:
- Linksight Identity Provider through https://auth.linksight.network (default)
- Microsoft Identity Provider
- GitHub Identity Provider
- Microsoft OIDC Provider
- Custom OIDC Provider
- Local credentials (username/password)
Linksight Identity Provider
By default, the Analysis Hub will use the Linksight Identity Provider to allow users to sign in. This offers seamless user management where all users and user roles set in the Governance Hub will be automatically used in the Analysis Hub.
Microsoft OIDC Provider
The Microsoft OIDC Provider can be used to manage users in the Analysis Hub.
Required OIDC scopes: openid, email, profile
The following settings need to be configured in the Analysis Hub configuration:
Docker Compose:
ANALYSISHUB_AUTH_PROVIDER=microsoft
ANALYSISHUB_AUTH_OIDC_MICROSOFT_TENANTID=<tenant_id>
ANALYSISHUB_AUTH_OIDC_MICROSOFT_CLIENTID=<client_id>
ANALYSISHUB_AUTH_OIDC_MICROSOFT_CLIENTSECRET=<client_secret>
Kubernetes:
analysisHub:
  backend:
    config:
      auth:
        provider: microsoft
        oidc:
          microsoft:
            tenantID: <tenant_id>
            clientID: <client_id>
            clientSecret: <client_secret>
Microsoft users can be managed in the Governance Hub, and will be listed as local users. Read the User Management section for more information.
Set up using Entra ID
- Go to https://entra.microsoft.com and sign in.
- Go to Identity > Applications > App registrations.
- Click on New registration.
- Set up the application.
  - Supported account types: Accounts in this organizational directory only (XXX only - Single tenant)
  - Redirect URI: Web + https://<analysis-hub-host>/auth/callback
- Click on Register.
- Go to Overview.
  - The Directory (tenant) ID is the tenant_id
  - The Application (client) ID is the client_id
- Go to Certificate & secrets.
- Create a new client secret.
  - The provided value is the client_secret
Custom OIDC Provider
A custom OIDC Provider can be used to manage users in the Analysis Hub.
Required OIDC scopes: openid, email, profile
The following settings need to be configured in the Analysis Hub configuration:
Docker Compose:
ANALYSISHUB_AUTH_PROVIDER=customoidc
ANALYSISHUB_AUTH_OIDC_CUSTOM_ISSUERURL=<issuer_url>
ANALYSISHUB_AUTH_OIDC_CUSTOM_CLIENTID=<client_id>
ANALYSISHUB_AUTH_OIDC_CUSTOM_CLIENTSECRET=<client_secret>
Kubernetes:
analysisHub:
  backend:
    config:
      auth:
        provider: customoidc
        oidc:
          custom:
            issuerUrl: <issuer_url>
            clientID: <client_id>
            clientSecret: <client_secret>
Custom OIDC users can be managed in the Governance Hub, and will be listed as local users. Read the User Management section for more information.
Local credentials (username/password)
Users can be managed with local credentials (username/password).
The following settings need to be configured in the Analysis Hub configuration:
Docker Compose:
ANALYSISHUB_AUTH_PROVIDER=localdb
ANALYSISHUB_AUTH_LOCALDB_ADMIN_USERNAME=<username>
ANALYSISHUB_AUTH_LOCALDB_ADMIN_PASSWORD=<password>
Kubernetes:
analysisHub:
  backend:
    config:
      auth:
        provider: localdb
        localdb:
          admin:
            username: <username>
            password: <password>
Local credential users can be managed in the Governance Hub, and will be listed as local users. Read the User Management section for more information.
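As an added example (not Linksight's own tooling), the following Python check validates a Docker Compose environment file against the settings listed in the three provider sections above before deployment. It assumes that an unset ANALYSISHUB_AUTH_PROVIDER means the default Linksight Identity Provider; the function names, the https rule for the issuer URL, and the sample values are this example's own.

```python
# Added example: variable names and provider values are taken from this page;
# the function names and check rules are assumptions of the example.
from urllib.parse import urlparse

P = "ANALYSISHUB_AUTH_"
REQUIRED = {  # provider value -> settings this page lists for it
    "microsoft": [P + "OIDC_MICROSOFT_" + s for s in ("TENANTID", "CLIENTID", "CLIENTSECRET")],
    "customoidc": [P + "OIDC_CUSTOM_" + s for s in ("ISSUERURL", "CLIENTID", "CLIENTSECRET")],
    "localdb": [P + "LOCALDB_ADMIN_" + s for s in ("USERNAME", "PASSWORD")],
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def check_auth_config(text):
    """Return a list of problems; an empty list means nothing was flagged."""
    env = parse_env(text)
    provider = env.get(P + "PROVIDER")
    if provider is None:
        return []  # assumption: unset means the default Linksight Identity Provider
    if provider not in REQUIRED:
        return [f"provider {provider!r} is not covered by this check"]
    problems = []
    for key in REQUIRED[provider]:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still holds the placeholder {value}")
        elif key.endswith("ISSUERURL"):
            url = urlparse(value)  # OIDC issuer identifiers use the https scheme
            if url.scheme != "https" or not url.netloc:
                problems.append(f"{key} must be an absolute https:// URL")
    return problems

# Constructed sample input (not a real deployment).
SAMPLE = """ANALYSISHUB_AUTH_PROVIDER=customoidc
ANALYSISHUB_AUTH_OIDC_CUSTOM_ISSUERURL=http://idp.example.internal/realms/hub
ANALYSISHUB_AUTH_OIDC_CUSTOM_CLIENTID=analysis-hub
ANALYSISHUB_AUTH_OIDC_CUSTOM_CLIENTSECRET=<client_secret>
"""
if __name__ == "__main__":
    print("\n".join(check_auth_config(SAMPLE)) or "OK")
```

For the constructed sample it reports the plain-http issuer URL and the client secret that was left as a placeholder.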
User management
All users and local users (except the local credentials) are managed in the Governance Hub. When a new local user logs into the Analysis Hub, the user is automatically added to your organization without any roles.
For local credentials, users with the Organization admin role can create and remove users in the Analysis Hub on the Users page.
To assign roles to the local user, go to the Users page in the Governance Hub.
User creation
User creation differs depending on the chosen identity provider.
Linksight IdP:
- Go to the Users page in the Governance Hub.
- Click on Invite.
- Complete the form.
- Click on Invite.
- Ask the user to sign into the Governance Hub and accept the invitation.
Microsoft IdP:
- Ask the user to sign into the Analysis Hub using their Microsoft credential.
- Check if the user appears as Local user on the Users page in the Governance Hub.
- Follow the steps to assign roles to the new user.
Custom OIDC IdP:
- Ask the user to sign into the Analysis Hub using their Custom OIDC credential.
- Check if the user appears as Local user on the Users page in the Governance Hub.
- Follow the steps to assign roles to the new user.
Local credentials:
- Sign into the Analysis Hub (requires Organization admin role).
- Go to the Users page.
- Click on Add user.
- Complete the form, and click on Create.
- Copy the invite link, and send the link to the user to reset their password.
- Check if the user appears as Local user on the Users page in the Governance Hub.
- Follow the steps to assign roles to the new user.
Role assignment
These steps require the Organization admin role.
To assign roles to an existing (local) user:
- Go to the Users page in the Governance Hub.
- Locate the (local) user, and click on the three dots on the right.
- Click on Update roles.
- Assign one or multiple roles to the user.
- Click on Save.
Link local users to Linksight Identity Provider users
Linking local users to Linksight users allows the local user to automatically inherit all roles from the Linksight user.
These steps require the Organization admin role.
To link a local user to a Linksight user:
- Go to the Users page in the Governance Hub.
- Locate the local user, and click on the three dots on the right.
- Click on Link to user.
- Choose the local user you would like to link.
- Click on Save.