Occasionally, administrators prefer to manage access to the underlying data directly within the database for groups of users. This is typically done by creating user roles, which then map to certain sets of users at the company.
Omni can leverage this structure as well, to help enforce security more broadly by relying on the RBAC defined within the database. This configuration assumes the same underlying data structure across these roles, with some potentially being a subset of others but none existing outside the bounds of the primary database connection.
To do so, you must configure the following setup:
- Create a primary connection, which should be the superset of all other roles or permissions that you will be looking to leverage
- Create an additional connection for each additional role you would like to map to a database user role. Each role will need its own service account in the database.
- On the primary connection settings page, navigate to the environments tab
- Add the other connections as environments to the primary connection
- Enable the "Allow environments to be assigned dynamically" toggle
- Assign a user attribute that associates each user with the proper connection
- Delete the models that may have been created for any connection that is not the primary connection
The final component is configuring a user attribute for each user in Omni, mapping them to the proper connection representing their given role in the database. This can best be done using an identity provider such as Okta and leveraging SCIM, or can be configured either via API or manually.
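
The database side of the first two steps could look like the following. This is an added example, not taken from Omni's documentation; it assumes PostgreSQL, and the schema, table, role and service account names are all hypothetical. It ends with an audit query for the requirement that no role holds access outside the bounds of the primary connection.

```sql
-- Assumes PostgreSQL. All names below are hypothetical placeholders.

-- Group roles hold the privileges; they cannot log in themselves.
CREATE ROLE analytics_all   NOLOGIN;  -- superset, backs the primary connection
CREATE ROLE analytics_sales NOLOGIN;  -- subset, backs one additional connection

GRANT USAGE ON SCHEMA analytics TO analytics_all, analytics_sales;

-- The primary role can read every table in the schema.
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO analytics_all;

-- The restricted role can read only the tables it needs.
GRANT SELECT ON analytics.orders, analytics.customers TO analytics_sales;

-- One login service account per connection, each inheriting exactly
-- one group role. Supply real passwords from your secret store.
CREATE ROLE omni_primary_svc LOGIN PASSWORD '<placeholder>' IN ROLE analytics_all;
CREATE ROLE omni_sales_svc   LOGIN PASSWORD '<placeholder>' IN ROLE analytics_sales;

-- Audit: table privileges the restricted role has that the primary
-- role lacks. Run as the granting owner or a superuser.
-- Any returned row means the restricted role reaches outside the
-- bounds of the primary connection and should be corrected.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'analytics_sales'
EXCEPT
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'analytics_all';
```

Repeat the restricted role, service account and audit query for each additional connection you add as an environment.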