Access Level Authorization Operations


Access Level Authorization

A Soda user obtains authorization to work at an access level by logging in and selecting one of the access levels that they are entitled to have. Their entitlements are set by source administrators.

When a Soda user runs a program that uses the Soda API, the API methods execute at the user's access level.

When a program uses the Virtual Data Lake API, it can present a credential with its secret key to execute at the access level associated with the credential. Source administrators can manage credentials.

Access Level Entitlements

A source admin can authorize a user to have an access level in two ways:

  • By giving an entitlement to the user with a specific identity from an identity provider (an identity entitlement)
  • By giving entitlements to all users with an access level assigned by an identity provider, or to all users with identities from a provider (a provider-level entitlement).

A source admin can add, edit or remove an identity entitlement, and can add, edit or remove a provider-level entitlement.

Add an Identity Entitlement

On the Access Level page for an access level, when logged in with source admin access level:

  1. Click the Add button in the Entitled Entities section
  2. Choose the identity provider that will provide the identity
  3. Enter the provider's unique identifier for the identity
  4. Enter the name by which the user with that identity will be known
  5. Click the Proceed button

Edit an Identity Entitlement

On the Access Level page for an access level, when logged in with source admin access level:

  1. Click the Edit button for the entitlement that you want to change
  2. Choose the identity provider that will provide the identity, if you want to change it
  3. Enter the provider's unique identifier for the identity, if you want to change it
  4. Enter the name by which the user with that identity will be known, if you want to change it
  5. Click the Proceed button

Remove an Identity Entitlement

On the Access Level page for an access level, when logged in with source admin access level:

  1. Click the Remove button for the entitlement that you want to remove
  2. A confirmation dialog will appear. Click OK

Add a Provider-Level Entitlement

On the Access Level page for an access level, when logged in with source admin access level:

  1. Click the Add button in the Implying Provider Levels section
  2. Choose the identity provider that will provide the identity
  3. Enter the name of the provider-assigned level, or * if the entitlement is for all users with levels from the provider
  4. Click the Proceed button

Edit a Provider-Level Entitlement

On the Access Level page for an access level, when logged in with source admin access level:

  1. Click the Add button for the entitlement that you want to change
  2. Choose the identity provider that will provide the identity, if you want to change it
  3. If you want to change it, enter the name of the provider-assigned level, or * if the entitlement is for all users with levels from the provider
  4. Click the Proceed button

Remove a Provider-Level Entitlement

On the Access Level page for an access level, when logged in with source admin access level:

  1. Click the Remove button for the entitlement that you want to remove
  2. A confirmation dialog will appear. Click OK

Credentials

A credential is a resource that is associated with an access level and can be used by a program to execute a virtual data lake API method at that access level. It is represented by an item in the same source as the access level that it is associated with. To gain authorization to execute at the access level, the program presents the credential with a secret key. Credentials are managed by source admins.

Credentials Admin

A credential that is associated with an access level provides authorization for a program to execute at that access level.

A source admin can create and delete credentials, and generate their secret keys. The secret keys are displayed to the admin when they are generated, but cannot be retrieved after that. They are not stored in the virtual data lake. Hash digests are stored in the virtual data lake, and are used to validate keys supplied to API calls.

Create a Credential

On the Access Level page for the access level that the credential will be associated with, when logged in with source admin access level:

  1. Click the Add icon in the Credentials section
  2. A confirmation dialog will appear. Click the Proceed icon
  3. The identifier of a new credential will appear in the Credentials section, and a message will show the credential's secret key. Make a secure note of the identifier and the key.
  4. The message will disappear when you refresh the page or navigate away from it.

Delete a Credential

On the Access Level page for the access level that the credential is associated with, when logged in with source admin access level:

  • Click the Remove icon for the credential that you want to delete
  • A confirmation dialog will appear. Click OK.
  • The credential will be deleted and its identifier will disappear from the Credentials section.

Generate a Secret Key

A secret key is generated automatically when a credential is created. You may wish to generate a new key periodically, as a security measure. You may also wish to generate a new key if the previous one is lost. When a new key is generated, it is effective immediately, and the previous one immediately becomes invalid.

To generate a secret key, on the Access Level page for the access level that the credential is associated with, when logged in with source admin access level:

  1. Click the Edit icon for the credential for which you want to generate a new key
  2. A confirmation dialog will appear. Click the Proceed icon
  3. A message will show the credential's secret key. Make a secure note of it.
  4. The message will disappear when you refresh the page or navigate away from it.
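
The digest-only storage described under Credentials Admin and the immediate invalidation described under Generate a Secret Key can be modelled as follows. This is an added example in Python, not the virtual data lake's own code. The class and method names, the SHA-256 digest and the key format are assumptions, since the page does not say which hash or key length the product uses.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import uuid


class CredentialStore:
    """Illustrative model: keeps only a digest of each credential's secret key."""

    def __init__(self):
        # credential id -> (access level, hex digest of the current secret key)
        self._records = {}

    @staticmethod
    def _digest(secret_key: str) -> str:
        # Assumption: SHA-256. A fast hash is acceptable only because the key
        # is 256 bits of random data, not a human-chosen password.
        return hashlib.sha256(secret_key.encode("utf-8")).hexdigest()

    def _issue_key(self, credential_id: str, access_level: str) -> str:
        secret_key = secrets.token_urlsafe(32)
        # Only the digest is kept, so the key cannot be retrieved later.
        self._records[credential_id] = (access_level, self._digest(secret_key))
        return secret_key

    def create(self, access_level: str) -> tuple[str, str]:
        """Create a credential; the returned key is shown once and not kept."""
        credential_id = uuid.uuid4().hex
        return credential_id, self._issue_key(credential_id, access_level)

    def rotate(self, credential_id: str) -> str:
        """Generate a new key; replacing the digest invalidates the old key at once."""
        access_level, _ = self._records[credential_id]
        return self._issue_key(credential_id, access_level)

    def delete(self, credential_id: str) -> None:
        self._records.pop(credential_id, None)

    def authorize(self, credential_id: str, secret_key: str) -> str | None:
        """Return the credential's access level if the key is valid, else None."""
        record = self._records.get(credential_id)
        if record is None:
            return None
        access_level, stored = record
        # Constant-time comparison avoids leaking digest prefixes through timing.
        if hmac.compare_digest(stored, self._digest(secret_key)):
            return access_level
        return None
```

Because only one digest is held per credential, a program still using the previous key fails authorization as soon as a new key is generated, so distribute the new key to the program as part of the same change.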