User Management in KEDL
Effective user management is essential for maintaining data security and ensuring seamless data operations within KeyCore Enterprise Data Lake (KEDL). In this article, we will explore the process of managing different types of users in KEDL, including creating initial governance users, adding users via Cognito User Pool and Azure AD, and understanding the user storage and validation mechanisms.
1. User Types in KEDL
As mentioned in the previous article, KEDL distinguishes three main user types: Owners, Stewards, and Members. Each user type holds specific roles and responsibilities within the Data Lake:
Owner: Owners have the highest level of privilege in KEDL as they create datasets and have administrative control over them. They can assign stewards to datasets, approve user access requests, and oversee data governance.
Steward: Stewards act as gatekeepers for dataset access. They review and approve user access requests to specific datasets, ensuring compliance and security measures are met before granting access.
Member: Members are users who work with the data products in the Data Lake. They can be assigned different profiles, each defining their data access capabilities, such as read-only or write access.
2. Creating Initial Governance Users
To bootstrap user governance in KEDL, the first governance user must be created. This user has administrative privileges to manage other users. Because no governance user exists yet at this point, the initial user is created out of band by sending an event from the AWS EventBridge console as an administrative AWS principal. Note that any principal allowed to put events on this bus can create a governance user the same way, so the events:PutEvents permission on kedl_event_bus should be restricted to administrators.
Go into AWS EventBridge in the console and send an event to the kedl_event_bus, with event source = kedl.frontend, detail type = Create User and detail =
    {
      "action": {
        "name": "<Full Name>",
        "user_name": "<email address>",
        "assume_roles": [],
        "trust_accounts": [],
        "governance": true,
        "sagemaker": false,
        "idp": "<CUP|AAD>"
      },
      "connection_id": "NA"
    }
For idp you have to choose either CUP (Cognito User Pool) or AAD (Azure AD).
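The same event can be sent with the AWS SDK instead of the console. The following is an added example, not KEDL's own code: it builds the PutEvents entry in the shape boto3 expects, rejects an unknown idp value or a malformed user_name before anything reaches the bus, and treats a non-zero FailedEntryCount in the response as a failure (EventBridge returns HTTP 200 even when individual entries are rejected). The bus name, source, detail type and detail fields come from the article; the helper names, the email check and the injectable client are this example's own assumptions.

```python
"""Build and send the KEDL "Create User" EventBridge event.

Added example, not KEDL's own code. Bus name, source, detail type and the
detail schema follow the article; validation rules and helper names are
assumptions made here for illustration.
"""
import json
import re
from typing import Any, Dict, Optional, Sequence

EVENT_BUS = "kedl_event_bus"
EVENT_SOURCE = "kedl.frontend"
DETAIL_TYPE = "Create User"
VALID_IDPS = ("CUP", "AAD")
# Assumed sanity check: user_name is documented as an email address.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_create_user_entry(
    name: str,
    user_name: str,
    idp: str,
    *,
    governance: bool = False,
    sagemaker: bool = False,
    assume_roles: Sequence[str] = (),
    trust_accounts: Sequence[str] = (),
) -> Dict[str, str]:
    """Return one PutEvents entry for the Create User event.

    Detail is serialised to a JSON string because EventBridge expects the
    Detail field to be a string, not a nested object.
    """
    if idp not in VALID_IDPS:
        raise ValueError(f"idp must be one of {VALID_IDPS}, got {idp!r}")
    if not _EMAIL_RE.match(user_name):
        raise ValueError(f"user_name must be an email address, got {user_name!r}")
    if not name.strip():
        raise ValueError("name must not be empty")
    detail = {
        "action": {
            "name": name,
            "user_name": user_name,
            "assume_roles": list(assume_roles),
            "trust_accounts": list(trust_accounts),
            "governance": bool(governance),
            "sagemaker": bool(sagemaker),
            "idp": idp,
        },
        "connection_id": "NA",
    }
    return {
        "Source": EVENT_SOURCE,
        "DetailType": DETAIL_TYPE,
        "EventBusName": EVENT_BUS,
        "Detail": json.dumps(detail),
    }


def parse_detail(entry: Dict[str, str]) -> Dict[str, Any]:
    """Decode the Detail string back into a dict (handy for review before sending)."""
    return json.loads(entry["Detail"])


def send_create_user(entry: Dict[str, str], client: Optional[Any] = None) -> str:
    """Put the entry on the bus and fail loudly if EventBridge rejected it.

    `client` is any object with a boto3-compatible put_events(); when None a
    real boto3 EventBridge client is created, which needs AWS credentials that
    allow events:PutEvents on kedl_event_bus.
    """
    if client is None:
        import boto3  # imported lazily so the builder works offline
        client = boto3.client("events")
    response = client.put_events(Entries=[entry])
    # put_events succeeds at the HTTP level even when an entry is rejected,
    # so the per-entry result has to be inspected.
    if response.get("FailedEntryCount", 0):
        failed = response["Entries"][0]
        raise RuntimeError(
            f"EventBridge rejected the event: {failed.get('ErrorCode')} {failed.get('ErrorMessage')}"
        )
    return response["Entries"][0]["EventId"]


if __name__ == "__main__":
    # Constructed sample input; no AWS call is made here.
    sample = build_create_user_entry(
        "Jane Doe", "jane.doe@example.com", "CUP", governance=True
    )
    print(json.dumps(sample, indent=2))
```

Running the file prints the entry for review; passing the entry to send_create_user() with credentials that hold events:PutEvents on kedl_event_bus actually creates the user, which is why that permission is the one to lock down.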
Once the governance user exists, they can use the Create and Edit User functionality to grant governance privileges to other users and to add assume roles and SageMaker access, so further user administration no longer requires the EventBridge console.
3. Adding Users via Cognito User Pool (CUP)
To add users through Cognito User Pool, a governance user can follow these steps:
Log in as a governance user and access the user page in the DSC.
Choose the option to create a new KEDL Cognito-based user.
Provide the user's email address and name, plus any assume roles or trust accounts, if applicable.
Specify whether the user should have governance and/or Sagemaker permissions.
Press the "Create" button, which will create the user as a Cognito User Pool user and generate an associated IAM role.
4. Adding Users via Azure AD (AAD)
Users can also be added to KEDL by leveraging Azure AD. The process is similar to adding Cognito users:
No manual creation step is required: have the user log in to KEDL with their Azure AD credentials.
The user will be automatically created in KEDL if their Azure AD account belongs to the "KEDL Users" or "KEDL Administrators" group.
5. User Storage and Validation
User information in KEDL is stored in DynamoDB. Validation of users is achieved through integration with Cognito and Azure AD. This validation ensures that only authenticated users with the necessary permissions can access the Data Lake.
Effective user management is vital for maintaining a secure and organized data environment within KEDL. By understanding the roles of different user types and utilizing the appropriate mechanisms for adding and validating users, organizations can foster a data-driven culture while adhering to compliance and security guidelines. The following articles will cover dataset creation, user access, and other practical aspects of using KEDL effectively.