Enable role-based authorization

To use role-based authorization, you must have configured authentication with Management Center (MC). Learn how to do this.

Flow uses role-based authorization to control which users can perform which tasks.

Flow roles

Roles are used to grant permissions to users, which allow users to perform different actions on the Flow platform.

Flow roles and corresponding authorities can be found below:

| Role | Granted Authorities |
|---|---|
| Admin | Everything |
| Viewer | BrowseSchema |
| MetricsViewer | ViewMetrics, BrowseSchema |
| QueryRunner | RunQuery |
| PlatformManager | CancelQuery, ViewQueryHistory, ViewHistoricQueryResults, BrowseSchema, EditSchema, ViewCaskDefinitions, EditCaskDefinitions, ViewPipelines, EditPipelines, ViewAuthenticationTokens, EditAuthenticationTokens, ViewConnections, EditConnections |

Permissions

To perform an activity, users must be associated with a role that grants the related authority.

| Activity | Required permission |
|---|---|
| Issue a query through the UI | RunQuery |
| Issue a query through the API | RunQuery |
| Cancel a running query | CancelQuery |
| Browse the query history in the UI | ViewQueryHistory |
| View the results of historic queries | ViewHistoricQueryResults |
| Browse the data catalog | BrowseCatalog |
| View the registered schemas | BrowseSchema |
| Modify a catalog entry | EditSchema |
| Import a new schema through the schema importer UI | EditSchema |
| List pipelines | ViewPipelines |
| Add a new pipeline | EditPipelines |
| Edit an existing pipeline | EditPipelines |
| View authentication tokens Flow uses in requests | ViewAuthenticationTokens |
| Edit authentication tokens Flow uses in requests | EditAuthenticationTokens |
| View configured data sources | ViewConnections |
| Edit configured data sources | EditConnections |

Assign users to roles

Since authentication is done via MC, users must already have MC roles assigned. Once a user has a valid MC role, the user will have the corresponding role in Flow. The role mapping can be found here.

If a user does not have any roles in MC, they will not have a corresponding role in Flow, meaning a logged-in user will not be able to do anything and will see a blank navigation bar.

Role mapping between MC and Flow

The mapping:

  • Admin → Admin

  • User → PlatformManager + QueryRunner + Viewer

  • Read-Only User → Viewer

  • Metrics-Only User → Viewer + MetricsViewer

Example: If a user has the User role in MC, they will have the PlatformManager, QueryRunner and Viewer roles in Flow.
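
The role table, the permission table and the MC mapping above can be composed to review what each MC role is actually able to do in Flow. The following is an added example, not part of Flow or MC: the function names, the "*" stand-in for Admin's "Everything", and taking the union when a user holds several MC roles are all assumptions.

```python
# Added example: data transcribed from this page's tables; all names are hypothetical.
EVERYTHING = "*"  # assumed stand-in for Admin's "Everything"
FLOW_ROLES = {  # Flow role -> granted authorities
    "Admin": {EVERYTHING},
    "Viewer": {"BrowseSchema"},
    "MetricsViewer": {"ViewMetrics", "BrowseSchema"},
    "QueryRunner": {"RunQuery"},
    "PlatformManager": {
        "CancelQuery", "ViewQueryHistory", "ViewHistoricQueryResults", "BrowseSchema",
        "EditSchema", "ViewCaskDefinitions", "EditCaskDefinitions", "ViewPipelines",
        "EditPipelines", "ViewAuthenticationTokens", "EditAuthenticationTokens",
        "ViewConnections", "EditConnections"},
}
MC_TO_FLOW = {  # MC role -> Flow roles
    "Admin": ["Admin"],
    "User": ["PlatformManager", "QueryRunner", "Viewer"],
    "Read-Only User": ["Viewer"],
    "Metrics-Only User": ["Viewer", "MetricsViewer"],
}
REQUIRED = {  # activity -> required permission
    "Issue a query through the UI": "RunQuery",
    "Issue a query through the API": "RunQuery",
    "Cancel a running query": "CancelQuery",
    "Browse the query history in the UI": "ViewQueryHistory",
    "View the results of historic queries": "ViewHistoricQueryResults",
    "Browse the data catalog": "BrowseCatalog",
    "View the registered schemas": "BrowseSchema",
    "Modify a catalog entry": "EditSchema",
    "Import a new schema through the schema importer UI": "EditSchema",
    "List pipelines": "ViewPipelines",
    "Add a new pipeline": "EditPipelines",
    "Edit an existing pipeline": "EditPipelines",
    "View authentication tokens Flow uses in requests": "ViewAuthenticationTokens",
    "Edit authentication tokens Flow uses in requests": "EditAuthenticationTokens",
    "View configured data sources": "ViewConnections",
    "Edit configured data sources": "EditConnections",
}

def effective_authorities(mc_roles):
    """Union over the user's MC roles; no role or an unknown role grants nothing."""
    flow = [f for m in mc_roles for f in MC_TO_FLOW.get(m, [])]
    return set().union(*(FLOW_ROLES[f] for f in flow))

def allowed_activities(mc_roles):
    granted = effective_authorities(mc_roles)
    return sorted(a for a, p in REQUIRED.items() if EVERYTHING in granted or p in granted)

def admin_only_permissions():  # required permissions that no non-Admin Flow role grants
    others = set().union(*(v for k, v in FLOW_ROLES.items() if k != "Admin"))
    return sorted(set(REQUIRED.values()) - others)
```

With the tables as printed, admin_only_permissions() reports BrowseCatalog, so browsing the data catalog is covered only by Admin's "Everything". An empty MC role list yields no allowed activities, which corresponds to the blank navigation bar described above.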