Warehouse Credentials by User
Introduction
Kleene admins can restrict the data users can access by leveraging the fine-grained access controls in Snowflake, BigQuery and Amazon Redshift. An admin can then mandate that users log in to Kleene with their own credentials, which restricts the data their SQL queries can access.
Note - As a result, some SQL queries that previously ran for the user may no longer run.
Important:
- If you do not use this feature, everything will carry on as normal in Kleene.
- The regular, scheduled Extracts and Transforms use the admin warehouse credentials, which are separate from user credentials. These do not need changing.
Warehouse Access Controls
Warehouse admins will generally be responsible for setting the permissions at a user level, and will need to do so before proceeding. More information can be found here:
Snowflake
https://docs.snowflake.com/en/user-guide/security-access-control-overview
BigQuery
https://cloud.google.com/bigquery/docs/control-access-to-resources-iam
Amazon Redshift
https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html
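The following is an added example, not taken from Kleene's or Snowflake's documentation: one way a Snowflake admin might set user-level permissions before personal credentials are enforced. All database, schema, warehouse, role and user names are hypothetical, and the password is a placeholder.

```sql
-- Hypothetical names: ANALYTICS_DB, SALES, FINANCE, KLEENE_WH,
-- SALES_ANALYST, JDOE. Run with a role that can manage users, roles
-- and grants on these objects.

-- 1. A role that carries only the access this user should have.
CREATE ROLE IF NOT EXISTS SALES_ANALYST;

-- 2. Compute and namespace access: without USAGE on the warehouse,
--    database and schema, the table grants below are not usable.
GRANT USAGE ON WAREHOUSE KLEENE_WH        TO ROLE SALES_ANALYST;
GRANT USAGE ON DATABASE  ANALYTICS_DB     TO ROLE SALES_ANALYST;
GRANT USAGE ON SCHEMA ANALYTICS_DB.SALES  TO ROLE SALES_ANALYST;

-- 3. Read-only access to existing and future tables in the one
--    permitted schema. Nothing is granted on ANALYTICS_DB.FINANCE.
GRANT SELECT ON ALL TABLES    IN SCHEMA ANALYTICS_DB.SALES TO ROLE SALES_ANALYST;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS_DB.SALES TO ROLE SALES_ANALYST;

-- 4. A personal warehouse user (not a shared login) bound to that role.
CREATE USER IF NOT EXISTS JDOE
  PASSWORD          = '<placeholder-unique-password>'
  DEFAULT_ROLE      = SALES_ANALYST
  DEFAULT_WAREHOUSE = KLEENE_WH;
GRANT ROLE SALES_ANALYST TO USER JDOE;

-- 5. Review what the user will actually be able to reach.
SHOW GRANTS TO ROLE SALES_ANALYST;
SHOW GRANTS TO USER JDOE;

-- Under this role, a query such as
--   SELECT * FROM ANALYTICS_DB.FINANCE.INVOICES;   -- hypothetical table
-- fails with a "does not exist or not authorized" error. Saved queries
-- that touch FINANCE will stop running for this user once their personal
-- credentials are in use.
```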
Admin Settings
Once the warehouse admin has made the necessary access control changes, the Kleene admin will need to enter the Admin Settings page and configure the users appropriately.
Where users previously shared logins to Kleene, the admin may want to create a separate login for every user. In addition, the admin will need to change the users' passwords.
Admins can set up new users by clicking ADD USERS.
For each user, under Actions, click EDIT. Here, the admin can toggle the Enforce personal Warehouse credentials option on or off. When it is on, Kleene is disabled for the user until they enter their warehouse credentials.
Users enter their credentials on a new page in the menu called Warehouse Credentials, which only appears when an admin has requested the user to do so.
A Kleene admin can see whether a user has entered their credentials in the same area, further down.
The admin can also enter warehouse credentials on behalf of a user, if they know the relevant user name/email and password.
Database role is optional.