Manage Access Control with Dashboard

Managing access control with the TerminusDB local dashboard
This article is a beginner's guide to managing organizations/teams and users with the TerminusDB dashboard.
In this article, we’ll do the following:
  • Install the local TerminusDB dashboard
  • Provide an overview of the default admin login and screens
  • Go through the administration and access control mechanisms to create new roles, users, and teams and connect them to data products.

Install the Dashboard

Install and run TerminusDB as a Docker container, also referred to as TerminusDB bootstrap.
When installed, TerminusDB creates by default, an admin user and admin team. The admin user has the privileges to manage data products, and create teams and users.
Go to http://localhost:6363/dashboard and start to build your teams, users, and data products.

Login to TerminusDB

Login to the TerminusDB Dashboard using your admin credentials. if you did not change it, the default admin password is root.
  1. 1.
    Fill the form with the user (admin) and your admin password
  2. 2.
    Press "Login"
  3. 3.
    You'll be redirected to the dashboard home page

Dashboard Home Page

On the home page, you'll find a list of teams (referred to as Organizations in the TerminusDB System Database)
Select an existing team or create a new one. If no team is created or selected, some of the dashboard functionalities are disabled.
The Create a new Team button is enabled only for the admin user.
Admin can create a new personal team where they are the admin and can also create additional Teams and Users and configure user roles using the administrator interface.

Creating a new team for the admin user

  1. 1.
    Click the button Create a new Team
  2. 2.
    The Create new team window will pop up
  3. 3.
    Insert the team name in the input field (the team name must be unique)
  4. 4.
    Click Create Team button
  5. 5.
    You will be redirected to the Team home page

Team Home Page

The top bar from right to left displays:
  • The user role
  • The user name
  • The team name

Create a New Data Product

  • Select the New Data Product button
  • Enter the Data Product ID and name
  • Click Create Data Product button

Administration and Access Control

The administrator interface provides a visual console to easily administer TerminusDB teams and data products. In order to create roles, users, and teams, you need to be logged in as the admin.
Access the User Management section from the top bar.
This diagram illustrates the roles we'll create in this how-to guide.

Create a new Role

We are going to create four different roles: appAdmin, reader, writer, and schema_writer.
  • Navigate to the User Management section
  • Select the Roles tab
  • Select Create a new Role and a pop-up window will appear
  • Insert the role name and select the role permissions
  • Click Create Role button and a new role will be created
repeat all the steps for the others roles, you can see the actions for every roles in the image below

Create New Users

We are going to create three new Users:
User_01, User_02, and User_03 , all with the default password "NO_KEY"
  • Select the Users tab
  • Select Create a new User and a pop-up window will appear
  • Insert the user name and NO_KEY as the password
  • Click Create User Button and a new User will be created
Repeat these steps for the three users.
The new users are currently unrelated to any teams.
Next, we’ll get your teams up and running.

Create a New Team

We are going to create three new teams: team_01, team_02, and team_03
  • Select the Teams tab
  • Select Create New Team and a pop-up window will appear
  • Insert the team name
  • Click the Create Team button and a new Team will be created
  • Repeat these steps for the other two teams.
The new teams are not currently linked with any users.

Add Users to Team_01

We are going to add users to team_01, assigning them roles:
  • Choose the Teams tab
  • In the team_01 row, Select the Show Team Users icon
  • Select Add Users to team_01 Team
  • From the drop-down list, select User_01 and check the appAdmin role
  • Click Send, the User01 can now access the team team01 and all the data product under the team with role appAdmin
Repeat the same steps for the other users:
User_01 -> role -> reader
User_02 -> role -> reader /writer
Then do the following:
  • Connect team_03 with User_01 with a role appAdmin
  • Connect team_02 with User_02 with a role appAdmin

Log in with the User_01

Now we are going to log in with User_01:
  • From the top bar, select Logout
  • You will redirect to the login page
  • Insert the user name and password - User_01 and NO_KEY
  • Press the Login button
Logout the admin user
Login with User_01

User_01 teams Homepage

When you first sign in, you will see a list of the teams associated with this user, select team_01.
There are no data products associated with the team, so first we’ll create two new data products.
  • Press the New Data Product button and name it dataproduct_01
  • Repeat the process and name this one dataproduct_02
On the top bar, you will see from right to left:
  • the user team role/s "appAdmin",
  • the user name, User_01
  • the selected team name team_01
User_01 has the access privileges to create new data products and manage them.

Create a Schema

  • Select the Data Product Model icon from the icons menu on the left
  • Select JsonView on the Data Product Model page and copy the following schema
  • Select the save icon
"@base": "terminusdb:///data/",
"@schema": "terminusdb:///schema#",
"@type": "@context"
"@id": "Person",
"@key": {
"@fields": [
"@type": "Lexical"
"@type": "Class",
"name": "xsd:string"
User_01 has ‘appAdmin’ privileges, so if navigating around the dashboard you can see that they can perform all the actions. For example, select the "document explorer" button on the left and insert a new Person Document.

Connect with User_02

  • Select Logout for the upper user menu
  • You'll redirect to the login page
  • Insert the credentials - User_02, password NO_KEY
  • Press Login button
  • For the teams home page select team_01
  • You'll arrive on the team_01 main page
  • From the left menu, Select dataproduct_01
On the top bar from right to left you can see the user role "reader", the user name User_02, and the team name team_01
The user does not have permission to create databases within team_01 so the New Data Product button is hidden.
The user has schema_read permission level, and from the "Data Product Model" section, they can see the schema graph in view mode.

Data product level permissions.

Login with the admin user again (the admin user is the only one that can manage teams, user roles, and capabilities)
  • Select Logout from the top menu bar,
  • You'll redirect to the login page
  • Insert admin and your admin password (default is root)
  • Select User Management from the top user menu to navigate to the access control management interface
  • From the team list table, select the green icon in the team_01 row
  • From the "team_01 -- Team Users Roles" table list, select the green icon in the User_02 row
The user has no specific permissions at the data product level, but each data product inherits the team access level, in this instance a reader role.
In the User_02 Dataproducts Roles table list, in the dataproduct_02 row:
  • Select the green Add database user roles icon
  • The Add Database new_data_product_02 roles window displays
  • Select schema_writer and writer roles for the list
  • Click Send

Check the new User_02 Permission

Login with User_02, NO_KEY, team_01
  • On the team_01 home page, select the dataproduct_02 from the data products pane
  • On the top bar, from right to left you will see:
    • User roles - reader + schema_writer + writer
    • The user name User_02
    • The selected Team team_01
As you can see, User_02 can now edit the schema in dataproduct_02.
Now select dataproduct_01, you will see that the user’s role is reader, so User_02 can only view the schema for this data product.

Further Reading