Key features
- Catalogs: A Trino catalog system that provides access to a data source through a connector. On NexusOne, you can select multiple catalogs to federate queries across different data sources.
- IAM: Manage roles for users and groups. You can either create new roles or use the default roles.
- Data access: Manage data access control by associating roles with specific tags. Each tag determines what data a role can access. You create tags on DataHub or when you are ingesting data on NexusOne.
- Data catalog: Provides access to the DataHub app so you can create tags, view your data lineage, and manage domains, which logically group your data.
Supported Trino catalogs
NexusOne supports the following Trino catalogs:
Default roles in NexusOne
NexusOne ships with the following default roles:
- nx1_ask: Grants read and write permissions to access the Ask feature on the portal
- nx1_engineer: Grants read and write permissions to access the Engineer feature on the portal
- nx1_ingest: Grants read permissions to access the Ingest feature on the portal
- nx1_monitor: Grants the permission to view, trigger, or delete the Airflow DAGs you created by interacting with other NexusOne features such as Ingest. DAGs appear on the Monitor page and on Airflow
- nx1_monitor_admin: Grants read and write permissions to view, trigger, or delete DAGs created by all users in the NexusOne portal
- nx1_monitor_ops: Grants the same permissions as the nx1_monitor role with a few additional ones
- nx1_quality: Grants read and write permissions to access the Quality feature
- nx1_s3_admin: Complements the nx1_ingest role by granting write permissions to access the object storage used in the Ingest feature
Each role has pre-assigned permissions that you can’t access. However, you can create a new role and associate it with multiple roles.
Additional roles in NexusOne
Several OSS tools power specific features in NexusOne, and they do this using roles. These roles are different from the default NexusOne roles, and they include the following:
- Apache Airflow: The following roles are specific to the Airflow tool:
  - airflow_admin: Grants read and write permissions to all users
  - airflow_viewer: Grants read permissions to view DAGs, tasks, logs, and metrics
  - airflow_user: Grants read and write permissions to create and edit personal DAGs, trigger your workflows, and view your task logs
  - airflow_ops: Grants the same permissions as the user role, with a few additional ones
- Apache Spark: The following roles are specific to the Spark tool:
  - spark_sql: Grants permission to run SQL commands
  - spark-history-admins: Grants read and write permissions to the Spark History Server
  - spark-history-viewers: Grants read permissions to the Spark History Server
- Apache Superset: The following roles are specific to the Superset tool:
  - superset_admin: Grants read and write permissions to manage users, databases, dashboards, SQL Lab, data sources, security policies, and all app configurations
  - superset_user: Grants read permissions to create and view dashboards, execute SQL queries in SQL Lab, and explore datasets
- DataHub: The following role is specific to the DataHub tool:
  - datahub-admin: Grants read and write permissions to manage tags, domains, assertions, and more
- Trino: The following role is specific to the Trino tool:
  - trino_admin: Grants full query access to all catalogs and schemas. Also grants read and write access to S3 buckets from the Jupyter UI
Use cases
These examples show how different industries can use NexusOne’s Govern capabilities:
- Financial services: Limit data access to sensitive ingested data, such as client account details or regulatory reports, using roles and tags.
- Healthcare: Use IAM to assign a custom role that grants a compliance officer access only to audit logs and regulatory reports, without exposing sensitive patient data.