The Govern feature provides management access to NexusOne apps, features, and data sources, so that you can control who can access what at any time. When you purchase NexusOne, you get access to an external identity provider such as Okta or an internal identity provider such as Keycloak. Keycloak isn't launched directly from the NexusOne portal, but it provides the identity management backend used by NexusOne and also provides authorization. In Keycloak, you can create an administrator user and assign an Identity and Access Management (IAM) administrator role to it. This administrator can then create and manage users in Keycloak. After signing in to the NexusOne portal, the Keycloak administrator can also use all the IAM capabilities, such as creating users, managing apps, and defining roles. These roles contain permissions that determine which NexusOne app a user can access.
Key features
- App manager: An app management layer to organize custom pipelines, DAGs, artifacts, and metadata into versioned application units. It consists of the following:
  - Components: Files belonging to a version of an app
  - Roles: Who can manage or use an app
  - Secrets: Sensitive values passed to a DAG file
  - Versions: Versioned set of DAGs and artifacts, such as JAR or ZIP files
- Catalogs: A Trino catalog system that provides access to a data source through a connector. On NexusOne, you can select multiple catalogs to federate queries across different data sources.
- Data access: Manage data access control by associating roles with specific tags. Each tag determines what data a role can access. You create tags on DataHub or when you are ingesting data on NexusOne.
- Data catalog: Provides access to the DataHub app so you can create tags, view your data lineage, and manage domains, which logically group your data.
- IAM: Manage roles for users and groups. You can either create new roles or use the default roles.
- Identity provider: Manage the user identity of people accessing NexusOne.
- Object storage: Connects and provides data access to S3 buckets from third-party object storage providers.
Supported identity providers
NexusOne supports the following identity providers:
- Auth0
- GitHub
- Google Workspace
- Keycloak
- Microsoft Entra ID
- Okta workforce identity cloud
- OneLogin by One Identity
- PingIdentity
- Other custom OIDC providers
- Other custom SAML providers
Supported object storage providers
NexusOne supports any S3-compatible object provider that provides an access and secret key for authentication. Examples include:
Supported Trino catalogs
NexusOne supports the following Trino catalogs:
Default roles in NexusOne
NexusOne ships with the following default roles:
- nx1_app_manager: Grants permissions to use Create, Read, Update, and Delete (CRUD) operations on apps and add or remove roles associated with the apps
- nx1_ask: Grants read and write permissions to access the Ask feature on the portal
- nx1_engineer: Grants read and write permissions to access the Engineer feature on the portal
- nx1_ingest: Grants read permissions to access the Ingest feature on the portal
- nx1_monitor: Grants the permission to view, trigger, or delete the Airflow DAGs you created by interacting with other NexusOne features such as Ingest. DAGs appear on the Monitor page and on Airflow
- nx1_monitor_admin: Grants read and write permissions to view, trigger, or delete DAGs created by all users in the NexusOne portal
- nx1_monitor_ops: Grants the same permissions as the nx1_monitor role with a few additional ones
- nx1_quality: Grants read and write permissions to access the Quality feature
- nx1_s3_admin: Complements the nx1_ingest role by granting write permissions to access the object storage used in the Ingest feature
Each role has pre-assigned permissions that you can’t access. However, you can create a new role and associate it with multiple roles.
Additional roles in NexusOne
Several OSS tools power specific features in NexusOne, and they do this using roles. These roles are different from the default NexusOne roles, and they include the following:
- Apache Airflow: The following roles are specific to the Airflow tool:
  - airflow_admin: Grants read and write permissions to all users
  - airflow_viewer: Grants read permissions to view DAGs, tasks, logs, and metrics
  - airflow_user: Grants read and write permissions to create and edit personal DAGs, trigger your workflows, and view your task logs
  - airflow_ops: Grants the same permissions as the user role, with a few additional ones
- Apache Spark: The following roles are specific to the Spark tool:
  - spark_sql: Grants permission to run SQL commands
  - spark-history-admins: Grants read and write permissions to the Spark History Server
  - spark-history-viewers: Grants read permissions to the Spark History Server
- Apache Superset: The following roles are specific to the Superset tool:
  - superset_admin: Grants read and write permissions to manage users, databases, dashboards, SQL Lab, data sources, security policies, and all app configurations
  - superset_user: Grants read permissions to create and view dashboards, execute SQL queries in SQL Lab, and explore datasets
- DataHub: The following role is specific to the DataHub tool:
  - datahub-admin: Grants read and write permissions to manage tags, domains, assertions, and more
- Trino: The following role is specific to the Trino tool:
  - trino_admin: Grants full query access to all catalogs and schemas. Also grants read and write access to S3 buckets from the Jupyter UI
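Because a custom role can be associated with multiple roles, a user's effective access is not visible from the direct assignment alone. The following added example (not NexusOne or Keycloak code) expands custom roles down to the default and tool roles listed above and flags users who end up holding a broad one. The data layout, the custom role names, the set of roles treated as broad, and the possibility of custom roles nesting other custom roles are all assumptions made for illustration.

```python
# Constructed data model; not a NexusOne or Keycloak export format.
# Assumption: roles the page describes as covering all users, all catalogs,
# object storage writes, or full tool administration are treated as broad.
BROAD_ROLES = {
    "nx1_monitor_admin", "nx1_s3_admin", "airflow_admin",
    "superset_admin", "datahub-admin", "trino_admin",
}

# Constructed sample: hypothetical custom role -> roles associated with it.
CUSTOM_ROLES = {
    "analyst": ["nx1_ask", "superset_user", "spark_sql"],
    "pipeline_owner": ["nx1_ingest", "nx1_monitor", "data_platform"],
    "data_platform": ["nx1_s3_admin", "trino_admin", "pipeline_owner"],  # cycle
}

# Constructed sample: user -> directly assigned roles.
ASSIGNMENTS = {
    "alice": ["analyst"],
    "bob": ["pipeline_owner"],
    "carol": ["nx1_quality", "airflow_viewer"],
}

def effective_roles(assigned, custom_roles):
    """Expand custom roles transitively; tolerate cycles between them."""
    resolved, stack, seen = set(), list(assigned), set()
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        if role in custom_roles:
            stack.extend(custom_roles[role])  # custom role: keep expanding
        else:
            resolved.add(role)                # built-in role: record it
    return resolved

def audit(assignments, custom_roles, broad=BROAD_ROLES):
    """Return {user: sorted broad roles held directly or through a custom role}."""
    findings = {}
    for user, assigned in assignments.items():
        hits = effective_roles(assigned, custom_roles) & broad
        if hits:
            findings[user] = sorted(hits)
    return findings

if __name__ == "__main__":
    for user, roles in audit(ASSIGNMENTS, CUSTOM_ROLES).items():
        print(f"{user}: review broad roles {roles}")
```

In the sample data, bob is assigned only pipeline_owner, yet the expansion shows that this carries nx1_s3_admin and trino_admin through the nested data_platform role.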
Use cases
These examples show how different industries can use NexusOne’s Govern capabilities:
- Financial services: Limit data access to sensitive ingested data, such as client account details or regulatory reports, using roles and tags.
- Healthcare: Use IAM to assign a custom role that grants a compliance officer access only to audit logs and regulatory reports, without exposing sensitive patient data.