The Govern feature lets you manage who can access NexusOne features and any tagged data ingested into NexusOne. When you purchase NexusOne, you get access to an external identity provider, such as Okta, or an internal identity provider, such as Keycloak. Keycloak isn’t launched directly from the NexusOne portal; instead, it provides the identity management backend that NexusOne uses, and it also handles authorization. When the purchase is complete, you can create an administrator user in Keycloak and assign the Identity and Access Management (IAM) administrator role to it. As an administrator, you can manage users and roles either directly in Keycloak or through the NexusOne portal. NexusOne acts as a management layer on top of Keycloak, allowing you to create users and define roles with specific permissions. These roles determine which NexusOne features or tagged ingested data each user can access.

Key features

  • Data access: Manage data access control by associating roles with specific tags. Each tag determines what data a role can access. You create tags in DataHub or when you ingest data into NexusOne.
  • IAM: Manage roles for users and groups. You can either create new roles or use the default roles.
  • Identity provider: Manage the user identity of people accessing NexusOne.
  • Object storage: Connects and provides data access to S3 buckets from third-party object storage providers.

Supported identity providers

NexusOne supports the following identity providers:

Supported object storage providers

NexusOne supports any S3-compatible object provider that provides an access and secret key for authentication. Examples include:

Default roles in NexusOne

NexusOne ships with the following default roles:
  • nx1_app_manager: Grants permissions to use Create, Read, Update, and Delete (CRUD) operations on apps and add or remove roles associated with the apps
  • nx1_ask: Grants read and write permissions to access the Ask feature on the portal
  • nx1_engineer: Grants read and write permissions to access the Engineer feature on the portal
  • nx1_ingest: Grants read permissions to access the Ingest feature on the portal
  • nx1_monitor: Grants the permission to view, trigger, or delete the Airflow DAGs you created by interacting with other NexusOne features such as Ingest. DAGs appear on the Monitor page and on Airflow
  • nx1_monitor_admin: Grants read and write permissions to view, trigger, or delete DAGs created by all users in the NexusOne portal
  • nx1_monitor_ops: Grants the same permissions as the nx1_monitor role with a few additional ones
  • nx1_quality: Grants read and write permissions to access the Quality feature
  • nx1_s3_admin: Complements the nx1_ingest role by granting write permissions to access the object storage used in the Ingest feature
Each role has pre-assigned permissions that you can’t access. However, you can create a new role and associate it with multiple existing roles.
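The following is an added example, not NexusOne or Keycloak code: it shows how a custom role that is associated with several existing roles resolves to an effective set of permissions, and how that set decides access to tagged data. The role definitions use the Keycloak RoleRepresentation shape (name, composite, composites.realm); the custom role name "ingest_operator", the "compliance_officer" role and the tag-to-role mapping are constructed assumptions, since the page does not describe how NexusOne stores tag associations.

```python
"""Added example: expand Keycloak-style composite roles and check tag access."""

# Constructed Keycloak-style RoleRepresentation list. The nx1_* names are the
# default roles listed above; "ingest_operator" is a hypothetical custom role
# associated with two of them (a Keycloak composite role).
REALM_ROLES = [
    {"name": "nx1_ingest", "composite": False},
    {"name": "nx1_s3_admin", "composite": False},
    {"name": "nx1_monitor", "composite": False},
    {"name": "ingest_operator", "composite": True,
     "composites": {"realm": ["nx1_ingest", "nx1_s3_admin"]}},
]

# Constructed tag-to-role association (assumed shape, not NexusOne's own store).
# A role listed under a tag may read data carrying that tag; anything else is denied.
TAG_ROLES = {
    "pii": {"nx1_s3_admin"},
    "audit_log": {"nx1_monitor", "compliance_officer"},
}


def effective_roles(assigned, realm_roles=REALM_ROLES):
    """Expand composite roles transitively; the visited set guards against cycles."""
    by_name = {r["name"]: r for r in realm_roles}
    seen, stack = set(), list(assigned)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = by_name.get(name)
        if role and role.get("composite"):
            stack.extend(role.get("composites", {}).get("realm", []))
    return seen


def can_access_tag(assigned, tag, tag_roles=TAG_ROLES, realm_roles=REALM_ROLES):
    """True only if some effective role is associated with the tag (deny by default)."""
    return bool(effective_roles(assigned, realm_roles) & tag_roles.get(tag, set()))


if __name__ == "__main__":
    print(sorted(effective_roles(["ingest_operator"])))
    print(can_access_tag(["ingest_operator"], "pii"))   # inherited via composite
    print(can_access_tag(["nx1_ingest"], "pii"))        # read-only ingest role: denied
```

The healthcare use case below maps onto the same check: a role associated only with the audit_log tag never resolves to pii access.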

Additional roles in NexusOne

Several OSS tools power specific features in NexusOne, and they do this using roles. These roles are different from the default NexusOne roles, and they include the following:
  • Apache Airflow: The following roles are specific to the Airflow tool:
    • airflow_admin: Grants read and write permissions to all users
    • airflow_viewer: Grants read permissions to view DAGs, tasks, logs, and metrics
    • airflow_user: Grants read and write permissions to create and edit personal DAGs, trigger your workflows, and view your task logs
    • airflow_ops: Grants the same permissions as the user role, with a few additional ones
  • Apache Spark: The following roles are specific to the Spark tool:
    • spark_sql: Grants permission to run SQL commands
    • spark-history-admins: Grants read and write permissions to the Spark History Server
    • spark-history-viewers: Grants read permissions to the Spark History Server
  • Apache Superset: The following roles are specific to the Superset tool:
    • superset_admin: Grants read and write permissions to manage users, databases, dashboards, SQL Lab, data sources, security policies and all app configurations
    • superset_user: Grants read permissions to create and view dashboards, execute SQL queries in SQL Lab, and explore datasets
  • DataHub: The following role is specific to the DataHub tool:
    • datahub-admin: Grants read and write permissions to manage tags, domains, assertions, and more
  • Trino: The following role is specific to the Trino tool:
    • trino_admin: Grants full query access to all catalogs and schemas. Also grants read and write access to S3 buckets from the Jupyter UI

Use cases

These examples show how different industries can use NexusOne’s Govern capabilities:
  • Financial services: Limit data access to sensitive ingested data, such as client account details or regulatory reports, using roles and tags.
  • Healthcare: Use IAM to assign a custom role that grants a compliance officer access only to audit logs and regulatory reports, without exposing sensitive patient data.

Additional resources

To see all the open source software tools that make up the components of the NexusOne platform, refer to Platform components.