Roles
Roles and permissions are managed using the internal PostgreSQL role concepts. MobyDQ uses 4 roles which define to which database objects users can access to (object-level security).
Anonymous
The anonymous role is the default role used to query the database for non-authenticated users. It grants permissions to read data on all tables and views of the base schema except:
- Table
base.passwordwhich contains users’ passwords. - View
base.data_source_passwordwhich displays decrypted data sources’ passwords.
Standard
The standard role is the default role for all authenticated users who wish to create and execute data quality indicators. It inherits permissions from the anonymous role. In addition, it grants permissions to write and delete the following objects:
- Indicators
- Indicator groups
- Indicator parameters
- Batches
- Sessions
- Session results
Advanced
The advanced role is the role for users who need to manage data sources and their password. It inherits permissions from the standard role. In addition, it grants permissions to write and delete the following objects:
- Data sources
Admin
The admin role is used to manage application users and configuration. It grants the same permissions as the advanced role, plus the permissions to write and delete the following objects:
- Data source types
- Indicator types
- Indicator parameter types
- Users
- User groups
Row Level Security (RLS)
In addition to object-level security, MobyDQ also implements PostgreSQL row-level security. It is used to manage visibility rules on the data so that users only see the data of the user groups they belong to. Row-level security is implemented for the following objects:
- Data sources
- Indicators
- Indicator groups
- Indicator parameters
- Batches
- Sessions
- Session results