Only catalog admins or users who have been assigned the role 'okera_user_details_role' can access the Users page.
The Users page enables you to see users' group and role assignments and to run the User Inactivity Report to check which users have been inactive on data.
The 'All Users' tab serves as a directory of all active users. Users will appear in this directory if they have logged into Okera or have been otherwise authenticated by Okera. Please note that there may be a slight delay between when a user is authenticated and when they appear on this page.
You can search for specific users by name with the 'User' filter. You can also use the 'Group name' filter to search for a specific group - the results will show all active users who belong to that group.
Click on a user's name to open their details pane and see which roles and groups the user belongs to.
You can click on any role to view it on the Roles page and see what kind of access it grants. To learn more about roles, see Managing Roles in the UI.
User Inactivity Report
The User Inactivity Report displays a list of users who have access to specified data objects, but have not queried these data objects within a given timeframe. This report thus lets you see users who are not using their access to data and should likely have this access revoked.
Getting Set Up
When you first reach the User Inactivity Report, you will see the following form:
Fill out the required information to get started reviewing inactive users.
Database/Dataset: Use the database and dataset dropdowns to indicate which data object you want to run this report on. The report will show users who have read access on this data object but have not been using this access.
Time range: Use the time range dropdown to specify the amount of time users have been inactive for. The report will show users who have not accessed the relevant data object in this amount of time. You can specify a custom time range between 1 and 999 days if the
As an example, the settings shown below would generate a report that shows all users with access to the marketing database who have not accessed any data in the marketing database in the last 30 days:
Please note that, for this report, "having access" to a data object means that a user:
- has read access on the relevant database/dataset,
- or has read access on an object within the relevant database/dataset (e.g. a column),
- or has inherited read access on the relevant database/dataset due to having read access on a higher-level object (e.g. a user who has ALL access on the entire catalog).
Users who only have the ability to view or edit metadata on a data object (i.e. write access) and cannot view the data itself will not appear in this report.
Understanding the Report
Once you've filled out your set-up form, click "Confirm settings" to generate your report. You will see a report like the one below:
Your report settings will be saved, but you can edit them at any time by clicking 'Edit report settings':
The user inactivity report has several columns:
- User: The username of a user who has not accessed the relevant database/dataset within your specified timeframe.
- Last accessed: The last recorded time that this user successfully accessed the relevant database/dataset. This column may display 'Never queried', which means that Okera has no record of this user ever running a successful query on the relevant database/dataset.
- Roles granting access: Any roles this user belongs to which grant read access on the relevant database/dataset. This column indicates how a user acquired access to these data objects. You can click on any role to view it on the Roles page and see a full list of the permissions it grants. To learn more about roles, see Managing Roles in the UI.
- Groups containing user: Users cannot be assigned directly to roles and must instead be assigned via a group. This column shows all groups that (a) contain this user, and (b) are assigned to the roles listed in 'Roles granting access'. This column thus indicates how a user was assigned to these roles. You can revoke a user's access to the relevant data objects by removing the user from these groups.
- Access level: The type of read access that this user has on the relevant data objects. As a reminder, some users may have direct access to the relevant database/dataset, while others may inherit their access by having permissions on a higher-level data object, such as the catalog. Users may also have access to specific objects within the relevant database/dataset, such as a column.
Overall, this report displays a list of users who have not accessed the relevant data objects within your specified timeframe and should thus have their access revoked, as well as the groups and roles that these users should be removed from in order to have their access revoked.
This report can be downloaded as a CSV via the 'Download as CSV' button:
Note that if you have recently deployed Okera 2.1, you may see a message in red on your report:
Okera will only have precise information about when users last accessed data from the date of 2.1 deployment onwards. For this reason, if you attempt to run this report shortly after deploying Okera 2.1, Okera will not have had enough time to collect user data and your report will likely be inaccurate.
Okera thus recommends that you wait the number of days in your ideal time range before running this report, e.g. if you'd like to run this report for the time range '30 days or more', you should wait for 30 days after the Okera 2.1 deployment date before running this report. The message will update every day to inform you how many days of data have been collected.
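The downloaded CSV can be turned into a per-group review list for revoking unused access. The script below is an added example, not Okera code: it assumes the CSV headers match the report's column names and that multi-valued cells use ";" as a separator, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Header names follow the report's column names;
# the ";" separator and all values are assumptions, not Okera's documented format.
SAMPLE_CSV = """\
User,Last accessed,Roles granting access,Groups containing user,Access level
alice,Never queried,marketing_read,marketing_analysts,Database
bob,2021-01-04 10:22:00,marketing_read;catalog_all,marketing_analysts;platform_admins,Catalog
carol,Never queried,marketing_cols,contractors,Column
"""

def split_cell(cell, sep=";"):
    """Split a multi-valued cell (assumed separator) into clean names."""
    return [v.strip() for v in cell.split(sep) if v.strip()]

def removal_plan(csv_text):
    """Map each group to the inactive users a reviewer would remove from it."""
    plan = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        for group in split_cell(row["Groups containing user"]):
            plan[group].append({
                "user": row["User"].strip(),
                "never_queried": row["Last accessed"].strip() == "Never queried",
                "roles": split_cell(row["Roles granting access"]),
                "access_level": row["Access level"].strip(),
            })
    for members in plan.values():
        # Users with no recorded query at all are listed first.
        members.sort(key=lambda m: (not m["never_queried"], m["user"]))
    return dict(plan)

def multi_group_users(plan):
    """Users listed under several groups; leaving any one membership keeps access."""
    groups_by_user = defaultdict(set)
    for group, members in plan.items():
        for m in members:
            groups_by_user[m["user"]].add(group)
    return {u: sorted(g) for u, g in groups_by_user.items() if len(g) > 1}

if __name__ == "__main__":
    plan = removal_plan(SAMPLE_CSV)
    for group in sorted(plan):
        for m in plan[group]:
            print(f"{group}: remove {m['user']} (level={m['access_level']}, roles={m['roles']})")
    print("remove from every listed group:", multi_group_users(plan))
```

Rows whose access level shows inherited access from a higher-level object deserve a manual check before removal, since the group involved may grant more than the database or dataset the report was run on.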