Security becomes simple and centralized for any connection in Conduit. Connections are run though a central security console that can integrate with your Azure Active Directory for a single sign-on experience, or you can quickly create simple, role-based access rights within Conduit itself.

About User Security

Conduit enables users with Admin permissions manage regular users' access with flexible authentication and authorization configuration, all in one place, across all tables and data sources. Use your existing security infrastructure, or quickly and easily create users and groups within Conduit. 

User Roles

There are two user roles within Conduit. These roles define what pages and functionalities are available to a user after logging in to management console.

  • Admin role – this user role offers access to all pages and functionalities
  • Analyst role – this user role limits access to the Query Editor and Data Catalog functionalities only

Authentication Options

Conduit supports two authentication/authorization options into management console and for data access:

  • Azure Active Directory single-sign-on (sso)–  by establishing a link with an Azure Active Directory (AAD) subscription,  access policies can be managed centrally in AAD so that they translate automatically to Conduit. This helps to streamline the data that users can explore.  AAD sso is optional, and is enabled when AD Subscription is specified as default in Conduit
  • Conduit internal users– users created in Conduit and stored in internal database.

Roles Admin and Analyst apply to both ways of authentication.

Managing Active Directory Subscriptions and Groups

Admin role privileges are required to create and manage Active Directory subscriptions and groups

During the initial deployment internal user with Admin role privileges is created.  Log in with the Admin credentials and click on Security tab, then Active Directory Subscriptions menu option. 

To create link with Azure AD subscription:

  1.  Click Add New Subscription button
  2. Specify name for AD Subscription,  AD Authority, Application ID and Client Secret
  3. Check "Set as default subscription" if this is an AD subscription meant to grant AD users access to Conduit web app
  4. Click  "Validate and Import AAD groups".  You will be prompted to validate provided subscription credentials and AD groups import by signing in with your AD user. The AD user must be from the same AD tenant.

To review imported AD groups:

  1. Go to Security - User Groups - Active Directory Groups
  2. In Subscription dropdown select subscription for the groups you would like to review
  3. To open AAD group, click on corresponding pen icon.
  • All AD groups are imported by default with Analyst role privileges. The roles are relevant only to AD subscription set as default, ie the subscription Conduit checks against when authenticates users.  To grant certain AD users Admin role privileges,  update the role on the group. 
  • On Active Directory Group form you will be able to review which connectors use this group to grant permission to access data. 
  • To re-sync AD subscription created in Conduit with your organization's AAD go to Active Directory Subscriptions and click edit to open an exiting subscription. Click on "Validate and Import AAD groups" to singing in with your AD user.  New AD groups if any were created since last sync will be imported into Conduit.
  • Imported AD groups and subscriptions can be deleted from Conduit if needed. When AD Subscription is deleted, all associated AD Groups are deleted as well
  • More than one AD subscription may be imported. Only one subscription may be set as default AD subscription.
  • Imported AD groups and subscriptions can be deleted from Conduit if needed. When AD Subscription is deleted, all associated AD Groups are deleted as well

Managing Conduit Users

Conduit type users can be created by any user with Admin role privileges 

  1. Go to Security - User Admin page and click on the Add New User button
  2. Fill out all the fields
  3. Select what role should this user account be in, and click Create
  • The email field should to be unique within Conduit
  • The email cannot be changed once the user record is created. If needed, delete and recreate the user
  • Name, role membership and passwords for conduit type users can be updated from User Admin page
  • Analyst conduit users do not have access to User Admin page. They can reset their passwords via Forgot Password if needed.

On Conduit deployments with disabled AAD sso  external users also have option to request creating analyst account in Conduit for themselves. The pending requests would need to be approved by Admin users before the new analyst user is granted access.

Create and Manage Conduit Groups

Admin privileges are required to create and manage Conduit user groups.

Log in with Admin credentials and click on Security tab, then Conduit Groups menu option. 

On this page you can create, update and edit Conduit user groups.

To create a group, click Add New Conduit Group button. On opened form please specify:

  • Name - required field. Please note that it can't be changed after the group is saved.
  • Description - optional field for notes about the group. Can be updated at any point.
  • Select user(s) to be assigned as part of this group

To update Conduit group, click on pen icon to open group form.

On Conduit Group form you will be able to review which connectors use this group to grant users permission and which tables.

Only connectors with Authentication type "Conduit Authentication with Impersonation" will be displayed in the connector list.

To delete Conduit group, click on bucket icon for a group that needs to be deleted and then confirm delete action.