Denodo Security Model

Data Governance

University standard practices related to data and information security also apply to Denodo. All users of Denodo are required to comply with the university Information Security Policy (SPG 601.27). Developers are responsible for determining the scope of visibility of the data and for managing access to their views.

Roles and Privileges

Access to the Denodo system and to views created within Denodo is controlled through MCommunity groups. Virtual Database (VDB) owners manage users’ privileges by adding individuals to or removing them from these groups.

When you request a new VDB, the online request form requires the name of an MCommunity administrative group. This group will own the groups with access to the VDB. It will also be notified when changes to U-M Data Warehouse views may impact the VDB environment; therefore, it must be configured to receive email from non-members.

ITS will establish four Denodo roles and the four MCommunity groups to which they map:

  • {VDBName}_developer
  • {VDBName}_reader1
  • {VDBName}_reader2
  • {VDBName}_reader3

The MCommunity administrative group owns the four new MCommunity groups, and anyone in that administrative group can update users as necessary. MCommunity group names are similar to the role names, but the group names do not include underscores:

  • {VDBName} Developer
  • {VDBName} Reader1
  • {VDBName} Reader2
  • {VDBName} Reader3 

When working with MCommunity groups and Denodo, please note:

  • Sub-groups are not supported within the Denodo MCommunity groups. Individuals must be added to an MCommunity group individually by uniqname. 
  • The individual who requested the VDB is automatically added to the Developer group. Additional developers must be added by a member of the administrative group.
  • The reader groups do not contain any users. Users must be added by a member of the administrative group.
  • The reader roles are optional. These are used for granting access to Denodo views or subsets of views to users who do not need full access to a VDB.
  • To grant an MCommunity reader group access to one or more views, submit a ticket to ITS-Denodo through the ITS Service Center.
  • MCommunity administrative group members are responsible for periodically renewing the Developer and Reader groups. MCommunity sends an automated reminder email when the groups are approaching their expiration date. You can refer to the general MCommunity group management documentation for additional information.
  • Additional reader roles can be created by ITS on request.