Skip to main content

NineData Data Source-Level Permission Control

Use data source-level permission control to limit who can operate tasks that depend on specific data sources. In a NineData dedicated cluster, users who do not have permission for a task's source or target data source can still see the task, but they cannot modify or operate it.

Overview

In NineData dedicated clusters, users can manage running replication tasks from Operations > Schedule.

In multi-user environments, unrestricted task operations can lead to accidental changes, unauthorized intervention, or production impact.

NineData links data source-level permissions with Operations Center task management so that only users with permission for the related data sources can operate a task. This mechanism provides:

  • Task visibility: Users can see that a task exists and view its basic information.
  • Operation isolation: Only users with the required data source permissions can change or operate the task.

Feature Description

In a NineData dedicated cluster, data source permissions determine both data source access and the operations a user can perform on related tasks:

Permission StatusTask VisibleView Task DetailsModify Task Workflow & PropertiesStart/Stop OperationsOpen Terminal
No target data source permissionAllowedAllowedProhibitedProhibitedProhibited
With target data source permissionAllowedAllowedAllowedAllowedAllowed

Data source permission control uses two dimensions:

Permission Control
Description
Authorization subjectsSubjects are users or roles:
  • Direct user authorization: Admins assign data source permissions directly to individual users.
  • Role-based authorization: Admins assign permissions to roles, then bind users to those roles. This creates reusable permission templates for teams and multi-user environments.
Authorization scopeAuthorization supports specific data sources and environments:
  • Data source-level authorization: Admins assign permissions for a specific data source to a user or role. Use this for fine-grained control.
  • Environment-level authorization: Each data source must belong to an environment, such as development, testing, or production. Granting permission for an environment grants access to all data sources in that environment.

Scenario Setup

  • Replication Tasks: The admin user (admin) creates two replication pipelines in advance: MySQL A > MySQL B, and MySQL C > MySQL D.

    image-20250911175736829

  • Users: Two users are created and granted different data source permissions. Each user then signs in and attempts to operate tasks that are both inside and outside their permission scope.

    UserRole NameAuthorized Data Sources
    user_arole_mysql_a-bMySQL A, MySQL B
    user_brole_mysql_c-dMySQL C, MySQL D

    Final result:

    • user_a cannot operate tasks related to MySQL C/D.
    • user_b cannot operate tasks related to MySQL A/B.

Step 1: Create Roles and Configure Data Source Permissions

  1. Sign in to the NineData console with a system administrator account.

  2. Go to Account > Role.

  3. Click Create Role and create two roles:

    image-20250912150100781

    • role_mysql_a-b
    • role_mysql_c-d
  4. Open a target role, go to the Datasource Permission tab, and click Add Permission to assign different data source permissions to the roles:

    image-20250912151717350

    • role_mysql_a-b: Authorized to access MySQL A and MySQL B, and granted Schedule permissions (including Service Permission and Datasource Permission).

      image-20250912151856969
      image-20250912152547562
      image-20250912154817013

    • role_mysql_c-d: Authorized to access MySQL C and MySQL D. Other permissions are the same as role_mysql_a-b.

      image-20250912155004467

    tip

    If your data sources are grouped by environment and a role needs access to every data source in one environment, select the environment name under Environment.

    image-20250912170510119

Step 2: Create Users and Bind Roles

  1. Sign in to the NineData console with a system administrator account.

  2. Go to Account > User.

  3. Click Invite, create two users, and bind each user to the roles created in Step 1. Click OK. NineData generates login credentials.

    image-20250912155201125

    • user_a: bound to role_mysql_a-b.
    • user_b: bound to role_mysql_c-d.

Step 3: Use user_a or user_b to View and Attempt Task Operations

  1. Sign in to the NineData console with either of the accounts created in Step 2. This example uses user_a.

  2. Go to Operations > Schedule. On the Task List page, the two replication tasks created by the admin are visible. In this example, rp-dcpvjufzhzcj is the task for which user_a has data source permission.

    image-20250911181257917

  3. Click the permitted task ID to open the details page. You can view task details and perform all available operations.

    image-20250911181527689

  4. Return to the task list and click a task ID for which the user has no permission. The user can view the task details, but all task operations are blocked and a no-permission message appears.

    image-20250911182400883

Result

Users can view task information across the Operations Center, but task operations are limited by the data source permissions assigned to their user account or role. This helps administrators keep shared task visibility while preventing unauthorized task changes.