
🪪 LHO Roles


What roles are there in the LHO app?

LHO currently supports the following roles that grant specific rights in the application:

  • user

    • an Azure AD user can only access the Overview, Reports, UcMigration and Health Alerts features of the application

    • access cost and telemetry data on workspaces based on configured access rights

  • executive

    • all the rights of users, plus access cost and telemetry data on all published workspaces with no access rights restriction

  • admin

    • all the rights of users and executives, plus the ability to configure a Databricks Workspace to be used for analysis by users and executives, set the license, and configure email notifications and incident policies

  • billing admin

    • all the rights of users, plus the ability to manage consumption data loading and processing


How can I assign LHO roles to users?

(Step 1) Create env variable

To enable roles in the LHO app, set the following environment variable for the app:

  • ADMIN_APP_ROLE = bplm-admin

    • bplm-admin is simply a user-defined role name. The administrator can choose any tag to identify the admin role type. This tag is then used to define an App Registration role in Active Directory.

    • (warning) if the env variable ADMIN_APP_ROLE is not defined, all regular users effectively work as admin users, with full rights in the LHO app

(Step 2) Create app role

Open Azure Active Directory in the Azure Portal → App registrations → search for the client id (see more details at “How do I configure the Azure Active Directory group?”) and open the application → click on App roles → Create app role with the following settings:

  • Display name

    • bplm-admin

  • select Users/Groups

  • Value

    • bplm-admin

    • the value must be the same as the value of the env variable ADMIN_APP_ROLE

  • Description

    • any meaningful description


If there are NO roles defined in the Service Principal App, then any signed-in user in LHO is considered an LHO Admin.


(Step 3) Assign users to App role

Continuing from the step above, click on Overview in the opened application page.

If the page from (Step 2) was closed, open Azure Active Directory in the Azure Portal → App registrations → search for the client id (see more details at “How do I configure the Azure Active Directory group?”) and open the application.

Click on the link for Managed application in local directory; the link text is the App name. This opens the Enterprise Application view.

Select the Users and groups tab and click Add User/Group.

This view allows you to assign users and/or groups to have the admin role in the LHO app.
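
A preflight check for the two fail-open conditions described above (ADMIN_APP_ROLE not defined, and no app roles defined), plus a mismatch between the env variable and the app role Value. This is an added example, not LHO's own code: `audit_admin_role` and the sample manifest are constructed for illustration, and it assumes the app registration manifest has been exported as JSON with its `appRoles` array.

```python
import json

# Constructed sample: the appRoles section of an app registration manifest,
# using the role name from this page.
SAMPLE_MANIFEST = json.loads("""
{
  "appRoles": [
    {
      "allowedMemberTypes": ["User"],
      "description": "LHO administrators",
      "displayName": "bplm-admin",
      "isEnabled": true,
      "value": "bplm-admin"
    }
  ]
}
""")


def audit_admin_role(env, manifest):
    """Return a list of findings; an empty list means the admin role gate is in place."""
    findings = []
    role = env.get("ADMIN_APP_ROLE") or ""
    app_roles = manifest.get("appRoles", [])

    if not role.strip():
        findings.append("ADMIN_APP_ROLE is not defined: all regular users act as admin")
    if not app_roles:
        findings.append("no app roles defined: any signed-in user is considered LHO Admin")
    if role.strip() and app_roles:
        values = [r.get("value") for r in app_roles]
        if role not in values:
            # Assumption: the match is exact, so case or whitespace differences count.
            findings.append(f"ADMIN_APP_ROLE={role!r} matches no app role Value {values}")
        for r in app_roles:
            # "Users/Groups" in the portal is stored as the member type "User".
            if r.get("value") == role and "User" not in r.get("allowedMemberTypes", []):
                findings.append(f"app role {role!r} does not allow Users/Groups members")
    return findings


if __name__ == "__main__":
    import os
    for line in audit_admin_role(os.environ, SAMPLE_MANIFEST) or ["OK"]:
        print(line)
```
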

