User Settings, Access, Permissions & Security
Knowi provides a variety of powerful options on user rights, access management and external authentication methods for both internal usage and embedded usage modes.
Please contact your account manager for any questions on mapping out the permissions model to your own enterprise level permissions model.
Navigate to the User Settings in Knowi to view, manage, or update preferences for Account Settings, Plan Details, Usage, Team, Roles, and External Authentication from one central place.
Navigating to the User Settings
Click on the user profile icon in the bottom-left corner of the interface and select User Settings. You will be taken to the User Settings menu.
Managing Account Settings
Manage your account settings to view and manage the following:
1. EMAIL/LOGIN: This is the email address linked to this account. When logging in to Knowi, this email address works as the username. Please note that this field is not editable.
2. NAME: Edit the name of the customer.
3. PASSWORD: This is the password associated with this account. Click the Change Password button to set a new password.
4. TIME ZONE: Select the time zone that will be used when this customer runs a query.
5. LOCALE: This translates the user-interface language and model to the selected locale for the customer. Currently supported locales include en (English), de (German), and fr (French).
6. API KEY: View the API key.
7. ALWAYS SHARE TO GROUP: This automatically shares all assets, including any datasources, queries, widgets, and dashboards, to the selected groups. Click edit to add, remove, or change the group.
8. DEFAULT DASHBOARD: Click edit to select the default dashboard that will appear upon login.
9. MANAGEMENT API: Enable Management API to generate the client ID and client secret. This allows external services and apps to manage users and groups, datasources, queries, dashboards, and widgets programmatically.
10. TWO FACTOR AUTHENTICATION: Enable Two Factor Authentication (2FA). This adds an extra security layer: the customer will be prompted to enter the verification code received via text message while logging in to the Knowi account.
Note: While the admin will have the access to view and manage all the aforesaid settings, the user will have access to view and manage only 1, 2, 3, 4, 5, 6, and 10 above. The viewer will have access to only view the set configurations for 1, 2, 3, 4, 5, and 10 above.
To learn more about different user roles in Knowi i.e. - Viewer, User, and Admin, please refer to the documentation on User Roles.
On scrolling down further, the admin will be able to view and manage the following customer settings.
GLOBAL HEADER: Define HTML snippet to globally apply a custom Header across all dashboards. Headers can also be set at a specific dashboard via the Dashboards settings.
GLOBAL FOOTER: Define HTML snippet to globally apply a custom footer across all dashboards. Footers can also be set at a specific dashboard via the Dashboards settings.
PASSWORD EXPIRY: Set the password expiry in days. Set 0 for the password to never expire.
DEFAULT TIME ZONE: Change the default time zone. If no default time zone is set, Knowi will default it to America/Los_Angeles.
NATURAL LANGUAGE PROCESSING SETTINGS: This allows you to configure NLP settings such as enabling/disabling NLP Across Datasets, Index By Default, NLP Bot Integration, and other settings. For more information, please refer to the documentation: Natural Language Processing.
SSO TOKEN: This allows you to generate the SSO token. For more information, please refer to the documentation: Single Sign-On API.
TUNNEL INFORMATION: Enables the Tunnel key to be used with your datasources. Tunnel information can be used to connect to datasources that are inside your internal network. See Datasource Tunneling for more details.
SESSION TIMEOUT: Set the session timeout in minutes. If left blank, the default session timeout of 30 minutes is used.
Managing Current Plan
Navigate to the Plan Details tab to view the current plan and the features available within the same. Click on the Upgrade Plan button to send the Plan Upgrade request.
Account Usage Details
Navigate to the Usage tab to view the total number of widgets and rows running under the current account.
Managing Users & Groups
Custom Roles & Permissions
If the built-in roles don't meet the specific needs of your organization, you can add your own custom roles by navigating to the ROLES tab. Just like built-in roles, you can assign custom roles to users. See Custom Roles & Permissions for more information.
External Authentication Options
By default, Knowi authenticates users with an email address and password. However, you can also configure external authentication via SAML (including Okta) and LDAP. For an extra security layer, two-factor authentication can also be used.
To learn more about LDAP configuration, please refer to the documentation: External Authentication from LDAP.
To learn more about SAML configuration, please refer to the documentation: External Authentication from SAML.
We offer three types of roles by default: viewer, user and admin.
If you have specific access management requirements, you can create your own custom role at any time.
Viewers: Viewers are limited to consuming dashboards. While they can download data associated to widgets and run their own analysis on data they have access to, they cannot save or create their own dashboards. This role also cannot create any data assets, including datasources, queries, agents etc. In addition, they cannot invite or manage other users or groups.
Notice the menu structure on the left is limited.
Users: User roles can
Invite other users
Create and share dashboards, widgets, queries, datasources, agents
Create Email Reports
Create and manage Trigger Notifications
Create their own groups
Set Filters (dashboard or user level)
The example below illustrates the User Settings options available to a User.
Admin Users: Admins have all the rights of a user, plus the ability to edit/modify other users and their associated rights.
Team management for an Admin viewer:
Custom Roles & Permissions
If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users. Custom roles can be shared across all users within the customer. Custom roles can be created using the Roles tab in the user settings dialog.
Custom Role Example
The following shows what a custom role looks like in the UI. This custom role can be used to restrict delete operations on queries/widgets/datasources, among many other things.
When you create a custom role, it appears in the roles list with the system flag set to false.
Steps to create a custom role
When you create a custom role, you need to know which operations are available to define your permissions. To view the list of operations, use the list that appears as soon as you press the Add Role button. Each permission has a clarification message that explains what it does. If you still have questions, contact your product partner and we'll change the message to be more explicit on the matter. To specify the permissions that you need, simply check them in the list.
The Select All buttons let you enable and disable all roles in the list.
Create the custom role
You can use the Add Role dialog to create the custom role. Typically, you start with an existing built-in role, copy it, and then modify it for your needs. Then you simply save it and preview the created role in the list.
Test the custom role
Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.
For a step-by-step tutorial on how to create a custom role, see
User groups are logical groupings of users that data related assets (dashboards, queries, datasources, agents) can be shared to. A user can belong to one or more groups.
Groups can be created and modified from the Team Management menu. Example:
Users can be added to an existing team to share assets and collaborate seamlessly across users. To add users, go to the Teams page within User Settings:
On the team's page, you can specify the user properties such as email address, roles and permissions, and any user-level specific attributes.
Specify the email address, Role and associated Groups to the new user.
Add any optional user filters. User filters enable row level security to filter out data. Read more about User Level Filters.
If Two factor authentication is required, you can set it during the invite (or you can enable it later).
Invite the user. Once the user has accepted the invite, they'll see all their data assets (dashboards, datasources, queries, agents) shared to them or their group.
Each user can customize their timezone and change passwords. Admin users can also edit user roles, groups, timezones and user filters for any other user.
Knowi provides admins with additional control over password requirements for users on their instance.
To manage password requirements, select User Settings from the Settings panel. Changing the Password Expiry field to a number of days other than zero (0) prompts the user to reset their password.
Create a strong password for your Knowi account
Whether you're creating a password for the first time or resetting your password, Knowi will evaluate the strength of your password to make sure that it is secure and not easily guessed.
Passwords must be at least 8 characters long, and we don't restrict the use of numbers or special characters. As you create a new password, the system will provide feedback on password strength.
If you're having trouble coming up with a password that meets our requirements, use a long, random, and unique string of characters. You can use a passphrase, but it shouldn't be a common phrase from a book, movie, TV show, etc. as those are commonly used.
To choose and store a secure password, use a secure password manager like LastPass or 1Password to generate and auto-fill unique passwords for each site you visit, including Knowi.
Help, I've been locked out of my account!
If you fail five password attempts, your account will be locked. To unlock your account, reset your password or reach out to Knowi to assist you with resetting your password.
Login as (For Admin Users)
This option allows Admin users to log in to the application on behalf of any foreign user account that they have access to on the administration page. A number of restrictions come with this feature:
1. user must be authenticated
2. user must possess a role of ADMIN
3. user can use the feature only when providing an active customer account
4. user can NOT use the feature on behalf of a foreign account (in a chain)
The 'Login as this user' icon is visible on the right-hand action bar of the user list.
As soon as authentication has passed, an informational banner is attached to the top of the page, including basic information about the selected user account.
At any point in time you can release the user account and get back to the original one by clicking on the 'Release user' button. You will then be redirected back to the user administration page.
Two Factor Authentication
For added security, admin users can enable Two factor Authentication, which will send an SMS code to the phone number on record for that user that they must enter before login.
All data assets (dashboards, queries, datasources, agents) are private to the user by default, unless shared to other users or groups. Furthermore, each asset can be configured for granular read or edit access at a group or an individual user level.
Dashboards can be shared to a specific user or a group. In addition, you can specify whether the user has View or Edit access. View access restricts the user to a view mode where they can consume the dashboard, analyze the data, apply temporary filters (for their session), and download the data behind the visualizations, but cannot make any changes to the dashboard.
A datasource, for example, a database connection can be shared to another user or group, with edit or consumption rights. With Edit, the user (or the group) will have access to modify the datasource (not common). With consumption only rights, the user can create new queries from the datasource, but will not be able to see or edit, or clone the datasource details.
You can add a query against source.
Setting permissions:
Consume vs Edit: The first datasource in the following screenshot is consume only (note the actions that can be performed on the right) vs. full edit privileges on the other datasource.
Queries can be shared with Edit or View only rights to groups and/or users. Edit rights enable collaboration on the same query by multiple users and include edit, clone and delete rights for that query. A query shared with view only rights can be executed and cloned to create a user's own version of the query.
Consume vs. Edit rights: The first query in the screenshot below is consume only, the second has edit rights.
User Group Publish/Consume Permissions
A user can belong to one or more groups, and is marked with either consumption or publish rights for each specific group. In consumption mode, the user has read access to the assets shared, but cannot publish into the same group. This allows publishing of assets from one user into a group, but does not allow the consumer to publish them back into the parent group.
Example: Let's say an "engineering" group writes and publishes baseline queries to an analyst and wants to maintain the original queries and does not want that user to publish queries back to the engineering group. This can be done by setting the rights during the user invite. The analyst can publish it to their own groups, but cannot post back to the parent group.
Assigning user-group consume/edit rights:
There may be cases when any asset that the user creates needs to be automatically shared to other groups, instead of sharing a specific asset explicitly (query etc.). In such cases, you can apply an 'Automatic Share to Group' setting that will automatically publish any assets created by the user to those groups, where they can be used by other users. This is available during user creation as well as within the edit menu.
User Level Filters & Security
User filters can be set that limit the data returned to the user across all their dashboards. There are two modes:
Query Parameters: Helps you define query parameters that can be passed all the way into direct queries against your datasource. These parameters can be set at the user level and are replaced during query execution.
Filter on Query Results: This post-processes the data returned by any query to filter by the parameters set.
For an in-depth look at content filters, see section on Filters & Query Parameters.
External Authentication using LDAP
You can set up a connection with an LDAP server to allow your users to log in to Knowi using LDAP credentials. Please contact us to enable this feature. The LDAP server is used read-only: to log users in and to read information about the logged-in user objects, which is mapped directly to the Knowi fields in their user account.
Knowi supports transport/encryption via LDAP in the clear and LDAP over TLS. LDAP over TLS is strongly recommended. The LDAP tab can be found within User settings.
It is possible to create multiple different LDAP configurations. Click "Add" to add a new configuration. If you wish to edit an existing configuration, please select it from the drop-down list. After selecting the configuration, you can then edit or view the existing configuration or delete it by pressing the "Delete" button.
LDAP Configuration details
Type a configuration name (any), your LDAP server host and port, and select the TLS checkbox if your LDAP server supports TLS encryption.
This section is used to enter a "master" LDAP account which has access to read the LDAP user objects that you or your users want to log in with. After entering the credentials, you can click the small "Test" button to check whether the credentials and connection details are valid. This will open a connection to the LDAP server, "bind" with the entered master DN, and then unbind and disconnect from the server.
Fill in the fields used to search for the user through LDAP:
Base search DN: this is the top root path to start the search of the user.
Login attributes: a comma-separated list of attribute names of user objects which will be used as the login field to log in to Knowi. E.g. this could be "uid", "cn", etc. The system will choose the first match via any of the provided attributes (an OR filter will be used to search for users with these attributes).
Email attribute: this field will be used to read email attribute and assign to email field of Knowi User.
User Name Attributes: this field is a list of attributes used to set the Knowi User Name; commonly this is First Name and User Name.
ID attribute: important field as this should uniquely identify your user in LDAP server.
Filter (optional): this is an optional filter field used to filter the search through user objects for login. E.g. you can filter by groups, organisations, etc. Please refer to your LDAP server documentation for the filter syntax.
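The sketch below is an added example, not Knowi's own code. It shows what a search filter built from the Login attributes and the optional Filter field can look like, so you can reproduce the same search with your own LDAP tooling when a test login fails. The function names, the AND-combination with the optional filter, and the RFC 4515 escaping of the typed login value are assumptions about a typical implementation.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-typed login value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_login_attributes(raw):
    """Split the comma-separated 'Login attributes' field and validate names."""
    attrs = [a.strip() for a in raw.split(",") if a.strip()]
    if not attrs:
        raise ValueError("at least one login attribute is required")
    for name in attrs:
        # Attribute descriptors are letters, digits and hyphens (RFC 4512).
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name):
            raise ValueError(f"invalid attribute name: {name!r}")
    return attrs


def build_login_filter(login_attributes, login_value, extra_filter=""):
    """Return the filter: OR over login attributes, ANDed with the extra filter.

    Assumption: the optional filter narrows the search, i.e. it is combined
    with AND. The page only states that an OR filter is used over the
    login attributes.
    """
    value = escape_filter_value(login_value)
    terms = "".join(f"({a}={value})" for a in parse_login_attributes(login_attributes))
    or_part = terms if terms.count("(") == 1 else f"(|{terms})"
    extra = extra_filter.strip()
    if not extra:
        return or_part
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = f"({extra})"
    return f"(&{or_part}{extra})"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    print(build_login_filter("uid, cn", "jdoe"))
    print(build_login_filter(
        "uid, cn", "jdoe",
        "(memberOf=cn=analysts,ou=groups,dc=example,dc=com)"))
    # Filter metacharacters in the typed ID are matched literally.
    print(build_login_filter("uid", "a*(b)"))
```

Because the search is an OR across attributes, pick login attributes whose values are unique across the directory; otherwise the first match may not be the intended user.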
Roles and Groups management
Please choose which Knowi role will be mapped to the LDAP user when logging into Knowi. Optionally, you may select Default Groups which will then be sent to the user. If you change any of these settings, it will be applied to LDAP users upon their next login into Knowi.
After saving the newly created LDAP configuration, you will get an LDAP login URL. This is the URL that your LDAP users should then use to log in to Knowi.
LDAP login test
At the bottom of the LDAP configuration, you will find a "Test login" button. Selecting this will present a login dialog box. Enter the login attribute values to login with an LDAP account and press Test. This will mimic all login sequences by searching for the user via the set attributes and binding it if possible. If the password is not entered (it is optional), the user will be just found using a master LDAP account and not bound with a password.
This section is useful if you wish to test whether all LDAP configuration fields are valid. After pressing the Test button you will see log output showing the exact steps made by the system to connect to LDAP.
Login with LDAP
First, you will need to provide the LDAP login link to your users. This link is obtained above. It is associated with your customer account and your exact LDAP configuration. When users open this link, they will be presented with a special login window. In the "ID" field, the user should enter a login attribute value (corresponding to a login attribute in your LDAP server). In the password field, the user should type their LDAP password. After login, the user will be granted access to Knowi.
If this is a first-time user with such an ID (the ID is set up in the LDAP configuration page) then this user will be automatically created as a new user in Knowi. If this is an existing user login, then they will be directed to their Knowi user account. In this case, all changed fields, roles, and groups will be updated from the LDAP server into the Knowi user account. E.g. if user name in the LDAP server was changed, this will be updated in Knowi upon login.
External Authentication using SAML
SAML-based single sign-on (SSO) gives members of your organization access to Knowi through an identity provider (IdP) of your choice.
To use SAML, you must have a cloud identity provider (IDP) or federation service in place that supports authentication via SAML 2.0. For more information about SAML 2.0, see http://en.m.wikipedia.org/wiki/SAML_2.0
You must have an "Admin" default security role or a custom role with "user:settings:saml" enabled to set up SAML. For more information about default roles and custom roles, see User Roles.
SAML authentication needs to first be enabled by Knowi. To update your license for this feature, contact your account manager.
Once your license is updated, navigate to the SAML tab in the Settings section of Knowi, then click the Add button to see the following configuration options. Note that any changes to configuration options do not take effect until you click the Save button at the bottom of the page.
SAML Auth Settings
Knowi requires the IdP URL, IdP Issuer, and IdP Certificate to authenticate your IdP.
Note: Dynamic configuration with IdP Metadata is not supported at this time.
IdP URL: The URL where Knowi will go to authenticate users.
IdP Issuer: The unique identifier of the IdP.
IdP Certificate: The public key to let Knowi verify the signature of IdP responses.
Default Groups and Roles
You can set a default role and groups for new SAML users. In the User Roles and Groups section, enter the names of any Knowi roles or groups to which you want to assign new Knowi users when they first log in to Knowi.
These groups and roles are applied to new users at their initial login. The groups and roles are not applied to pre-existing users, and they are not reapplied if they are removed from users after the users' initial login.
User Attributes Setting
In the following fields, specify the attribute name in your IdP's SAML configuration that contains the corresponding information for each field. The SAML attribute names tell Knowi how to map those fields and extract their information at login time. Knowi isn't particular about how this information is constructed; it's just important that the way you input it into Knowi matches the way that the attributes are defined in your IdP.
| NAME | VALUE |
| --- | --- |
| userId | user.id |
| userEmail | user.email |
| userLogin | user.login |
Signing out of Knowi when using Single Sign-On
To completely sign out, you must sign out of Knowi and close the browser.
- Click the Logout button on the bottom-left menu of the navigation bar
- Close the Web browser
Using Knowi with Single Sign-On
When using Knowi with Single Sign-On, you cannot:
- be sent a forgotten password email
- change your password in your profile
Q: Can I use an alternate login with SAML?
Knowi email/password logins are available for Admin users. This option is useful as a fallback during SAML Auth setup should SAML config problems occur later, or if you need to support some users who do not have accounts in your SAML directory.
Q: Can I merge an existing Knowi user to SAML or vice versa?
You can merge or transfer a user between authentication types (Knowi email/password, LDAP, SAML, SSO). This can be done using the Management API or from the UI.
How to self-configure SAML SSO with Okta
Knowi uses single sign-on (SSO) for Enterprise users to simplify the sign-in process and allow access to Knowi using several authentication sources, including Okta. Your Workspace must be subscribed to the Enterprise plan if you wish to set up SSO.
If you're the Admin of your company's Enterprise account, you can configure SSO using the following steps:
- Go to your SAML tab by clicking on Settings in the left navigation bar then User settings. Click on SAML then Add. Keep this tab open, as you'll be returning to your Knowi Workspace later.
- Open up your Okta admin portal and set up a new application using the Applications tab. Select SAML 2.0 as your sign-on method. Configure your new integration by naming it Knowi and adding a logo if you want.
You'll now see Knowi's SAML Settings. Start with the General section below. You'll need to grab some information from Knowi and input it into Okta:
- Paste the SSO URL from Knowi into the Single sign on URL field on Okta.
- Paste the Audience URI from Knowi into the Audience URI (SP Entity ID) field on Okta.
- For Name ID format, choose Unspecified.
- For Application username, choose Okta username.
Scroll down to Attribute Statements in Okta. You'll need to map your fields:
- For userId, map to the value within your organization's Okta setup.
- For userEmail, map to the value within your organization in Okta. Note: It's important to follow the same capitalization format in your organization when you add this name.
- For userLogin, map to your organization's Okta value as well. Capitalization matters here, too.
Knowi doesn't yet support group attribute statements, so you can leave that portion blank.
Hit next and fill out the final Okta form according to your own preferences. This won't impact anything in your Knowi Workspace.
Your application is ready! You'll now need to take some information from Okta and bring it back to your Knowi portal. Start by clicking View Setup Instructions in your Sign-on Methods settings.
- Paste your IdP SSO URL under **Identity Provider Single Sign-ON URL** in your Knowi SAML settings where it says **IdP URL**.
- Paste your IdP Issuer under **Identity Provider Issuer** in your Knowi SAML settings where it says **IdP Issuer**.
- Copy and paste your **X.509 Certificate** from your setup instructions in Okta to your Knowi SAML settings.
- You can now test the configuration and save the Knowi SAML settings.