KNIME Server System vs. Content/Site Admins

Hello there,

Is there a way of separating the roles of a system and site admins?

In our organisation IT are the KNIME Server Admins while our Analytics Team sits with business and is responsible for the analytical reports, models and apps. The IT is unwilling to make anyone of us Users Admins on the KNIME Server, as we could then go and cause havoc and create more unexpected work to the IT, which all fair enough. To be honest there is a level of settings in the KNIME Server I am rather not touching and responsible for.

The problem is that most often any issues relate to the Executor rather than the underlying server, and currently we have only a limited access to see what is going on, let alone rectifying the issue. For example, at the moment we only see Jobs and Schedules on the WebPortal’s Monitoring tab, but already having access to the Access tokens, Executors and Logs items could help us to at least identify problems before make calling the IT to rescue. Is it possible to expand our rights this way without making us Admins?

Hi @pzkor,

I am afraid it is not possible to expand the rights of non-admin users rights in the way you want. Nevertheless, let me try to explain the current situation and some features that could help.

  • As a KNIME Server user (not consumer) you can have access to your own access tokens. But first, KNIME Server Admins need to add your user to workflow_authentication_users list.
  • Providing access to the list of Executors for normal users sounds unnecessary in my view. The KNIME Admins should make sure all executors are available and users can use them. I don’t think this is going to be that helpful to the average user.
  • Executor Logs shouldn’t be available to non-admin users as this is going to be a problem. The reason is these logs contain information from execution of workflows from other users. But, you can get the error messages of a workflow execution directly from the webportal (expanding the down arrow) or from the job on KNIME AP (right click on the job and clicking on get workflow messages). If that is not enough, executors can be configured to save the logs specific to a workflow within the job.

Please contact support@knime.com if you want to know more about these points an we are happy to help you.

Hope this clarifies the issue,
Temesgen

2 Likes

Hello @temesgen-dadi , thanks for your reply.

I am not sure if you fully understand our situation, because your reply very much takes the traditional, slightly aloof IT perspective. We are not “average users”.

My point is that there must be two types of admins. One “system” admin sitting in the IT who is the one who installs the Server software and maintains it on and ongoing basis, ensures network security and whatever else. And another “content” admin who is fully responsible for all of the published content including specifying user access to different content. This is more likely to be an data science/analytics team sitting in the business, and is exactly the case for my team.

The challenge to us is that the KNIME Server is OURS in almost all possible ways, the IT does not own it. The IT is unwilling to make us admins on the server, because it would enable to go beyond our role of product development, managing workflows, access and jobs. Which is fair enough, because it would open up the possibility that we could fundamentally mess up the server and cause the IT serious unexpected work. But at the same time, the current situation is not acceptable as we have to go to the IT every time we want to get a more detailed understanding what’s happening to the jobs anyone is running than your “average user” is allowed to, and struggle to get the full feedback to inform our product development.

So, again. It is not about expanding the rights of normal users but creating another type of admin for the business side, data science content administrators. We must know who is running and what and where resources are used. It is our server. It is our money. We chose the product. If we don’t feel ownership of a product we purchased, we will buy something else that gives us the power.

Hello @pzkor,

I might have misunderstood your question. I believe what you are looking for has been possible with the KNIME Server product.

We have a user type called KNIME Server Administrators which shouldn’t necessarily have an elevated/root access to the machine on which the product is installed on.

Server administrators are not restricted by any access permissions. These administrators always have the right to perform any action usually controlled by user access rights. They can always change the owner of an item, change the permissions of an item, they see all workflow jobs (while as a regular user you can only see your own jobs) and they can delete all jobs and items, download server logs. They can do all these without having to login to the machine running the application using the Webportal Monitoring and Administration pages.

If you would like more information on this please reach out to your account manager and they will be happy to explain details.

Hope this helps,
Temesgen