Communities
Fine-tune authorization to assets.
Data Catalog Communities
Communities in Pentaho Data Catalog are custom organizational containers that provide fine-grained access control beyond standard roles. A community is a custom role that is used to fine-tune access to specific actions or Data Catalog assets. For example, you can use a community to restrict access for a group of users to a subset of glossaries and data sources. They enable business-aligned data governance by organizing users around specific business domains or organizational units.
Communities allow you to create logical boundaries that mirror your business structure. You can create named communities, such as US Business Users or Commercial Lending Business Users to fine-tune the actions users can perform, as well as to allow access to a subset of glossaries and data sources. In your Adventure Works context, you might create communities like "Adventure Works Sales Community" or "Adventure Works HR Community," where each has access to specific data sources and business glossaries relevant to their domain.
Communities work alongside your Keycloak roles to provide layered security. Your Keycloak roles handle authentication and basic permissions, while PDC Communities provide business-context-specific access control within the data catalog itself. At least one role or community must be assigned to a user when the user is created. Multiple roles or communities can be assigned to a user, if the permissions granted are mutually exclusive. This creates a comprehensive security model where users get both functional access (via Keycloak roles) and domain-specific data access (via Communities).
Data Catalog Default Roles
Data Catalog provides default user roles with role-based permissions that enable administrators to control access as necessary across Data Catalog. These permissions are distributed across two tiers of licensed users: Business Users and Expert Users.
Administrators can also fine-tune access by creating communities of users to which they assign permissions, such as access to specific data source types or business glossaries.
A Community is a custom role used to fine-tune access to specific actions or Data Catalog assets. For example, you can use a Community to restrict access for a group of users to a subset of glossaries and data sources.
At least one role or Community must be assigned to a user when the user is created. Multiple roles or Communities can be assigned to a user, if the permissions granted are mutually exclusive and are not derived from the same default role.
Your software license determines user-based entitlement.
Business Users
The first tier of licensed users is Business Users, including two roles with differing permissions.
The following table shows the default access permitted for a user with the Business User or Data User role. For example, a user with the Business User role can view business glossaries but cannot view data sources. The Data User role has all the access of a Business User, plus access to data associated with the user's specific line of business.
The data can be masked when deemed sensitive or confidential.
Business User
Can view business glossaries and policies.
Cannot view data sources.
Data User
Can view applications, business glossaries, business intelligence, data sources (view, add content, delete content, view dashboard), and policies.
As soon as they log in, all the AW users are added to PDC. These users receive a JWT token that carries their AW role (aw-sales-analyst) plus the default PDC role (default-roles-pdc).
The default-roles-pdc role functions similarly to a guest role, but it is actually a composite role that provides basic authenticated-user access. Looking at your realm configuration, default-roles-pdc includes offline_access, uma_authorization, and basic client roles like view-users, manage-account, and view-profile. This gives authenticated users minimal baseline permissions: more than a true guest, but far from privileged access.
If we take a look at the JWT Token for David Park:

Adventure Works Communities
PDC uses Keycloak for authentication. Once you are authenticated, PDC authorizes access to PDC assets and actions based on your role. The only way to grant this authorization is through Communities mapped to the PDC default roles.
| Community | Data sources | PDC role | Purpose | User |
|---|---|---|---|---|
| AdventureWorks_Data_Governance_Council | | Data Steward | Cross-domain data stewardship and governance oversight | elena.rodriguez |
| AdventureWorks_System_Administrators | | All the Roles | Full PDC administrative capabilities for system management | james.lock |
| AdventureWorks_Sales_Analytics | Sales + Person | Data User | Sales team data analysis and customer insights | sarah.johnson |
| AdventureWorks_Compliance_Officers | | Business Steward | Regulatory compliance monitoring and audit management | david.park |
Log into PDC:
Username: [email protected]
Password: Welcome123!
Go to: Management → Users & Communities
Click: Add New → Add Community

Based on the table above, enter the following details:

Click: Add Users.

Add: sarah.johnson

Click: Done.
Repeat to create the rest of the Communities.

The Community names in PDC must exactly match what you expect in your JWT tokens. If you plan to use the group path for Community assignment, PDC needs to understand the mapping.
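To make the two points above concrete (what the JWT carries for an AW user, and that Community names must match the token exactly), here is an added example in Python. It is not Pentaho Data Catalog or Keycloak project code. It signs a Keycloak-style token, verifies the signature and expiry before trusting any claim, reads the realm roles, and checks the last segment of each group path against the Community names from this page. The HS256 secret, the claim values, and the `groups` claim (which assumes a group-membership mapper is configured on the client) are constructed for the example; a real Keycloak realm signs with RS256 and is verified against the realm's public key instead.

```python
"""Added example, not PDC or Keycloak project code: sign, verify and inspect
a Keycloak-style JWT, then check its roles and group path against the PDC
Community names defined on this page. Secret and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 secret (assumption for the example only).
SECRET = b"example-realm-secret-not-real"

# Community names exactly as created in PDC (from the page's table).
PDC_COMMUNITIES = {
    "AdventureWorks_Data_Governance_Council",
    "AdventureWorks_System_Administrators",
    "AdventureWorks_Sales_Analytics",
    "AdventureWorks_Compliance_Officers",
}

# Constructed claims for sarah.johnson: the AW role plus the composite
# default-roles-pdc role, which Keycloak expands into realm_access.roles.
# The second group path differs only in case, to show matching is exact.
SAMPLE_CLAIMS = {
    "preferred_username": "sarah.johnson",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
    "realm_access": {
        "roles": ["aw-sales-analyst", "default-roles-pdc",
                  "offline_access", "uma_authorization"],
    },
    "groups": ["/AdventureWorks/AdventureWorks_Sales_Analytics",
               "/AdventureWorks/adventureworks_sales_analytics"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWS (header.payload.signature) with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims only after alg, signature and expiry check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject "none" or any unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def is_valid(token: str, secret: bytes = SECRET, now=None) -> bool:
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False

def realm_roles(claims: dict) -> list:
    return list(claims.get("realm_access", {}).get("roles", []))

def community_matches(claims: dict) -> dict:
    """Map the last segment of each group path to a PDC Community name.
    Returns {segment: bool}; False means PDC would not recognise it."""
    result = {}
    for path in claims.get("groups", []):
        name = path.rstrip("/").rsplit("/", 1)[-1]
        result[name] = name in PDC_COMMUNITIES
    return result

def inspect_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verified summary of what PDC would see for this user."""
    claims = verify_token(token, secret, now)
    roles = realm_roles(claims)
    return {
        "user": claims.get("preferred_username"),
        "aw_roles": [r for r in roles if r.startswith("aw-")],
        "has_default_pdc_role": "default-roles-pdc" in roles,
        "communities": community_matches(claims),
    }

if __name__ == "__main__":
    token = sign_token(SAMPLE_CLAIMS)
    print(json.dumps(inspect_token(token, now=1_700_000_100), indent=2))
```

The summary for the sample token shows the AW role and the default PDC role both present, the correctly spelled group recognised, and the lower-case variant rejected; a token signed with a different key, an expired token, or a token whose header names another algorithm is refused before any role is read.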
Users with multiple PDC Roles
Click on the Pen to edit the User

Click: Add Roles

Select the required Roles, then click Done and Save.

Log into PDC:
Username: [email protected]
Password: Welcome123!