Version: v3.2

Tags Management

Tag-Based Access Control in Amorphic is a feature that helps users efficiently share and manage Amorphic resources at scale. This control system coexists with the existing Role-Based Access Control (RBAC).

Amorphic Tag-Based Access Control provides the following capabilities:

  • By sharing Tags with users, administrators can grant users access to specific Amorphic resources to which the tag is attached. This provides a dynamic and scalable access control mechanism.
info

Migration from Groups to Tags (v2.7)

Starting with the v2.7 release, the Groups feature is deprecated and will be automatically migrated to the new Tags-based access control system. This section outlines how existing group configurations will be mapped to their tag equivalents.

Migration Details

Tag Structure

  • Each existing group will be converted to a tag using the following format:
    • TagKey: "group"
    • TagValue: The original group name
    • Example: A group named "developers" becomes a tag group:developers

Access Rights Migration

  1. Admin Access
    • Previous group administrators will receive owner-level access to the corresponding tag
  2. Member Access
    • Former group members will be granted read-only access to the tag

Resource Access

  • All resources previously associated with the group will be automatically linked to the new tag
  • Access levels to these resources will be preserved based on the original Group Type:
    • Full Access permissions will maintain full access capabilities
    • Read Only permissions will maintain read-only capabilities

Example Migration

  • Original: "Group - developers"
  • New: "Tag - group:developers"
    • Group Admins → Owner Access to the tag
    • Group Members → Read Only Access to the tag
    • Resources maintain their original access levels as defined by the Group Type

Migration

What is a Tag?

In Amorphic, each tag consists of a Tag Key and Tag Value pair, representing a unique resource. Other Amorphic resources can be shared with these tags, similar to how resources are shared with users with an access type. Anyone granted access to a tag can use the associated resource according to the defined access type. An access type (owner, editor or read-only) must be specified when sharing any resource (including Tags) with users or Tags.

Example

Suppose a user has the following Tag Key and Tag Value combination:

Tag Key: department
Tag Value: sales

These combinations can be shared with users in the system, while other Amorphic resources can be shared with these Tags. This allows all users with whom the tags have been shared to access the Amorphic resources associated with those tags. Sharing a dataset with the tag department: sales and the access type owner associates the dataset with the sales department. When this tag is shared with users, it grants them owner access to that dataset.

info

Tags can only be shared with users and cannot be shared with other Tags.
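
The resolution described above, as an added example that is not Amorphic's own code: the access type on the resource-to-tag share decides what a user can do with the resource, so a user holding only read-only access to `department:sales` still ends up with owner access to a dataset shared to that tag as owner. The resource names, users and the "highest access type wins" rule for multiple tags are assumptions made for the illustration.

```python
"""Added example: resolve a user's access to resources through shared tags."""

RANK = {"read-only": 1, "editor": 2, "owner": 3}

# Constructed sample data.
# resource -> {tag: access type the resource was shared to the tag with}
RESOURCE_TAGS = {
    "dataset/sales_orders": {"department:sales": "owner"},
    "dataset/price_list": {"department:sales": "read-only",
                           "group:developers": "editor"},
}
# user -> {tag: access type the tag was shared to the user with}
USER_TAGS = {
    "alice": {"department:sales": "read-only"},
    "bob": {"department:sales": "owner", "group:developers": "read-only"},
}


def effective_access(user, user_tags=USER_TAGS, resource_tags=RESOURCE_TAGS):
    """Map each reachable resource to the access type the user ends up with.

    The access type on the resource-to-tag share decides what the user can do
    with the resource; the user's access type on the tag itself governs
    operations on the tag, such as updating its description or deleting it.
    """
    held = user_tags.get(user, {})
    result = {}
    for resource, tags in resource_tags.items():
        for tag, access in tags.items():
            if tag not in held:
                continue
            # Assumption: with several matching tags the highest type wins.
            best = result.get(resource)
            if best is None or RANK[access] > RANK[best]:
                result[resource] = access
    return result


if __name__ == "__main__":
    for name in USER_TAGS:
        print(name, effective_access(name))
```

When reviewing who can reach a dataset, enumerate everyone the tag is shared with, including users who hold only read-only access to the tag.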

Amorphic Access Tags contain the following information:

Tag Metadata Information

| Type | Description |
| --- | --- |
| Tag Key | The key identifying the tag. Can be a maximum of 24 characters. Allowed characters are lowercase letters, numbers and _ |
| Tag Value | Unique value for the tag key. Tag value can be a maximum of 24 characters and allowed characters are lowercase letters, numbers and _ |
| Tag Description | A brief explanation of the tag's purpose. |
| Resources | The list of resources attached to the tag. |

Tag Operations

A user can perform basic CRUD operations (shown in the table below) on a tag if they have sufficient permissions.

Tag Details

| Functionality | Description |
| --- | --- |
| Create Tag | Create a Tag by specifying Key & Value |
| View Tag | View existing Tag Metadata Information |
| Update Tag | Updates can only be made to the description of a tag, and this is permitted only for users who have editor or owner access to that tag |
| Delete Tag | Delete an existing Tag; this action is only permitted for users who have owner access to that tag |
| Share Tag | Share the Tag with users in the system |

info

If any resources are attached to the tag, it cannot be deleted. Please remove all resources from the tag before attempting to delete it.

How to create a Tag?

To create a new tag in Amorphic, follow these steps:

  1. Go to the Tags Management tab under Manage -> Administration.
  2. Click on the Create Access Tag button.
  3. Fill in the required information, such as Tag Key & Tag Value.
  4. Click on Create to create the new Tag.

Create tags

How to attach users to a Tag?

This process is the same as sharing other resources with users:

  1. Click the Share button for the Tag.
  2. Select the User and Access Type from the drop-down list.
  3. Click on Share.
info

When sharing the resources with a tag:

  1. All users in the Tags must have domain access for all datasets attached to the tag.
  2. If a resource has only 1 tag with owner access attached to it, it cannot be removed.

SAML Mapping

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) such as Okta, and a service provider (SP) such as Amorphic. In Amorphic, users and API calls are authenticated using Cognito. The authentication token received has the groups embedded in it. These groups have tags assigned to them in the Amorphic application. A user is granted read-only access to a tag based on the groups assigned to them in the identity provider (IdP), such as Okta.

Amorphic provides SAML Groups with access to application resources through its tags. SAML Groups are the groups in an IdP, each of which contains a list of users. To give the users in a group access to specific tags in the Amorphic application, map the SAML group to the desired tags. The SAML group tag mapping gives all the users within the group read-only access to the mapped tags upon sign-in through SAML authentication.

What is a SAML Mapping?

A SAML mapping is a way of associating a SAML Group with a tag in the Amorphic application. An administrator in the Amorphic application has permission to perform this operation.

SAML Mapping Metadata Information

| Type | Description |
| --- | --- |
| SamlGroupId | SAML Group name which the administrator has to enter manually. |
| Tag | The tag that users in the group will be granted access to. Administrator selects the tag from the drop down. |
| CreationTime | Timestamp when the mapping was created. |
| CreatedBy | Administrator who created the mapping. |

SAML Mapping Operations

An administrator of the Amorphic application can add a new mapping, or edit or delete an existing mapping.

Add New Mapping

A user can add a new mapping in the Amorphic application by using the "Add New Mapping" functionality.

To add a new mapping, the user needs to be an administrator in the application. Below is the image that shows how to add a new mapping.

Create SAML Tag Mapping

Edit Mapping

A user can edit an existing mapping. The tag associated with a group can be changed, but the group name cannot. To change the group name, delete the existing mapping and add a new one.

Below is the image that shows how to edit a mapping.

Edit SAML Tag Mapping

Delete Mapping

A user can delete an existing mapping.

Below is the image that shows how to delete a mapping.

Delete SAML Tag Mapping

Note

Below are some of the important points that the Amorphic administrator needs to keep in mind when a mapping is added or deleted.

  • Deleting a SAML group mapping does not automatically remove the user's access to the associated tags. The System Administrator must manually revoke the user's access from the tag.
  • If a user is removed from a SAML group, the user will not be automatically removed from the tag. It is the System Administrator’s responsibility to revoke the user’s access from the tag.
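
Because neither event revokes access, a periodic reconciliation helps find grants that outlived their SAML justification. The following is an added example, not Amorphic's own code or API: it compares read-only tag shares against the current mappings and IdP group membership. The data structures, group names and users are constructed and stand in for whatever exports are available in a given deployment.

```python
"""Added example: flag read-only tag grants no current SAML mapping justifies."""

# Constructed sample data; in practice these come from exports of the
# SAML mappings, IdP group membership and per-tag user shares.
SAML_MAPPINGS = [  # SamlGroupId -> Tag ("key:value")
    {"SamlGroupId": "okta-sales", "Tag": "department:sales"},
]
IDP_GROUP_MEMBERS = {  # current membership as reported by the IdP
    "okta-sales": {"alice"},
    "okta-finance": {"carol"},
}
TAG_SHARES = [  # (tag, user, access type) as currently granted
    ("department:sales", "alice", "read-only"),
    ("department:sales", "bob", "read-only"),      # left okta-sales
    ("department:finance", "carol", "read-only"),  # mapping was deleted
    ("department:sales", "dave", "owner"),         # shared manually
]


def justified_grants(mappings, members):
    """Return the (tag, user) pairs a sign-in through SAML would grant today."""
    pairs = set()
    for m in mappings:
        for user in members.get(m["SamlGroupId"], set()):
            pairs.add((m["Tag"], user))
    return pairs


def stale_candidates(shares, mappings, members):
    """Read-only shares with no backing mapping and membership, sorted."""
    ok = justified_grants(mappings, members)
    return sorted(
        (tag, user)
        for tag, user, access in shares
        # SAML mappings only ever grant read-only, so owner/editor shares
        # were made by hand and are out of scope for this check.
        if access == "read-only" and (tag, user) not in ok
    )


if __name__ == "__main__":
    for tag, user in stale_candidates(TAG_SHARES, SAML_MAPPINGS, IDP_GROUP_MEMBERS):
        print(f"review: {user} still has read-only access to {tag}")
```

A flagged pair may also be a read-only share an administrator made by hand, so treat the output as a review list, not an automatic revocation list.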