RBAC

Console roles and privileges, default users, user management, and SAML single sign-on with Azure AD.

Product: Datamotive Platform
Version: v2.0.3

Access to the Datamotive console is governed by roles — sets of privileges that define rights to perform actions on system entities. Roles are assigned to users; users authenticate locally or through SAML single sign-on.

Default roles

| Role | Rights |
|---|---|
| Super Admin | View and perform all available operations in the system. |
| Support Admin | View and perform operations essential for the support team. |
| DR Admin | Operations related to protection plans and recovery/migration. |
| Read Only | View all operations, perform none. |

Under Settings → Roles, click any role to load its associated privileges and the users holding it.

Default users

A fresh deployment creates four users — Administrator, DRadmin, Guest, and SupportAdmin — all with the default password admin. A password change is mandatory on first login.

Manage users

Under Settings → Users:

  • Create — click + New and provide username, password, full name, email, description, and a role from the dropdown.
  • Edit / remove — via the corresponding actions on each user.
  • Reset password — select the user, click Reset Password, and confirm with the logged-in user's password. A temporary password is generated; the user must change it at first login. Only Super Admin users can reset passwords.

SAML single sign-on (Azure AD)

Users can authenticate via their domain identity using Azure Active Directory (Microsoft Entra ID) as the identity provider. Configuration involves three stages, performed on each management node separately:

  1. Download the service provider metadata

    In the console under Identity Provider, click Service Provider Metadata URL to download the Datamotive SP metadata file; rename it with an .xml extension.

  2. Create and configure the Entra application

    In the Azure portal: Microsoft Entra ID → Enterprise Application → New Application → Create your own application (non-gallery). Open Single sign-on, select SAML, and upload the Datamotive metadata file. Then:

    • Copy the App Federation Metadata URL from the SAML Certificates section.
    • In Attributes & Claims, copy the email address and name claims, and add a new claim named Role (namespace matching the other claims) with source attribute user.assignedroles.
    • Add the domain users to the application and assign roles. Custom app roles must be created via Microsoft Graph Explorer; the role value is sent as a claim in the SAML response and is mapped to Datamotive roles locally.

  3. Register the application in the Datamotive node

    In the console: Identity Provider → Configure SAML 2.0 Identity Provider. Provide a name, the IdP metadata URL or file, the email/name/role claim attributes, and the role mapping (IdP role name → Datamotive role). Click Configure.
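
A check of the Role claim and role mapping from stages 2 and 3 before they are relied on, as an added example that is not Datamotive's code: it reads the claims from a constructed, unsigned AttributeStatement and reports which Datamotive roles the mapping would grant and which IdP role values match nothing. The claim namespace, the IdP role values (`dm-dr-operator`, `dm-auditor`, `helpdesk`) and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed claim namespace (the Entra default for the email/name claims);
# confirm the real URIs under Attributes & Claims.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
CLAIM_URIS = {"email": CLAIMS + "emailaddress", "name": CLAIMS + "name", "role": CLAIMS + "Role"}
DATAMOTIVE_ROLES = {"Super Admin", "Support Admin", "DR Admin", "Read Only"}  # default roles on this page
# Hypothetical IdP app-role values mapped to Datamotive roles.
ROLE_MAP = {"dm-dr-operator": "DR Admin", "dm-auditor": "Read Only"}

# Constructed sample: only the AttributeStatement of an assertion, unsigned.
# Signature validation is out of scope here; this checks claim configuration only.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="{c}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{c}name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{c}Role">
    <saml:AttributeValue>dm-dr-operator</saml:AttributeValue>
    <saml:AttributeValue>helpdesk</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>""".format(c=CLAIMS)


def read_claims(statement_xml):
    """Return {claim URI: [values]} for every Attribute in the statement."""
    root = ET.fromstring(statement_xml)
    return {a.get("Name"): [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iter("{%s}Attribute" % NS["saml"])}


def check_mapping(statement_xml, claim_uris=CLAIM_URIS, role_map=ROLE_MAP):
    """Resolve one user's claims against the role mapping; unmapped values grant nothing."""
    bad_targets = sorted(set(role_map.values()) - DATAMOTIVE_ROLES)
    if bad_targets:
        raise ValueError("mapping targets unknown roles: %s" % bad_targets)
    claims = read_claims(statement_xml)
    missing = sorted(k for k, uri in claim_uris.items() if not any(claims.get(uri, [])))
    sent = claims.get(claim_uris["role"], [])
    return {
        "email": (claims.get(claim_uris["email"]) or [None])[0],
        "missing_claims": missing,
        "granted": sorted({role_map[r] for r in sent if r in role_map}),
        "unmapped": sorted(r for r in sent if r not in role_map),  # exact, case-sensitive match
    }


if __name__ == "__main__":
    print(check_mapping(SAMPLE))
```

An empty `granted` list or a non-empty `missing_claims` list for a test user points to a claim name or role value that differs between the Entra application and the mapping entered in the console.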
