User Isolation

Note

User Isolation Framework was previously called Multi-User-Security.

Note

If using Dataiku Cloud Stacks installation, User Isolation is automatically managed for you, and you do not need to follow these instructions

On an out-of-the-box installation of DSS, every action performed by DSS is performed as a single account on the host machine. This account which runs the DSS service is called the dssuser . For example, when a DSS end-user executes a code recipe, it runs as the UNIX dssuser

Similarly:

This default behavior has several limitations:

DSS features a set of mechanisms to isolate code which can be controlled by the user, so as to guarantee both traceability and inability for a hostile user to attack the dssuser . Together, these mechanisms form the User Isolation Framework .

The User Isolation Framework is not a single technology but a set of capabilities that permit isolation depending on the context. Most of the components of the User Isolation Framework imply that DSS impersonates the end-user and runs all user-controlled code under different identities than dssuser .

This documentation includes a number of reference architectures showing common deployments of the various UIF components.

Note

The User Isolation Framework requires an Enterprise Edition license of DSS.