USER GUIDE

Version : 0.5.0

September 2015





About this document

Selection_004.png

Getting started 

General Features

 Login to the system:

Selection_005.png


Selection_007.png

 

Log out to the system:

Selection_008.png

Service Manager (Access Manager)

Selection_009.png

HDFS

Selection_011.png

 

Label

Description

Service name

Name of the service, you will need to specify the service name in the agent config

Description

Give service description for reference

Active Status

You can choose this option to enable or disable the service

User name

Specify the end system username that can be used for connection

Password

Add the password for username above

Namenode URL

hdfs://NAMENODE_FQDN:8020

Authorization Enabled

Authorization involves restricting access to resources. If enabled, user need authorization credentials.

Authentication Type

Specify the authentication type (Simple, Kerberos)

hadoop.security.auth_to_local

It should be taken from hadoop configuration file, core-site.xml; Mapping of login credential to a username with hadoop

dfs.datanode.kerberos.principal

It should be taken from hadoop configuration file, hdfs-site.xml; Provide only if kerberos authentication is enabled; Principle associated with datanode

dfs.namenode.kerberos.principal

It should be taken from hadoop configuration file, hdfs-site.xml; Provide only if kerberos authentication is enabled; Principle associated with namenode

dfs.secondary.namenode.kerberos.principal

Should be taken from hadoop configuration file, hdfs-site.xml; Provide only if kerberos authentication is enabled; principal associated with secondary- namenode

RPC Protection Type

Only authorised user can view,use and contribute to a dataset

Common Name for certificate

Specify the name of the certificate

Add new Configurations

Specify any other new configurations

HIVE

Selection_012.png

 

Label

Description

Service Name

Name of the service, you will need to specify the service name in the agents config

Description

Give service description for reference.

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for username above

jdbc.driverClassName

Specify the full classname of the

driver used for Hive connections.

The default HiveServer2 classname is : org.apache.hive.jdbc.HiveDriver

jdbc.url

jdbc:hive2://HIVE_FQDN:10000

Common name for certificate

Specify common name for certificate

Add new configurations

Specify any other new configurations

HBASE

Selection_014.png

 

Label

Description

Service Name

Name of the Service, you will need to specify the service name in the agents config

Description

Give any description for reference

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for the username above

hadoop.security.authentication

Specify the authentication type (Simple, Kerberos)

hbase.master.kerberos.principal

Specify the Kerberos principal for the

HBase Master (Applicable only for Kerberos enabled environment)

hbase.security.authentication

Setting must match the hbase-site.xml setting for this property (Simple, Kerberos).

hbase.zookeeper.property.clientPort

Setting must match the hbase-site.xml setting for this property (default is : 2181).

hbase.zookeeper.quorum

Setting must match the hbase-site.xml setting for this property.

zookeeper.znode.parent

Setting must match the hbase-site.xml setting for this property.

Common Name for Certificate

Specify common name for certificate

Add New Configurations

Specify any other new configurations

KNOX

Selection_015.png

 

Label

Description

Service Name

Name of the Service, you will need to specify the service name in the agents config

Description

Give service description for reference

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for the username above

knox.url

gateway url for knox

common name for certificate

Specify the name of the certificate

Add New configurations

Specify any other new configuration

5.YARN

Selection_016.png

 

Label

Description

Service Name

Name of the Service, you will need to specify the service name in the agents config

Description

Give service description for reference

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for the username above

YARN REST URL

Http or https://RESOURCEMANAGER_FQDN:8088

Common name for certificate

Specify common name for certificate

Add new configurations

Specify new configurations

STORM

Selection_017.png

 

Label

Description

Service Name

Name of the Service, you will need to specify the service name in the agents config

Description

Give service description for reference

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for the username above

Nimbus URL

hostname of nimbus format http://<ipaddress>:8080

Common name for certificate

Specify common name of the certificate

Add New Configuration

Specify any other new configurations

SOLR

Selection_018.png

 

Label

Description

Service name

Name of the Service, you will need to specify the service name in the agents config

Description

Give any description for reference

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for the username above

solr URL

http://Solr_host:6083

Ranger Plugin SSL Cname

Provide common.name.for.certificate which is registered with Ranger (in Wire Encryption environment)

Add New Configurations

Specify new configuration

KAFKA

Selection_019.png

 

Label

Description

Service  name

Name of the Service, you will need to specify the service name in the agents config

Description

Give service description for reference

Active Status

You can choose this option to enable or disable the service

Username

Specify the end system user name that can be used for connection

Password

Add the password for the username above

Zookeeper Connect String

defaults to localhost:2181 (Provide FQDN of zookeeper host : 2181)

Ranger Plugin SSL CName

Provide common.name.for.certificate which is registered with Ranger (in Wire Encryption environment)

Add New Configuration

Specify any other new configurations

Edit Service

Selection_020.png

Delete Service

Selection_021.png


Ranger Policies

HDFS

You can add a new policy from the HDFS policy listing page for a particular service. On add , the policy should be listed in the table below. You can search a Policy by search filters provided.

Step 1 : Click on the Add New Policy button on listing page

Selection_022.png

Step 2 : Create Policy Form

Selection_023.png

 

Label

Description

Policy Name

Enter an appropriate policy name.

This name is cannot be duplicated for the same Service type (HDFS). This field is mandatory.

Resource path

Define the resource path for folder/file. You can add wildcard characters like /home* to avoid writing the full path as well as to enable the policy for all sub folders or files

Description

You can include the description for the policy you are creating

Recursive

You can indicate whether all files or folders within the existing folder comes under the policy. Can be used instead of wildcard characters

Audit Logging

Indicate whether this policy would be audited or not

Group Permissions

From a user group list, pick a particular group and choose permissions for that group.

Enable/disable

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

User Permissions

From a user list, pick a particular user and choose permissions for that user.

Delegate Admin

When a policy is assigned to a user or a group of users those users become the delegated admin.The delegated admin can update, delete the policies. It can also create child policies based on the original policy (base policy)

 

Selection_024.png

 

Permissions

Description

Read

Allows user to perform read operation

Write

Allows user to perform write operation

Execute

Allows user to perform execute operation

 

Step 3 : Policy is created with unique id

Selection_027.png

Edit/Delete HDFS Policies

Selection_028.png

HDFS Policy Examples

Example 1: Policy in Ranger

Step 1 : In the below example we create a policy ‘HDFS_POLICY’ with Resource path /home with read ,write,execute,delegate admin rights and assign it to mark.

Selection_029.png

Selection_008.png

Selection_009.png

Selection_013.png

Selection_014.png

Selection_015.png

Example 2: No Policies in Ranger,permission in HDFS

Selection_016.png

 

Selection_017.png

HIVE

You can add a new policy from the Hive Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by ‘Database Name’, ‘Table’ , ‘Column’, ‘Groups name’, ’policy name’, ’status’, ’user name’, ’udf’

Step 1 : Click on the Add New Policy button on listing page.

Selection_018.png

Step 2 : Add policy form

Selection_019.png

 

Label

Description

policy name

Enter an appropriate policy name.

This name is cannot be duplicated for the same Service type (Hive). This field is mandatory.

Hive database name

Select the appropriate database. Multiple databases can be selected for a particular policy. This field is mandatory.

table name

For the selected database, select table(s) for the which the policy will be applicable

Hive column name

For the selected database and table(s), select columns for the which the policy will be applicable

Audit logging

Choose whether the particular policy will be audited or not.

Group permission

From a user group list, pick a particular group and choose permissions for that group.

User permission

From a user list, pick a particular user and choose permissions for that user.

include/exclude

The include flag means it will consider the values entered in the field. The default value is set as include. The exclude Flag will exclude all the table names or column names entered in that particular field.

Enable/disable

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

  

 

Selection_020.png

 

Label

Description

Policy name

Enter an appropriate policy name.

This name can not be duplicated across the system.This field is mandatory.

Hive database

Select the appropriate database. Multiple databases can be selected for a particular policy. This field is mandatory.

UDF

We can also set policies for UDF.User Defined Function.Enter an appropriate udf.

Audit Logging

Choose whether the particular policy will be audited or not.

Group permissions

From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for chosen resource

User Permissions

From a user list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the user as admin for the chosen resource

Include/exclude

The include flag means it will consider the values entered in the field.The default value is set as include. The exclude Flag will exclude all the table names or column names entered in that particular field.

Enable/disable

By default the policy is enabled. You can disable a policy to restrict user/group access for that policy.

 

 

Wildcards: Wildcards can be included in resource path.’*’ indicates zero or more occurs of characters.’?‘ indicates single character.You can use wildcards in the database name ,table name ,column name.for e.g database name as *,table name as ? and column name as ?.

In case of UDF we can use for e.g. database name as *,UDF as ?.

Permission

Description

Select

Allows users to perform a select operation

Update

Allows users to perform an update operation

Create

Allows users to perform a Create operation

Drop

Allows users to perform a Drop operation

Alter

Allows users to perform a Alter operation

Index

Allows users to perform an indexing operation

Lock

Allows users to perform an lock operation on specified resource

All

Allows users to perform all operations

GRANT: Hive GRANT is a command used to provide access or privileges on Hive database tables to the users.

Syntax: grant <permissions> on table <table> to user <user or group>;    
 
i.e   : grant select on table default.newtable to user mark;

This will create a policy and give select rights to user1.

 


Selection_081.png


Selection_077.png

 

Edit / Delete / Revoke HIVE policies

Selection_021.png

 

REVOKE: Hive REVOKE is a command used to revoke access or privileges on Hive database tables from the users.


Syntax: revoke <permissions> on table <table> from user <user or group>;
 
i.e.  : revoke select on table default.newtable from user mark;

This will revoke select rights from user1.

 

Selection_080.png


Selection_082.png

 

HBASE

You can add a new policy from the HBASE Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by ‘column’, ’column family’, ’Group name’, ’Policy name’,  ’Status', 'Table', ’Username’.

Step 1 : Click on the Add New Policy button on listing page.

Selection_022.png

Step 2 : Create Hbase Policy

Selection_023.png

 

 

Label

Description

Policy  Name

Enter an appropriate policy name.

This name is cannot be duplicated for same Service type (Hbase). This field is mandatory.

Hbase Table

Select the appropriate table. Multiple tables can be selected for a particular policy. This field is mandatory

Hbase column-family

For the selected table, select column families for the which the policy will be applicable

Hbase column

For the selected table and column family, select columns for the which the policy will be applicable

Audit Logging

Choose whether the particular policy will be audited or not.

Group permission

From a user group list, pick a particular group and choose permissions for that group. Choosing admin permission will designate the group as admin for the chosen resource

User Permission

From a user list, pick a particular user and choose permissions for that user. Choosing admin permission will designate the user as admin for the chosen resource

Enable/Disable

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

 

 

Wildcards: Wildcards can be included in resource path.’*’ indicates zero or more occurs of characters.’?‘ indicates single character. You can use wildcards in the table name, column name, column families. for e.g table name as *, column family as ? and column name as ?.

Permission

Description

Read

Allows user to perform  a read operation

Write

Allows user to perform  a write operation

Create

Allows user to perform  a create operation

Admin

This gives the delegated admin access to user

GRANT:  HBase GRANT is a command used to provide access or privileges on Hbase database tables to the users.

Syntax: grant '<user-or-group>','<permissions>','<table>'
 
i.e   : grant 'mark’' , 'RW' , 'testtable2'

This will create a policy and give read and write access to user1 on testtable2 .Similarly we can grant create and admin writes

 

Selection_024.png

Selection_025.png

 

 Edit / Delete / Revoke HBASE Policies

Selection_026.png

REVOKE: Hbase REVOKE is a command used to revoke access or privileges on Hbase database tables from the users.

Syntax: revoke ‘<user-or-group>','<table>'
 
i.e   : revoke 'mark','testtable2'

This will revoke all rights from mark

In hbase you don't have specific revoke commands for each privilege as we had in Hbase.


Selection_027.png

Selection_028.png

 

KNOX

You can add a new policy from the KNOX Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by ‘Policy Name’, ‘Topology Name’, ‘Service Name’ and ‘Groups’.

Step 1 : Click on the Add New Policy button on listing page

Selection_029.png

Step 2 : Add knox policy

Selection_031.png


 

Label

Description

Policy name

Enter an appropriate policy name.

This name is cannot be duplicated in the same Service type (Knox).

Knox topology

Enter an appropriate Topology Name

Knox service

Enter an appropriate Service Name

Audit Logging

Choose whether the particular policy will be audited or not.

Group permissions

From a group list, pick a particular group and choose permissions for that group.

User permissions

From a user user list, pick a particular user and choose permissions for that user.

Enable/disable

By default the policy is enabled. You can disable a policy to restrict user/group access for that policy.

Include/Exclude

The include flag means it will consider the values entered in the field. The default value is set as include. The exclude Flag will exclude all the table names or column names entered in that particular field.

 

 

Wildcards: Wildcards can be included in resource path.’*’ indicates zero or more occurs of characters.’?‘ indicates single character. You can use wildcards in the 'topology name', 'service name'. for e.g topology name as *, service name as ?.

Permission

Description

IP Address Range

Specify ip address range

Allow

Allow permission allows users to access topology that is specified in topology name

 

You can edit/delete a policy from the KNOX Policy Listing page by clicking on the edit/delete button next to policy row.

Selection_032.png

 

STORM

You can add a new policy from the STORM Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by ‘Policy Name’, ‘Topology Name’ and ‘Groups’.

Step 1 : Click on the Add New Policy button on listing page

Selection_033.png

Step 2 : Add STORM Policy

Selection_034.png

 

 

Topology name: A topology is a graph of computation. Each node in a topology contains processing logic, and links between nodes indicate how data should be passed around between nodes.

Label

Description

Policy name

Enter an appropriate policy name.

This name is cannot be duplicated across the system.

Storm topology

Enter an appropriate Topology Name

Audit logging

Choose whether the particular policy will be audited or not.

Group permission

From a user group list, pick a particular group and choose permissions for that group.

User permission

From a user list, pick a particular group and choose permissions for that group.

Enable/disable

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

Include/Exclude

The include flag means it will consider the values entered in the field. The default value is set as include. The exclude Flag will exclude all the table names or column names entered in that particular field.

Wildcards: Wildcards can be included in resource path.’*’ indicates zero or more occurs of characters.’?‘ indicates single character. You can use wildcards in the topology name.for e.g topology name as ?.

 

 

Permission

Description

Submit Topology

Allows user to submit a topology

File upload

Allows user to upload files

Get Nimbus Conf

Allows user to access Nimbus Configuration

Get Cluster info

Allows user to get Cluster Information

File Download

Allows user to Download Files

Kill Topology

Allows user to kill a topology

Rebalance

Allows user to Rebalance topologies

Activate

Allows user to Activate topology

Deactivate

Allows user to Deactivate topology

Get Topology Conf

Allows user to access Topology Configuration

Get Topology

Allows user to access Topology

Get User Topology

Allows user to access user Topology

Get Topology Info

Allows user to access Topology Information

Upload New Credential

Allows user to upload new credential

 

You can edit/delete a policy from the STORM Policy Listing page by clicking on the edit/delete button next to policy row.

Selection_035.png

 

YARN

You can add a new policy from the YARN Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by ‘Group name’, ’Policy name’, ’Queue’, ’Status’, ’username’. 

 Step 1 : Click on the Add New Policy button on listing page

Selection_038.png

Step 2 : Add YARN Policy

Selection_039.png

 

 

Label

Description

Policy Name

Enter an appropriate policy name.

This name is cannot be duplicated across the system.

Queue

The fundamental unit of scheduling in yarn

Audit Logging

Choose whether the particular policy will be audited or not.

Enable/disable

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

Recursive

You can indicate whether all files or folders within the existing folder comes under the policy.Can be used instead of wildcard characters

User Permission

From a user list, pick a particular user and choose permissions for that user.

Group Permission

From a group list, pick a particular group and choose permissions for that group.

Wildcards: Wildcards can be included in resource path.’*’ indicates zero or more occurs of characters.’?‘ indicates single character.You can use wildcards in the topology name.for e.g topology name as ?.

 

 

Permission

Description

Submit-job

Allows user to submit a job on a defined queue

Admin-queue

Allows user to manage admin queue


Edit/Delete YARN policies

Selection_040.png

 

SOLR

You can add a new policy from the Solr Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by 'Collection', 'Group name', 'Policy name', 'status', 'user name'.

Step 1 : Click on the Add New Policy button on listing page

Selection_041.png

Step 2 : Add SOLR policy

Selection_042.png

 

 

Label

Description

Policy Name

Enter an appropriate policy name.

This name is cannot be duplicated for the same Service type (Solr)

Solr connection

http:<host_ip>:6083/solr

Audit logging

Choose whether the particular policy will be audited or not.

Group permission

From a user list, pick a particular group and choose permissions for that group. Choosing solr admin permission will designate the group as admin for chosen resource

User Permission

From a user list, pick a particular user and choose permissions for that user. Choosing solr admin permission will designate the user as admin for the chosen resource

Enabled/disabled

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

Include/Exclude

The include flag means it will consider the values entered in the field.The default value is set as include.The exclude Flag will exclude all the table names or column names entered in that particular field.

 

 

Permission

Description

Querry

Permission to fetch records from Solr DB.

Update

Permission to update records in Solr

Others

 

Solr Admin

Permission to manage user accounts and


Edit / Delete SOLR Policies

Selection_044.png

 

KAFKA

You can add a new policy from the KAFKA Policy Listing Page. On add , the policy should be listed in the table below. You can search a Policy by ‘Group name’,’Policy name’,Status,topic,’username’.

Step 1 : Click on the Add New Policy button on listing page

Selection_045.png

Step 2 : Add KAFKA Policy

Selection_046.png

 

Label

Description

Policy name

Enter an appropriate policy name.

This name is cannot be duplicated for the same Service type (Kafka)

Topic

A topic is a category or feed name to which messages are published.

Audit logging

Choose whether the particular policy will be audited or not.

User permission

From a user list, pick a particular user and choose permissions for that user. Choosing Kafka Admin permission will designate the user as admin for the chosen resource

Group permission

From a user group list, pick a particular group and choose permissions for that group. Choosing Kafka Admin permission will designate the group as admin for chosen resource

Enable/Disable

By default the policy is enabled.You can disable a policy to restrict user/group access for that policy.

Include/Exclude

The include flag means it will consider the values entered in the field. The default value is set as include. The exclude Flag will exclude all the table names or column names entered in that particular file

Wildcards: Wildcards can be included in resource path.’*’ indicates zero or more occurs of characters.’?‘ indicates single character. You can use wildcards in the topic name.for e.g topic name as ?.

 

 

Permission

Description

Publish

A process that publish message to kafka topic producers.

Consume

Consume only a subset of the partitions in a topic in a process

Configure

Configure the kafka broker/cluster

Describe

Permission to fetch metadata on the topic

Kafka Admin

 


USERS/GROUPS

Policy permissions are assigned to users and groups.  

These are users who can login into the Ranger portal and perform administrative and reporting tasks.Roles can be assigned while adding the users. Only admins are allowed to create users and create services. The role of the ‘admin’/’admin user’ dictates what roles can be assigned to the new users.

 

You can add a new group from the User Listing Page. On add, the user should be listed in the table below. The users that are created in the system are You can search a User by ‘Email Address’, ‘Role’ , ‘User Name’, ‘ User Source’, ’user status’, ’visibility’.


Step 1 : Click on the Add New User button on the user listing page

Selection_047.png

Step 2 : Enter the details and save.

Selection_048.png

 

Label

Description

User Name

Enter an appropriate user name.

This name  cannot be duplicated across the system.

New Password

Enter an appropriate password.

Password Confirm

Confirm the entered password

First Name

Enter an appropriate first name.     

Last Name

Enter an appropriate last name

Email address

Enter an appropriate first email address in the required format

Select Role

Select appropriate Role (Admin, User). This is a mandatory field.

Group

Select group/s to which user belongs.

 

Step 3 : Set visibility (i.e. Visible/Hidden)

After clicking on hidden button user get hide from policy listing page. For hiding functionality user must need to select check box located near User Name column.

Selection_053.png


Selection_050.png


Selection_051.png

Step 4 : Set visibility (Visible)

Selection_052.png

Step 5 : Set status of the user.

Selection_054.png


Selection_055.png

 Admin Login:     

Selection_056.png

User Login:

Selection_057.png

 

Groups

You can add a new group from the group Listing Page. On add , the group should be listed in the table below. You can search a group by ‘Group Name’ and ‘ Group Source’,visibility

Step 1: Click on the Add New Group button on the group listing page.

Selection_058.png

Step 2 : Enter the details and save.

Selection_059.png

 

 

Label

Description

Group Name

Enter an appropriate user name.

This name  cannot be duplicated across the system.This is a mandatory field.

Description

Give any description for reference.

 

Selection_060.png

Selection_061.png


Selection_062.png

 

Reports

 

Selection_063.png


Selection_064.png


Audit

Access

 

Search Criteria

Description

Access Enforcer

Access enforcer indicates who made the decision to allow or deny. In case of HDFS, the enforcer would XA (Ranger) or Hadoop.

Access Type

Type of access user has for e.g read,write

Start date,End date

Time and date is stored for each access.A date range is used to filter the results for that particular date range.

Service Name

The name of the service which the user tries to access

Service Type

The type of the service which the user tries to access

Result

This shows whether the operation was successfull or not

User

Name of the user which tried to access the resource

Client ip

Ip address of the user system which tried to access the resource

 

Selection_065.png

 

Admin

 

Search Criteria

Description

Action

These are operations performed on resources e.g(actions like create,update,delete,password change)

Audit Type

There are three values Resource,asset and xa user according to operations performed on Service,policy and users.

Session id

The session count increments each time you try to login to the system

Start Date

Login time and date is stored for each session.A date range is used to filter the results for that particular date range

User

Username who has performed create,update,delete operation.

 

Selection_066.png

 

Selection_067.png

 

Logging Session

 

Search Criteria

Description

End Date,Start Date

Login time and date is stored for each session.A date range is used to filter the results for that particular date range     

Ip

The IP of the system through which we log in

Login id

The user name through which you login to the system

Login Type

The mode through which the user tries to login.(By entering username and password)

Result

Result based on login pass or fail

Session id

The session count increments each time you try to login to the system

User Agent

Login time and date is stored for each session

 

Selection_068.png

Selection_070.png


Selection_069.png

 

Plugins

 

Search Criteria

Description

Http Response Code

The http code which you get when you try to export the Services

Plugin IP

Ip of the agent which tries to export the service

Plugin Id

Name of the agent which tries to export the service

Start Date,End Date

Export time and date is stored for each agent. A date range is used to filter the results for that particular date range.

Service Name

The service name we are trying to export.

 

Selection_071.png



Permissions

The aim of permission module is to provide flexibility of user roles.With the help of permission model, Admin can restrict access or assign permission to any module for non-admin users.The main purpose of Permission model is to assign dedicated roles to non-admin users based on services such as policy manager, audit, reporting, user management,Key Manager.


Step 1: Put the pointer on Settings tab. Click on ‘Permissions’ from dropdown.

PERMISSION.png

Step 2 : You can search the permissions by Group Name,Module Name,User Name.

Selection_072.png

 

Step 3 : Click on edit button under Action column for access of particular module to selected user on permissions listing page.

Selection_073.png

Step 4 : You can select multiple users and groups from drop down.

            a.  User Permission

USER PERMISSION.png

             b.  Group Permission

GROUP PERMISSION.png

Step 5 : If Steve user is having permission of only Audit and Reports tab then only this two module will be visible to to mark user on his login.

           a.  Admin Login

Selection_074.png

             b.  Steve user Login

Selection_075.png