Vertica Documentation – Users, roles, and privileges

Mc: Users in Management Console

Mon, 01 Jan 0001 00:00:00 +0000

Unlike database users, which you create on the Vertica database and then grant privileges and roles through SQL statements, you create MC users on the Management Console interface. MC users are external to the database. Their information is stored on an internal database on the MC application/web server. Their access to both MC and to databases managed by MC is controlled by groups of privileges (also referred to as access levels). MC users are not system (Linux) users; they are entries in the MC internal database.

Permission group types

There are two types of permission groups on MC, those that apply to MC configuration and those that apply to database access:

MC configuration privileges are made up of roles that control what users can configure on the Management Console, such as modify MC settings, create and import Vertica databases, restart MC, create a Vertica cluster through the MC interface, and create and manage MC users.
MC database privileges are made up of roles that control what users can see or do on a Vertica database monitored by MC, such as view the database cluster state, query and session activity, monitor database messages and read log files, replace cluster nodes, and stop databases.

If you are using MC, you might want to allow one or more users in your organization to configure and manage MC, and you might want other users to have database access only. You can meet these requirements by creating MC users and granting them a role from each privileges group. See Creating an MC user for details.

MC user types

The following table describes the five types of role-based users on MC:

User Type	Description
SUPER Role (MC)	The default superuser administrator (Linux account) who gets created when you install and configure MC and oversees all of MC.
ADMIN Role (MC)	Users who can configure all aspects of MC and control all databases managed by MC.
MANAGER Role (MC)	Users who can configure MC user settings and monitor all databases managed by MC.
IT Role (MC)	Users who can configure some aspects of MC user settings and monitor all databases managed by MC.
NONE Role (MC)	Users who cannot configure MC and have access to one or more databases managed by MC.

For details about each role, see Configuration privileges.

You create users and grant them privileges (through roles) on the MC Settings page in the User management tab.

Creating users and choosing an authentication method

You create users and grant them privileges (through roles) on the MC Settings page. You can also choose how to authenticate their access to MC.

To add users who are authenticated against the MC, click User Management
To add users who are authenticated through your organization's LDAP repository, click Authentication

MC supports only one method for authentication, so if you choose MC, all MC users will be authenticated using their MC login credentials.

Default MC users

The MC super account is the only default user. The super or another MC administrator must create all other MC users.

Mc: Configuration privileges

Mon, 01 Jan 0001 00:00:00 +0000

When you create a Management Console (MC) user, you assign them an MC configuration access level (role). MC roles control a user's ability to create users and manage MC settings on the MC interface.

You can assign a user one of the following MC access levels:

ADMIN Role (MC): Full access to all MC functionality.
Manager Role (MC): Access to MC user management functionality. Access to non-database MC alerts.
IT Role (MC): Limited access to MC user management functionality. Access to MC log and to non-database MC alerts.
NONE Role (MC): Database access only, to the databases an administrator assigns to this user.

You grant MC configuration privileges at the same time you create the user's account, on the User Management tab of the MC Settings page. You can change MC access levels using this page. See Creating an MC user for details.

You can also use the User Management tab to grant users access to one or more databases managed by MC. See Database privilegesfor details.

SUPER role (MC)

The default superuser administrator, called Super on the MC UI, is a Linux user account that gets created when you install and configure MC. During the configuration process, you can assign the Super any name you like; it need not be dbadmin.

The MC SUPER role, a superset of the ADMIN Role (MC), has the following privileges:

Oversees the entire Management Console, including all MC-managed database clusters

Note
This user inherits the privileges/roles of the user name supplied when importing a Vertica database into MC. Vertica recommends that you use the database administrator's credentials.
Creates the first MC user accounts and assigns them an MC configuration role
Grants MC users access to one or more MC-managed Vertica databases by assigning Database privileges to each user

The MC super administrator account is unique. Unlike other MC users you create, including other MC administrators, the MC super account cannot be altered or dropped, and you cannot grant the SUPER role to other MC users. The only property you can change for the MC super is the password. Otherwise the SUPER role has the same privileges on MC as the ADMIN Role (MC).

On MC-managed Vertica databases, SUPER has the same privileges as ADMIN Role (DB).

The MC super account does not exist within the LDAP server. This account is also different from the special dbadmin account that gets created during a Vertica installation, whose privileges are governed by the DBADMIN. The Vertica-created dbadmin is a Linux account that owns the database catalog and storage locations and can bypass database authorization rules, such as creating or dropping schemas, roles, and users. The MC super does not have the same privileges as dbadmin.

ADMIN role (MC)

This user account is the user who can perform all administrative operations on Management Console, including configure and restart the MC process and add, change, and remove all user accounts. By default, MC administrators inherit the database privileges of the main database user account used to set up the database on the MC interface. Therefore, MC administrators have access to all MC-managed databases. Grant the ADMIN role to users you want to be MC administrators.

The difference between this ADMIN user and the default Linux account, the MC SUPER Role, is you cannot alter or delete the MC SUPER account, and you can't grant the SUPER role to any other MC users. You can, however, change the access level for other MC administrators, and you can delete this user's accounts from the MC interface.

There is also the ADMIN Role (DB) that controls a user's access to MC-managed databases. The two ADMIN roles are similar, but they are not the same, and you do not need to grant users with the ADMIN (mc) role an ADMIN (db) role because MC ADMIN users automatically inherit all database privileges of the main database user account that was created on or imported into MC.

MANAGER role (MC)

Users assigned the Manager role can configure user settings in MC. The Manager role allows full access to the User Management tab in MC Settings. Managers can also view a full list of databases monitored by MC on the Home page, view the MC log, and see non-database MC alerts.

The Manager role has similar configuration privileges to the IT configuration role. Unlike IT users, Managers can also create, edit, and delete users in User Settings.

IT role (MC)

MC IT users can monitor all MC-managed databases, view MC-level (non database) messages, logs, and alerts, disable or enable user access to MC, and reset non-LDAP user passwords. You can also assign MC IT users specific database privileges, which you do by mapping IT users to a user on a database. In this way, the MC IT user inherits the privileges assigned to the database user that they are mapped to.

There is also an IT Role (DB) that controls a user's access to MC-managed databases. If you grant an MC user both IT roles, it means the user can perform some configuration on MC and also has access to one or more MC-managed databases. The database mapping is not required, but it gives the IT user wider privileges.

NONE role (MC)

The default role for all newly-created users on MC is NONE, which prevents users granted this role from configuring the MC. When you create MC users with the NONE role, you grant them an MC database-level role. This assignment maps the MC user to a user account on a specific database and specifies that the NONE user inherits the database user’s privileges to which he or she is mapped.

Which database-level role you grant this user with NONE privileges—whether ADMIN (db) or IT (db) or USER (db)—depends on the level of access you want the user to have on the MC-managed database. Database roles have no impact on the ADMIN and IT roles at the MC configuration level.

MC configuration privileges by user role

You grant the following configuration privileges by MC role.

MC access privileges	ADMIN	MANAGER	IT	NONE
Configure MC settings: Configure storage locations and ports Upload new SSL certificates Manage LDAP authentication Update Vertica installation Change MC theme Map to an external data source	Yes
Configure user settings: Add, edit, delete users Add, change, delete user permissions Map users to one or more databases	Yes	Yes
Configure user settings: Enable or disable user access to MC Reset user passwords	Yes	Yes	Yes
Monitor user activity on MC using audit log	Yes
Create and manage databases and clusters: Create a new database or import an existing one Create a new cluster or import an existing one Remove databases and clusters from MC	Yes
Reset MC to its original, preconfigured state	Yes
Restart Management Console	Yes
View full list of databases monitored by MC	Yes	Yes	Yes
View MC log	Yes		Yes
View non-database MC alerts	Yes	Yes	Yes	Yes

Mc: Database privileges

Mon, 01 Jan 0001 00:00:00 +0000

When you create Management Console (MC) users, you first assign them MC configuration privileges, which controls what they can do on the MC itself. In the same user-creation operation, you grant access to one or more MC-managed databases. MC database access does not give the MC user privileges directly on Vertica; it provides MC users varying levels of access to assigned database functionality through the MC interface.

Assign users an MC database level through one of the following roles:

ADMIN Role (DB): Full access to all databases managed by MC. Actual privileges ADMINs inherit depend on the database user account used to create or import the Vertica database into the MC interface.
Associate Role (DB): Full access to all databases managed by MC. Cannot start, stop, or drop a database. Actual privileges that Associates receive depend on those defined for the database user account to which the Associate user is mapped.
IT Role (DB): Can start and stop a database but cannot remove it from the MC interface or drop it.
USER Role (DB): Can view database information through the database Overview and Activities pages but is restricted from viewing more detailed data.

ADMIN role (DB)

ADMIN is a superuser with full privileges to monitor MC-managed database activity and messages. Other database privileges (such as stop or drop the database) are governed by the user account on the Vertica database that this ADMIN (db) user is mapped to. ADMIN is the most permissive role and is a superset of privileges granted to the Associate, IT, and USER roles.

Note

Database access granted through Management Console never overrides roles granted on a specific Vertica database.

There is also an MC configuration administrator role that defines what the user can change on the MC itself. The two ADMIN roles are not the same. Unlike the MC configuration role of ADMIN, which can manage all MC users and all databases imported into the UI, the MC database ADMIN role has privileges only on the databases you map this user to. See ADMIN Role (MC) for additional details.

Associate role (DB)

The Associate role is an MC database access role. It is similar to the Admin role. It has privileges to monitor activity and messages on databases managed by MC. Unlike Admin users, Associate users cannot start, stop, or drop the database. The Associate user role is mapped to a user account on the database. This mapped user role determines what other database privileges the Associate role has (such as modifying settings, installing licenses, and viewing the database designer).

The following database operations depend on the database user's role that you mapped this Associate user to:

Install or audit a license
Manage database settings
View Database Designer
View the database Activity page

Note
Database access granted through Management Console never overrides roles granted on a specific Vertica database.

IT role (DB)

IT can view most details about an MC-managed database, such as messages (and mark them read/unread), the database overall health and activity/resources, cluster and node state, and MC settings. You grant and manage user role assignments through the MC Settings > User management page on the MC.

There is also an IT role at the MC configuration access level. The two IT roles are similar, but they are not the same. If you grant an MC user both IT roles, it means the user can perform some configuration on MC and also has access to one or more MC-managed databases. For additional details, see IT Role (MC).

User role (DB)

USER has limited database privileges, such as viewing database cluster health, activity/resources, and messages. MC users granted the USER database role might have higher levels of permission on the MC itself, such as the IT Role (MC). Alternatively, USER users might have no (NONE) privileges to configure MC. How you combine the two levels is up to you.

Mapping MC users to a database to avoid conflicts

When you assign an MC database level to an MC user, map the MC user account to a database user account to ensure that:

The MC user inherits the privileges assigned to that database user
You prevent the MC user from doing or seeing anything not allowed by the privileges for the user account on the server database

Privileges assigned to the database user supersede privileges of the MC user if there is a conflict, such as stopping a database. When the MC user logs into MC using an MC user name and password, Vertica compares privileges for database-related activities to the privileges on the database account to which you mapped the MC user. Vertica allows the user to perform operations in MC only when that user has both MC privileges and corresponding database privileges.

Tip

As a best practice, you should identify, in advance, the appropriate Vertica database user account that has privileges or roles similar to one of the MC database roles.

See Creating an MC user for more information.

MC database privileges by role

The following table summarizes MC database-level privileges by user role. The table shows the default privileges each role has. Operations marked "database user privilege" are dependent on the privileges of the Vertica database user account to which the MC user is mapped.

Default database-level privileges	ADMIN	ASSOCIATE	IT	USER
View database Overview page	Yes	Yes	Yes	Yes
View database messages	Yes	Yes	Yes	Yes
Delete messages and mark read/unread	Yes	Yes	Yes
Audit and install Vertica licenses	Database user privilege	Database user privilege
View database Activity page: Queries chart Internal Sessions chart User Sessions chart System Bottlenecks chart User Query Phases chart	Yes	Database user privilege	Database user privilege	Database user privilege
View database Activity page: Queries chart > Detail page Table Treemap chart Query Monitoring chart Resource Pools Monitoring chart	Database user privilege	Database user privilege
Start a database	Yes
Rebalance, stop, or drop databases	Database user privilege
View Manage page	Yes	Yes	Yes	Yes
View node details	Yes	Yes	Yes
Replace, add, or remove nodes	Database user privilege
Start/stop a node	Yes
View database Settings page	Yes	Yes	Yes
Modify database Settings page	Database user privilege	Database user privilege
View Database Designer	Database user privilege	Database user privilege

Vertica Documentation – Users, roles, and privileges

Mc: Users in Management Console

Permission group types

MC user types

Creating users and choosing an authentication method

Default MC users

See also

Mc: Configuration privileges

SUPER role (MC)

Note

ADMIN role (MC)

MANAGER role (MC)

IT role (MC)

NONE role (MC)

MC configuration privileges by user role

See also

Mc: Database privileges

ADMIN role (DB)

Note

Associate role (DB)

Note

IT role (DB)

User role (DB)

Mapping MC users to a database to avoid conflicts

Tip

MC database privileges by role