Configuration privileges
When you create a Management Console (MC) user, you assign them an MC configuration access level (role). MC roles control a user's ability to create users and manage MC settings on the MC interface.
You can assign a user one of the following MC access levels:
- ADMIN Role (MC): Full access to all MC functionality.
- Manager Role (MC): Access to MC user management functionality. Access to non-database MC alerts.
- IT Role (MC): Limited access to MC user management functionality. Access to MC log and to non-database MC alerts.
- NONE Role (MC): Database access only, to the databases an administrator assigns to this user.
You grant MC configuration privileges at the same time you create the user's account, on the User Management tab of the MC Settings page. You can change MC access levels using this page. See Creating an MC user for details.
You can also use the User Management tab to grant users access to one or more databases managed by MC. See Database privileges for details.
SUPER role (MC)
The default superuser administrator, called Super on the MC UI, is a Linux user account that gets created when you install and configure MC. During the configuration process, you can assign the Super any name you like; it need not be dbadmin.
The MC SUPER role, a superset of the ADMIN Role (MC), has the following privileges:
- Oversees the entire Management Console, including all MC-managed database clusters
  Note: This user inherits the privileges/roles of the user name supplied when importing a Vertica database into MC. Vertica recommends that you use the database administrator's credentials.
- Creates the first MC user accounts and assigns them an MC configuration role
- Grants MC users access to one or more MC-managed Vertica databases by assigning Database privileges to each user
The MC super administrator account is unique. Unlike other MC users you create, including other MC administrators, the MC super account cannot be altered or dropped, and you cannot grant the SUPER role to other MC users. The only property you can change for the MC super is the password. Otherwise the SUPER role has the same privileges on MC as the ADMIN Role (MC).
On MC-managed Vertica databases, SUPER has the same privileges as ADMIN Role (DB).
The MC super account does not exist within the LDAP server. This account is also different from the special dbadmin account that gets created during a Vertica installation, whose privileges are governed by the DBADMIN role. The Vertica-created dbadmin is a Linux account that owns the database catalog and storage locations and can bypass database authorization rules, such as creating or dropping schemas, roles, and users. The MC super does not have the same privileges as dbadmin.
ADMIN role (MC)
An MC user with the ADMIN role can perform all administrative operations on Management Console, including configuring and restarting the MC process and adding, changing, and removing all user accounts. By default, MC administrators inherit the database privileges of the main database user account used to set up the database on the MC interface. Therefore, MC administrators have access to all MC-managed databases. Grant the ADMIN role to users you want to be MC administrators.
The difference between an MC ADMIN user and the default Linux account that holds the MC SUPER role is that you cannot alter or delete the MC SUPER account, and you cannot grant the SUPER role to any other MC users. You can, however, change the access level for other MC administrators, and you can delete their accounts from the MC interface.
There is also the ADMIN Role (DB), which controls a user's access to MC-managed databases. The two ADMIN roles are similar, but they are not the same. You do not need to grant users with the ADMIN (MC) role an ADMIN (DB) role, because MC ADMIN users automatically inherit all database privileges of the main database user account that was created on or imported into MC.
MANAGER role (MC)
Users assigned the Manager role can configure user settings in MC. The Manager role allows full access to the User Management tab in MC Settings. Managers can also view a full list of databases monitored by MC on the Home page, view the MC log, and see non-database MC alerts.
The Manager role has similar configuration privileges to the IT configuration role. Unlike IT users, Managers can also create, edit, and delete users in User Settings.
IT role (MC)
MC IT users can monitor all MC-managed databases, view MC-level (non database) messages, logs, and alerts, disable or enable user access to MC, and reset non-LDAP user passwords. You can also assign MC IT users specific database privileges, which you do by mapping IT users to a user on a database. In this way, the MC IT user inherits the privileges assigned to the database user that they are mapped to.
There is also an IT Role (DB) that controls a user's access to MC-managed databases. If you grant an MC user both IT roles, it means the user can perform some configuration on MC and also has access to one or more MC-managed databases. The database mapping is not required, but it gives the IT user wider privileges.
NONE role (MC)
The default role for all newly-created users on MC is NONE, which prevents users granted this role from configuring the MC. When you create MC users with the NONE role, you grant them an MC database-level role. This assignment maps the MC user to a user account on a specific database and specifies that the NONE user inherits the privileges of the database user to which he or she is mapped.
Which database-level role you grant this user with NONE privileges—whether ADMIN (db) or IT (db) or USER (db)—depends on the level of access you want the user to have on the MC-managed database. Database roles have no impact on the ADMIN and IT roles at the MC configuration level.
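The inheritance rules in the role sections above decide which database account an MC user effectively acts as, which is what an access review needs to know. The following is an added example, not Vertica code and not an MC API: the inventory, the user list, the function names, and the choice of `dbadmin` as the account to flag are all constructed assumptions.

```python
# Added example with constructed data; it does not call Management Console.
# database -> account supplied when the database was imported into MC
MANAGED_DBS = {"sales": "dbadmin", "hr": "dbadmin", "logs": "mc_import"}

# MC user -> (MC configuration role, {database: mapped database user})
MC_USERS = {
    "alice": ("ADMIN", {}),
    "carol": ("IT", {"logs": "log_reader"}),
    "dave": ("NONE", {"sales": "analyst", "archive": "analyst"}),
    "erin": ("NONE", {}),
}

PRIVILEGED_ACCOUNT = "dbadmin"  # assumption: the account this review flags


def effective_db_access(role, mappings, managed=MANAGED_DBS):
    """Return {database: database account whose privileges the MC user inherits}."""
    if role in ("SUPER", "ADMIN"):
        # MC administrators inherit the import account on every managed database.
        return dict(managed)
    # Assumption: every other role reaches a database only through a mapping.
    return {db: acct for db, acct in mappings.items() if db in managed}


def review(users, managed=MANAGED_DBS):
    """Return sorted (user, finding) pairs for an access review."""
    findings = []
    for name, (role, mappings) in users.items():
        access = effective_db_access(role, mappings, managed)
        admin_dbs = sorted(db for db, acct in access.items()
                           if acct == PRIVILEGED_ACCOUNT)
        if admin_dbs:
            findings.append((name, "inherits dbadmin on " + ", ".join(admin_dbs)))
        # A mapping to a database MC no longer manages is stale.
        for db in sorted(set(mappings) - set(managed)):
            findings.append((name, "mapping to unmanaged database " + db))
        if role == "NONE" and not access:
            findings.append((name, "NONE role with no database mapping"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review(MC_USERS):
        print(f"{user}: {finding}")
```

The first finding is the one to act on: an MC ADMIN grant carries the import account's database privileges on every managed database, even though no database role was assigned.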
MC configuration privileges by user role
You grant the following configuration privileges by MC role.
MC access privileges | ADMIN | MANAGER | IT | NONE |
---|---|---|---|---|
Configure MC settings: | Yes | | | |
Configure user settings: | Yes | Yes | | |
Configure user settings: | Yes | Yes | Yes | |
Monitor user activity on MC using audit log | Yes | | | |
Create and manage databases and clusters: | Yes | | | |
Reset MC to its original, preconfigured state | Yes | | | |
Restart Management Console | Yes | | | |
View full list of databases monitored by MC | Yes | Yes | Yes | |
View MC log | Yes | Yes | | |
View non-database MC alerts | Yes | Yes | Yes | Yes |