Users, roles, and privileges

• 1: Users in Management Console
• 1.1: Creating an MC user
• 1.2: Managing MC users
• 1.3: Granting database access to MC users
• 1.4: Managing MC user passwords
• 2: Configuration privileges
• 3: Database privileges

1 - Users in Management Console

Unlike database users, which you create on the Vertica database and then grant privileges and roles through SQL statements, you create MC users on the Management Console interface. MC users are external to the database. Their information is stored on an internal database on the MC application/web server. Their access to both MC and to databases managed by MC is controlled by groups of privileges (also referred to as access levels). MC users are not system (Linux) users; they are entries in the MC internal database.

Permission group types

There are two types of permission groups on MC, those that apply to MC configuration and those that apply to database access:

• MC configuration privileges are made up of roles that control what users can configure on the Management Console, such as modify MC settings, create and import Vertica databases, restart MC, create a Vertica cluster through the MC interface, and create and manage MC users.

• MC database privileges are made up of roles that control what users can see or do on a Vertica database monitored by MC, such as view the database cluster state, query and session activity, monitor database messages and read log files, replace cluster nodes, and stop databases.

If you are using MC, you might want to allow one or more users in your organization to configure and manage MC, and you might want other users to have database access only. You can meet these requirements by creating MC users and granting them a role from each privileges group. See Creating an MC user for details.

MC user types

The following table describes the five types of role-based users on MC:

For details about each role, see Configuration privileges.

You create users and grant them privileges (through roles) on the MC Settings page in the User management tab.

Creating users and choosing an authentication method

You create users and grant them privileges (through roles) on the MC Settings page. You can also choose how to authenticate their access to MC.

• To add users who are authenticated against the MC, click User Management
• To add users who are authenticated through your organization's LDAP repository, click Authentication

MC supports only one method for authentication, so if you choose MC, all MC users will be authenticated using their MC login credentials.

Default MC users

The MC super account is the only default user. The super or another MC administrator must create all other MC users.

See also

• Users, roles, and privileges
• Granting database access to MC users

1.1 - Creating an MC user

MC provides two authentication schemes for MC users: LDAP or MC (internal). The method you choose when you configure MC is the method MC uses to authenticate all MC users. It is not possible to authenticate some MC users against LDAP and other MC users against credentials in the database through MC.

• MC (internal) authentication. Internal user authorization is specific to MC itself. You create a user with a username and password combination. This method stores MC user information in an internal database on the MC application/web server, and encrypts passwords. Note that these MC users are not system (Linux) users; they are entries in the MC’s internal database.

• LDAP authentication. All MC users—except for the MC super administrator, which is a Linux account—are authenticated based on search criteria against your organization's LDAP repository. MC uses information from LDAP for authentication purposes only and does not modify LDAP information. Also, MC does not store LDAP passwords but passes them to the LDAP server for authentication.

Instructions for creating new MC users are in this topic.

• If you chose MC authentication, follow the instructions under Create a New User Authenticated by MC.

• If you chose LDAP authentication, follow the instructions under Create a New User from LDAP.

See Configuring Management Console, Users in Management Console and LDAP authenticationfor more information.

Prerequisites

Before you create an MC user, ensure that:

• You have created a database directly on the server or through the MC interface, or you imported an existing database cluster into the MC interface. See Managing database clusters.

• You have created a database user account (source user) on the server, which has the privileges and/or roles you want to map to the new (target) MC user. See Creating a database user.

• You know which MC privileges you want to grant to the new MC user. See Users, roles, and privileges.

• You will be mapping the MC user to a Vertica DB user who has sysmonitor privileges assigned, or to the Vertica database super user. Without sysmonitor (or super user) privileges, the mapped MC user will not be able to view information in MC monitoring tables, and will not be able to load Kafka streaming data.

If you have not yet met the first two above prerequisites, you can still create new MC users; you just won't be able to map them to a database until after the database and target database user exist. To grant MC users database access later, see Granting database access to MC users.

Create a new user authenticated by MC

1. Sign in to MC as an administrator and navigate to MC Settings > User Management.

2. Click Add.

3. Enter the MC username.

   Note

   It is not necessary to give the MC user the exact same name as the database user account you'll map the MC user to in Step 7. What matters is that the source database user has privileges and/or roles similar to the database role you want to grant the MC user. The most likely scenario is that you map multiple MC users to a single database user account.

4. Let MC generate a password or create one by clicking Edit password. If LDAP has been configured, the MC password field will not appear.

5. Optionally enter the user's e-mail address.

6. Select an MC configuration permissions level. See Configuration privileges. Your choice in this field also fills in the appropriate User API Key value.

7. Next to the DB access levels section, click Add to grant this user database permissions.

   1. Choose a database. Select a database from the list of MC-discovered (databases that were created on or imported into the MC interface).

   2. Database username. Enter an existing database user name or, if the database is running, click the ellipsis [...] to browse for a list of database users, and select a name from the list.

   3. Database password. Enter the password to the database user account (not this username's password).

   4. Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.

   5. Click OK to close the Add permissions dialog box.

   6. If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See MC certificates wizard.

8. Leave the user's Status as enabled (the default). If you need to prevent this user from accessing MC, select disabled.

9. Click Add User to finish.

Create a new LDAP-authenticated user

When you add a user from LDAP on the MC interface, options on the Add a new user dialog box are slightly different from when you create users without LDAP authentication. Because passwords are store externally (LDAP server) the password field does not appear. An MC administrator can override the default LDAP search string if the user is found in another branch of the tree. The Add user field is pre-populated with the default search path entered when LDAP was configured.

1. Sign in to MC and navigate to MC Settings > User management.

2. Click Add and provide the following information:

   1. LDAP user name.

   2. LDAP search string.

   3. User attribute, and click Verify user.

   4. User's email address.

   5. MC configuration role. NONE is the default. See Configuration privileges for details.

   6. Database access level. See Database privileges for details.

   7. Accept or change the default user's Status (enabled).

3. Click Add user.

If you encounter issues when creating new users from LDAP, you'll need to contact your organization's IT department.

How MC validates new users

After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.

If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.

See also

• Configuring Management Console
• Users, roles, and privileges
• Users in Management Console
• Granting database access to MC users
• Creating a database user

1.2 - Managing MC users

You manage MC users through the following pages on the Management Console interface:

• MC Settings > User management

• MC Settings > Resource access

Who manages users

The MC superuser administrator (SUPER Role (MC)) and users granted ADMIN role (MC) manage all aspects of users, including their access to MC and to MC-managed databases.

Users granted IT Role (MC) can enable and disable user accounts. For more information, see Users, roles, and privileges and Users in Management Console.

Editing an MC user's information follows almost the same steps as creating a new user, except that you select an existing user and click Edit. The user's information will be pre-populated, so that you can edit and save it.

The only user account you cannot alter or remove from the MC interface is the MC super account.

For details about each user type, see Configuration privileges.

What kind of user information you can manage

You can change the following user properties:

• MC password

• Email address. This field is optional. If the user is authenticated against LDAP, the email field is pre-populated with that user's email address if one exists.

• Configuration privileges role

• Database privileges role

You can also change a user's status (enable/disable access to MC) and delete users.

About user names

After you create and save a user, you cannot change that user's MC user name, but you can delete the user account and create a new user account under a new name. The only thing you lose by deleting a user account is its audit activity, but MC immediately resumes logging activity under the user's new account.

1.3 - Granting database access to MC users

If you did not grant an MC user a database-level role when you created the user account, you can do so in the User Management tab in MC Settings.

Granting the user an MC database-level role associates the MC user with a database user's privileges and ensures that the MC user cannot do or see anything not allowed by the privileges set up for the user account on the server database. When that MC user logs in to MC, his or her MC privileges for database-related activities are compared to that user's privileges on the database itself. Only when the user has both MC privileges and corresponding database privileges will the operations be exposed in the MC interface.

Prerequisites

Before you grant database access to an MC user, see the prerequisites in Creating an MC user.

Grant a database-level role to an MC user

1. Log in to Management Console as an administrator and navigate to MC Settings > User management.

2. Select an MC user and click Edit.

3. Verify the Configuration privileges are what you want them to be. NONE is the default.

4. Next to the DB access levels section, click Add and provide the following database access credentials:

   1. Choose a database. Select a database from the list of MC-discovered (databases that were created on or imported into the MC interface).

   2. Database username. Enter an existing database user name or, if the database is running, click the ellipsis [...] to browse for a list of database users, and select a name from the list.

   3. Database password. Enter the password to the database user account (not this username's password).

   4. Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.

   5. Click OK to close the Add permissions dialog box.

   6. If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See MC certificates wizard.

5. Optionally change the user's Status (enabled is the default).

6. Click Save.

How MC validates new users

After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.

If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.

1.4 - Managing MC user passwords

MC user passwords must be different from the username and must contain at least one of each of the following character types:

• Upper-case

• Lower-case

• Numeric

• Special: ~ ! @ # $ % ^ & * ( ) _ + = - [ ] / ? > < , .

Configurable password requirements

You can configure additional password requirements by navigating to Home > MC Settings > Configuration > MC Password configuration settings.

Security questions

When a user creates an MC account, they must set security questions. If a user forgets their password, they can reset their password by answering these questions. These answers:

• must only contain letters, numbers, and spaces
• must be between 2 and 30 characters in length, inclusive
• are case insensitive

2 - Configuration privileges

When you create a Management Console (MC) user, you assign them an MC configuration access level (role). MC roles control a user's ability to create users and manage MC settings on the MC interface.

You can assign a user one of the following MC access levels:

• ADMIN Role (MC): Full access to all MC functionality.

• Manager Role (MC): Access to MC user management functionality. Access to non-database MC alerts.

• IT Role (MC): Limited access to MC user management functionality. Access to MC log and to non-database MC alerts.

• NONE Role (MC): Database access only, to the databases an administrator assigns to this user.

You grant MC configuration privileges at the same time you create the user's account, on the User Management tab of the MC Settings page. You can change MC access levels using this page. See Creating an MC user for details.

You can also use the User Management tab to grant users access to one or more databases managed by MC. See Database privilegesfor details.

SUPER role (MC)

The default superuser administrator, called Super on the MC UI, is a Linux user account that gets created when you install and configure MC. During the configuration process, you can assign the Super any name you like; it need not be dbadmin.

The MC SUPER role, a superset of the ADMIN Role (MC), has the following privileges:

• Oversees the entire Management Console, including all MC-managed database clusters

  Note

  This user inherits the privileges/roles of the user name supplied when importing a Vertica database into MC. Vertica recommends that you use the database administrator's credentials.

• Creates the first MC user accounts and assigns them an MC configuration role

• Grants MC users access to one or more MC-managed Vertica databases by assigning Database privileges to each user

The MC super administrator account is unique. Unlike other MC users you create, including other MC administrators, the MC super account cannot be altered or dropped, and you cannot grant the SUPER role to other MC users. The only property you can change for the MC super is the password. Otherwise the SUPER role has the same privileges on MC as the ADMIN Role (MC).

On MC-managed Vertica databases, SUPER has the same privileges as ADMIN Role (DB).

The MC super account does not exist within the LDAP server. This account is also different from the special dbadmin account that gets created during a Vertica installation, whose privileges are governed by the DBADMIN. The Vertica-created dbadmin is a Linux account that owns the database catalog and storage locations and can bypass database authorization rules, such as creating or dropping schemas, roles, and users. The MC super does not have the same privileges as dbadmin.

ADMIN role (MC)

This user account is the user who can perform all administrative operations on Management Console, including configure and restart the MC process and add, change, and remove all user accounts. By default, MC administrators inherit the database privileges of the main database user account used to set up the database on the MC interface. Therefore, MC administrators have access to all MC-managed databases. Grant the ADMIN role to users you want to be MC administrators.

The difference between this ADMIN user and the default Linux account, the MC SUPER Role, is you cannot alter or delete the MC SUPER account, and you can't grant the SUPER role to any other MC users. You can, however, change the access level for other MC administrators, and you can delete this user's accounts from the MC interface.

There is also the ADMIN Role (DB) that controls a user's access to MC-managed databases. The two ADMIN roles are similar, but they are not the same, and you do not need to grant users with the ADMIN (mc) role an ADMIN (db) role because MC ADMIN users automatically inherit all database privileges of the main database user account that was created on or imported into MC.

MANAGER role (MC)

Users assigned the Manager role can configure user settings in MC. The Manager role allows full access to the User Management tab in MC Settings. Managers can also view a full list of databases monitored by MC on the Home page, view the MC log, and see non-database MC alerts.

The Manager role has similar configuration privileges to the IT configuration role. Unlike IT users, Managers can also create, edit, and delete users in User Settings.

IT role (MC)

MC IT users can monitor all MC-managed databases, view MC-level (non database) messages, logs, and alerts, disable or enable user access to MC, and reset non-LDAP user passwords. You can also assign MC IT users specific database privileges, which you do by mapping IT users to a user on a database. In this way, the MC IT user inherits the privileges assigned to the database user that they are mapped to.

There is also an IT Role (DB) that controls a user's access to MC-managed databases. If you grant an MC user both IT roles, it means the user can perform some configuration on MC and also has access to one or more MC-managed databases. The database mapping is not required, but it gives the IT user wider privileges.

NONE role (MC)

The default role for all newly-created users on MC is NONE, which prevents users granted this role from configuring the MC. When you create MC users with the NONE role, you grant them an MC database-level role. This assignment maps the MC user to a user account on a specific database and specifies that the NONE user inherits the database user’s privileges to which he or she is mapped.

Which database-level role you grant this user with NONE privileges—whether ADMIN (db) or IT (db) or USER (db)—depends on the level of access you want the user to have on the MC-managed database. Database roles have no impact on the ADMIN and IT roles at the MC configuration level.

MC configuration privileges by user role

You grant the following configuration privileges by MC role.

See also

• Users, roles, and privileges
• Users in Management Console
• Users, roles, and privileges
• Database privileges
• Creating an MC user
• Granting database access to MC users

3 - Database privileges

When you create Management Console (MC) users, you first assign them MC configuration privileges, which controls what they can do on the MC itself. In the same user-creation operation, you grant access to one or more MC-managed databases. MC database access does not give the MC user privileges directly on Vertica; it provides MC users varying levels of access to assigned database functionality through the MC interface.

Assign users an MC database level through one of the following roles:

• ADMIN Role (DB): Full access to all databases managed by MC. Actual privileges ADMINs inherit depend on the database user account used to create or import the Vertica database into the MC interface.

• Associate Role (DB): Full access to all databases managed by MC. Cannot start, stop, or drop a database. Actual privileges that Associates receive depend on those defined for the database user account to which the Associate user is mapped.

• IT Role (DB): Can start and stop a database but cannot remove it from the MC interface or drop it.

• USER Role (DB): Can view database information through the database Overview and Activities pages but is restricted from viewing more detailed data.

ADMIN role (DB)

ADMIN is a superuser with full privileges to monitor MC-managed database activity and messages. Other database privileges (such as stop or drop the database) are governed by the user account on the Vertica database that this ADMIN (db) user is mapped to. ADMIN is the most permissive role and is a superset of privileges granted to the Associate, IT, and USER roles.

There is also an MC configuration administrator role that defines what the user can change on the MC itself. The two ADMIN roles are not the same. Unlike the MC configuration role of ADMIN, which can manage all MC users and all databases imported into the UI, the MC database ADMIN role has privileges only on the databases you map this user to. See ADMIN Role (MC) for additional details.

Associate role (DB)

The Associate role is an MC database access role. It is similar to the Admin role. It has privileges to monitor activity and messages on databases managed by MC. Unlike Admin users, Associate users cannot start, stop, or drop the database. The Associate user role is mapped to a user account on the database. This mapped user role determines what other database privileges the Associate role has (such as modifying settings, installing licenses, and viewing the database designer).

The following database operations depend on the database user's role that you mapped this Associate user to:

• Install or audit a license

• Manage database settings

• View Database Designer

• View the database Activity page

  Note

  Database access granted through Management Console never overrides roles granted on a specific Vertica database.

IT role (DB)

IT can view most details about an MC-managed database, such as messages (and mark them read/unread), the database overall health and activity/resources, cluster and node state, and MC settings. You grant and manage user role assignments through the MC Settings > User management page on the MC.

There is also an IT role at the MC configuration access level. The two IT roles are similar, but they are not the same. If you grant an MC user both IT roles, it means the user can perform some configuration on MC and also has access to one or more MC-managed databases. For additional details, see IT Role (MC).

User role (DB)

USER has limited database privileges, such as viewing database cluster health, activity/resources, and messages. MC users granted the USER database role might have higher levels of permission on the MC itself, such as the IT Role (MC). Alternatively, USER users might have no (NONE) privileges to configure MC. How you combine the two levels is up to you.

Mapping MC users to a database to avoid conflicts

When you assign an MC database level to an MC user, map the MC user account to a database user account to ensure that:

• The MC user inherits the privileges assigned to that database user

• You prevent the MC user from doing or seeing anything not allowed by the privileges for the user account on the server database

Privileges assigned to the database user supersede privileges of the MC user if there is a conflict, such as stopping a database. When the MC user logs into MC using an MC user name and password, Vertica compares privileges for database-related activities to the privileges on the database account to which you mapped the MC user. Vertica allows the user to perform operations in MC only when that user has both MC privileges and corresponding database privileges.

See Creating an MC user for more information.

MC database privileges by role

The following table summarizes MC database-level privileges by user role. The table shows the default privileges each role has. Operations marked "database user privilege" are dependent on the privileges of the Vertica database user account to which the MC user is mapped.