Database privileges


When you create Management Console (MC) users, you first assign them MC configuration privileges, which control what they can do on the MC itself. In the same user-creation operation, you grant access to one or more MC-managed databases. MC database access does not give the MC user privileges directly on Vertica; it provides MC users varying levels of access to assigned database functionality through the MC interface.

Assign users an MC database level through one of the following roles:

  • ADMIN Role (DB): Full access to all databases managed by MC. Actual privileges ADMINs inherit depend on the database user account used to create or import the Vertica database into the MC interface.

  • Associate Role (DB): Full access to all databases managed by MC. Cannot start, stop, or drop a database. Actual privileges that Associates receive depend on those defined for the database user account to which the Associate user is mapped.

  • IT Role (DB): Can start and stop a database but cannot remove it from the MC interface or drop it.

  • USER Role (DB): Can view database information through the database Overview and Activities pages but is restricted from viewing more detailed data.

ADMIN role (DB)

ADMIN is a superuser with full privileges to monitor MC-managed database activity and messages. Other database privileges (such as stop or drop the database) are governed by the user account on the Vertica database that this ADMIN (db) user is mapped to. ADMIN is the most permissive role and is a superset of privileges granted to the Associate, IT, and USER roles.

There is also an MC configuration administrator role that defines what the user can change on the MC itself. The two ADMIN roles are not the same. Unlike the MC configuration role of ADMIN, which can manage all MC users and all databases imported into the UI, the MC database ADMIN role has privileges only on the databases you map this user to. See ADMIN Role (MC) for additional details.

Associate role (DB)

The Associate role is an MC database access role. It is similar to the Admin role. It has privileges to monitor activity and messages on databases managed by MC. Unlike Admin users, Associate users cannot start, stop, or drop the database. The Associate user role is mapped to a user account on the database. This mapped user role determines what other database privileges the Associate role has (such as modifying settings, installing licenses, and viewing the database designer).

The following database operations depend on the database user's role that you mapped this Associate user to:

  • Install or audit a license

  • Manage database settings

  • View Database Designer

  • View the database Activity page

IT role (DB)

IT can view most details about an MC-managed database, such as messages (and mark them read/unread), the database's overall health and activity/resources, cluster and node state, and MC settings. You grant and manage user role assignments through the MC Settings > User management page on the MC.

There is also an IT role at the MC configuration access level. The two IT roles are similar, but they are not the same. If you grant an MC user both IT roles, it means the user can perform some configuration on MC and also has access to one or more MC-managed databases. For additional details, see IT Role (MC).

User role (DB)

USER has limited database privileges, such as viewing database cluster health, activity/resources, and messages. MC users granted the USER database role might have higher levels of permission on the MC itself, such as the IT Role (MC). Alternatively, USER users might have no (NONE) privileges to configure MC. How you combine the two levels is up to you.

Mapping MC users to a database to avoid conflicts

When you assign an MC database level to an MC user, map the MC user account to a database user account to ensure that:

  • The MC user inherits the privileges assigned to that database user

  • You prevent the MC user from doing or seeing anything not allowed by the privileges for the user account on the server database

Privileges assigned to the database user supersede privileges of the MC user if there is a conflict, such as stopping a database. When the MC user logs into MC using an MC user name and password, Vertica compares privileges for database-related activities to the privileges on the database account to which you mapped the MC user. Vertica allows the user to perform operations in MC only when that user has both MC privileges and corresponding database privileges.

See Creating an MC user for more information.

MC database privileges by role

The following table summarizes MC database-level privileges by user role. The table shows the default privileges each role has. Operations marked "database user privilege" are dependent on the privileges of the Vertica database user account to which the MC user is mapped.

| Default database-level privileges | ADMIN | ASSOCIATE | IT | USER |
|---|---|---|---|---|
| View database Overview page | Yes | Yes | Yes | Yes |
| View database messages | Yes | Yes | Yes | Yes |
| Delete messages and mark read/unread | Yes | Yes | Yes | |
| Audit and install Vertica licenses | Database user privilege | Database user privilege | | |
| View database Activity page: Queries chart, Internal Sessions chart, User Sessions chart, System Bottlenecks chart, User Query Phases chart | Yes | Database user privilege | Database user privilege | Database user privilege |
| View database Activity page: Queries chart > Detail page, Table Treemap chart, Query Monitoring chart, Resource Pools Monitoring chart | Database user privilege | Database user privilege | | |
| Start a database | Yes | | | |
| Rebalance, stop, or drop databases | Database user privilege | | | |
| View Manage page | Yes | Yes | Yes | Yes |
| View node details | Yes | Yes | Yes | |
| Replace, add, or remove nodes | Database user privilege | | | |
| Start/stop a node | Yes | | | |
| View database Settings page | Yes | Yes | Yes | |
| Modify database Settings page | Database user privilege | Database user privilege | | |
| View Database Designer | Database user privilege | Database user privilege | | |
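
The following sketch is an added example, not Vertica documentation or product code. It models the table above and the mapping rule from "Mapping MC users to a database to avoid conflicts", so you can review what an MC user can effectively do and what a remapping would newly allow. Assumptions: the operation names are hypothetical labels for the table rows, blank cells mean "not granted", rows with fewer than four values are read as filling the columns from ADMIN rightward, and the set of operations the mapped database account permits is supplied by the caller.

```python
# Added example: model of the MC database-privilege table on this page.
# Cell codes: "Y" = granted by the MC role, "D" = depends on the mapped
# database user's privileges, "-" = not granted (blank cell in the table).
ROLES = ("ADMIN", "ASSOCIATE", "IT", "USER")

# Assumption: in rows with fewer than four values, the values fill the
# columns from ADMIN rightward. Keys are hypothetical labels for the rows.
MATRIX = {
    "view_overview":            "YYYY",
    "view_messages":            "YYYY",
    "delete_mark_messages":     "YYY-",
    "audit_install_license":    "DD--",
    "view_activity_basic":      "YDDD",
    "view_activity_detail":     "DD--",
    "start_database":           "Y---",
    "rebalance_stop_drop":      "D---",
    "view_manage":              "YYYY",
    "view_node_details":        "YYY-",
    "replace_add_remove_nodes": "D---",
    "start_stop_node":          "Y---",
    "view_settings":            "YYY-",
    "modify_settings":          "DD--",
    "view_database_designer":   "DD--",
}

def effective(role, db_user_privs):
    """Operations available in MC for a role, given the set of operations
    the mapped database account is permitted (caller-supplied input)."""
    col = ROLES.index(role.upper())
    return {op for op, cells in MATRIX.items()
            if cells[col] == "Y" or (cells[col] == "D" and op in db_user_privs)}

def mapping_dependent(role):
    """Operations decided solely by the mapped database account."""
    col = ROLES.index(role.upper())
    return {op for op, cells in MATRIX.items() if cells[col] == "D"}

def gained_on_remap(role, current_privs, proposed_privs):
    """Operations an MC user would newly get if remapped to another account."""
    return effective(role, proposed_privs) - effective(role, current_privs)

if __name__ == "__main__":
    # Constructed scenario: an Associate moved from an account with no
    # relevant privileges to one that permits every operation.
    for op in sorted(gained_on_remap("ASSOCIATE", set(), set(MATRIX))):
        print("newly allowed:", op)
```

Running `gained_on_remap` before changing a mapping shows which operations the change would add for that user, which is the part of the access decision that the MC role alone does not reveal.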