Users in Management Console

• 1: Creating an MC user
• 2: Managing MC users
• 3: Granting database access to MC users
• 4: Managing MC user passwords

1 - Creating an MC user

MC provides two authentication schemes for MC users: LDAP or MC (internal). The method you choose when you configure MC is the method MC uses to authenticate all MC users. It is not possible to authenticate some MC users against LDAP and other MC users against credentials in the database through MC.

• MC (internal) authentication. Internal user authorization is specific to MC itself. You create a user with a username and password combination. This method stores MC user information in an internal database on the MC application/web server, and encrypts passwords. Note that these MC users are not system (Linux) users; they are entries in the MC’s internal database.

• LDAP authentication. All MC users—except for the MC super administrator, which is a Linux account—are authenticated based on search criteria against your organization's LDAP repository. MC uses information from LDAP for authentication purposes only and does not modify LDAP information. Also, MC does not store LDAP passwords but passes them to the LDAP server for authentication.

Instructions for creating new MC users are in this topic.

• If you chose MC authentication, follow the instructions under Create a New User Authenticated by MC.

• If you chose LDAP authentication, follow the instructions under Create a New User from LDAP.

See Configuring Management Console, Users in Management Console and LDAP authenticationfor more information.

Prerequisites

Before you create an MC user, ensure that:

• You have created a database directly on the server or through the MC interface, or you imported an existing database cluster into the MC interface. See Managing database clusters.

• You have created a database user account (source user) on the server, which has the privileges and/or roles you want to map to the new (target) MC user. See Creating a database user.

• You know which MC privileges you want to grant to the new MC user. See Users, roles, and privileges.

• You will be mapping the MC user to a Vertica DB user who has sysmonitor privileges assigned, or to the Vertica database super user. Without sysmonitor (or super user) privileges, the mapped MC user will not be able to view information in MC monitoring tables, and will not be able to load Kafka streaming data.

If you have not yet met the first two above prerequisites, you can still create new MC users; you just won't be able to map them to a database until after the database and target database user exist. To grant MC users database access later, see Granting database access to MC users.

Create a new user authenticated by MC

1. Sign in to MC as an administrator and navigate to MC Settings > User Management.

2. Click Add.

3. Enter the MC username.

   Note

   It is not necessary to give the MC user the exact same name as the database user account you'll map the MC user to in Step 7. What matters is that the source database user has privileges and/or roles similar to the database role you want to grant the MC user. The most likely scenario is that you map multiple MC users to a single database user account.

4. Let MC generate a password or create one by clicking Edit password. If LDAP has been configured, the MC password field will not appear.

5. Optionally enter the user's e-mail address.

6. Select an MC configuration permissions level. See Configuration privileges. Your choice in this field also fills in the appropriate User API Key value.

7. Next to the DB access levels section, click Add to grant this user database permissions.

   1. Choose a database. Select a database from the list of MC-discovered (databases that were created on or imported into the MC interface).

   2. Database username. Enter an existing database user name or, if the database is running, click the ellipsis [...] to browse for a list of database users, and select a name from the list.

   3. Database password. Enter the password to the database user account (not this username's password).

   4. Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.

   5. Click OK to close the Add permissions dialog box.

   6. If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See MC certificates wizard.

8. Leave the user's Status as enabled (the default). If you need to prevent this user from accessing MC, select disabled.

9. Click Add User to finish.

Create a new LDAP-authenticated user

When you add a user from LDAP on the MC interface, options on the Add a new user dialog box are slightly different from when you create users without LDAP authentication. Because passwords are store externally (LDAP server) the password field does not appear. An MC administrator can override the default LDAP search string if the user is found in another branch of the tree. The Add user field is pre-populated with the default search path entered when LDAP was configured.

1. Sign in to MC and navigate to MC Settings > User management.

2. Click Add and provide the following information:

   1. LDAP user name.

   2. LDAP search string.

   3. User attribute, and click Verify user.

   4. User's email address.

   5. MC configuration role. NONE is the default. See Configuration privileges for details.

   6. Database access level. See Database privileges for details.

   7. Accept or change the default user's Status (enabled).

3. Click Add user.

If you encounter issues when creating new users from LDAP, you'll need to contact your organization's IT department.

How MC validates new users

After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.

If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.

See also

• Configuring Management Console
• Users, roles, and privileges
• Users in Management Console
• Granting database access to MC users
• Creating a database user

2 - Managing MC users

You manage MC users through the following pages on the Management Console interface:

• MC Settings > User management

• MC Settings > Resource access

Who manages users

The MC superuser administrator (SUPER Role (MC)) and users granted ADMIN role (MC) manage all aspects of users, including their access to MC and to MC-managed databases.

Users granted IT Role (MC) can enable and disable user accounts. For more information, see Users, roles, and privileges and Users in Management Console.

Editing an MC user's information follows almost the same steps as creating a new user, except that you select an existing user and click Edit. The user's information will be pre-populated, so that you can edit and save it.

The only user account you cannot alter or remove from the MC interface is the MC super account.

For details about each user type, see Configuration privileges.

What kind of user information you can manage

You can change the following user properties:

• MC password

• Email address. This field is optional. If the user is authenticated against LDAP, the email field is pre-populated with that user's email address if one exists.

• Configuration privileges role

• Database privileges role

You can also change a user's status (enable/disable access to MC) and delete users.

About user names

After you create and save a user, you cannot change that user's MC user name, but you can delete the user account and create a new user account under a new name. The only thing you lose by deleting a user account is its audit activity, but MC immediately resumes logging activity under the user's new account.

3 - Granting database access to MC users

If you did not grant an MC user a database-level role when you created the user account, you can do so in the User Management tab in MC Settings.

Granting the user an MC database-level role associates the MC user with a database user's privileges and ensures that the MC user cannot do or see anything not allowed by the privileges set up for the user account on the server database. When that MC user logs in to MC, his or her MC privileges for database-related activities are compared to that user's privileges on the database itself. Only when the user has both MC privileges and corresponding database privileges will the operations be exposed in the MC interface.

Prerequisites

Before you grant database access to an MC user, see the prerequisites in Creating an MC user.

Grant a database-level role to an MC user

1. Log in to Management Console as an administrator and navigate to MC Settings > User management.

2. Select an MC user and click Edit.

3. Verify the Configuration privileges are what you want them to be. NONE is the default.

4. Next to the DB access levels section, click Add and provide the following database access credentials:

   1. Choose a database. Select a database from the list of MC-discovered (databases that were created on or imported into the MC interface).

   2. Database username. Enter an existing database user name or, if the database is running, click the ellipsis [...] to browse for a list of database users, and select a name from the list.

   3. Database password. Enter the password to the database user account (not this username's password).

   4. Restricted access. Choose a database level (ADMIN, IT, or USER) for this user.

   5. Click OK to close the Add permissions dialog box.

   6. If the Vertica database is configured to require TLS, select Yes in the Use TLS Connection drop-down. MC launches the Certificates wizard to let you configure TLS. See MC certificates wizard.

5. Optionally change the user's Status (enabled is the default).

6. Click Save.

How MC validates new users

After you click OK to close the Add permissions dialog box, MC tries to validate the database username and password entered against the selected MC-managed database or against your organization's LDAP directory. If the credentials are found to be invalid, you are asked to re-enter them.

If the database is not available at the time you create the new user, MC saves the username/password and prompts for validation when the user accesses the Database and Clusters page later.

4 - Managing MC user passwords

MC user passwords must be different from the username and must contain at least one of each of the following character types:

• Upper-case

• Lower-case

• Numeric

• Special: ~ ! @ # $ % ^ & * ( ) _ + = - [ ] / ? > < , .

Configurable password requirements

You can configure additional password requirements by navigating to Home > MC Settings > Configuration > MC Password configuration settings.

Security questions

When a user creates an MC account, they must set security questions. If a user forgets their password, they can reset their password by answering these questions. These answers:

• must only contain letters, numbers, and spaces
• must be between 2 and 30 characters in length, inclusive
• are case insensitive