Users, roles, and privileges in MC

If you are a Management Console (MC) administrator, you can use MC Settings to grant MC users privileges on one or more Vertica databases, by assigning database roles and mapping each MC user to a Vertica database user.

A Management Console (MC) user is separate from a Linux system user or a Vertica server database user. An MC user account exists only within the MC. Each MC user account requires two sets of privileges:

  • MC configuration roles that grant access to MC functionality and user administration.
  • Database privileges that grant access to a database that is managed by the MC.

Default user

The MC SUPER administrator account is the only default user, and it is created when you configure the MC. The MC SUPER administrator is the only user that can set up federated servers or identity provider (IDP) user authentication. For additional details about MC SUPER administrator privileges, see Configuration roles in MC.

Authorization

You can control what a user is authorized to access in the MC and what actions a user can perform with their associated databases.

Configuration roles

Each MC configuration role is predefined with a set of privileges that control which Management Console features the user can access. Configuration privileges include the following:

  • Modify MC settings
  • Create and import Vertica databases
  • Restart the MC
  • Create a Vertica cluster with MC
  • Create and administer user profiles

For details about each role, see Configuration roles in MC.

Database privileges

Database privileges are granted with predefined roles that determine what a user can access and the available actions on a Vertica database that is created by or imported to the MC. Database privileges include the following:

  • View the database cluster state
  • Access query and session activity
  • Monitor database messages
  • Read log files
  • Replace cluster nodes
  • Stop databases

For details about each role, see Database privileges.

Authentication

The MC supports the following methods for authenticating MC users:

  • Local: Users are authenticated internally in the MC.
  • Federated: Authenticate MC users with a Federation server.
  • Identity Provider (IDP): Authenticate MC users with your corporate identity provider.

For details about implementing each authentication method, see User authentication in MC.

1 - Configuration roles in MC

When you create a Management Console (MC) user, you assign them an MC configuration access level (role).

A configuration role is a predefined role with a set of privileges that determine what users can configure on the Management Console. You grant configuration privileges on MC Settings > User Management when you add or edit a user account.

The following table provides a brief overview of each role:

Role     Description
SUPER    A Linux user account, the MC SUPER administrator is the default superuser that is created when you configure the MC.
Admin    Full access to all MC functionality and to all databases managed by the MC.
Manager  Access to MC user settings; monitors all databases managed by the MC and views non-database MC alerts.
IT       Limited access to MC user settings; monitors all databases managed by the MC, MC logs, and non-database MC alerts.
None     No configuration privileges. The user can still access one or more databases managed by the MC through database privileges.

Super

The MC SUPER administrator is a Linux user account that is created when you configure the MC. This user account is unique: it cannot be altered or dropped, and you cannot grant the SUPER role to other MC users. The only property you can change for the MC SUPER administrator is the password.

The MC SUPER administrator is a Local user account, so the MC authenticates it itself and stores its login credentials and profile information internally. This account is different from the dbadmin account that is created when you install Vertica. The dbadmin account is a Linux account that owns the database catalog and storage locations and that bypasses database authorization rules, for example when creating or dropping schemas, roles, and users. The MC SUPER administrator does not have dbadmin's privileges.

The MC SUPER administrator has the following privileges:

  • Oversee the entire Management Console, including all database clusters managed by the MC.

  • Create the first MC user account.

  • Assign MC configuration roles.

  • Grant database privileges to one or more databases managed by MC.

  • Configure federated server and identity provider authentication methods. For details, see User authentication in MC.

On MC-managed Vertica databases, the MC SUPER administrator has the same privileges as the Admin database role.

Admin

A user with Admin configuration privileges can perform all administrative operations on the Management Console, including configuring and restarting the MC, and adding, editing, and deleting user accounts. An Admin has access to all databases that the MC manages and inherits the database privileges of the user account that sets up a database on the MC.

The Admin role grants a user the same configuration privileges as the MC SUPER administrator account, but you can alter and delete user accounts with Admin privileges.

Manager

Users assigned the Manager role can add, edit, and delete users in the MC. The Manager role grants full access to the MC Settings > User Management tab. Additionally, a Manager can view the following:

  • On the MC Home page, all databases monitored by MC.
  • MC log.
  • Non-database MC alerts.

The Manager role's database privileges are similar to those of the IT database role.

IT

Users assigned the IT role have the following privileges:

  • Monitor all MC-managed databases.
  • View non-database MC messages, logs, and alerts.
  • Disable or enable user access to MC.
  • Reset local user passwords.

You can assign IT users specific database privileges by mapping them to a user on a server database. The IT user inherits the privileges assigned to the mapped server user.

None

The default role for all MC users is None, which grants no MC configuration privileges. A common strategy is to leave the MC user at None and map it to a Vertica server database user, so that the user inherits only the database privileges of the mapped server user.

Role comparison

You grant the following configuration privileges by MC role:

Privileges                                                     Admin  Manager  IT   None

Configure MC settings:                                         Yes    No       No   No
  • Configure storage locations and ports
  • Upload new SSL certificates
  • Manage LDAP authentication
  • Update Vertica installation
  • Change MC theme
  • Map to an external data source

Configure user settings:                                       Yes    Yes      No   No
  • Add, edit, delete users
  • Add, change, delete user permissions
  • Map users to one or more databases

Configure user settings:                                       Yes    Yes      Yes  No
  • Enable or disable user access to MC
  • Reset user passwords

Monitor user activity on MC using audit log                    Yes    No       No   No

Create and manage databases and clusters:                      Yes    No       No   No
  • Create a new database or import an existing one
  • Create a new cluster or import an existing one
  • Remove databases and clusters from MC

Reset MC to its original, preconfigured state                  Yes    No       No   No
Restart Management Console                                     Yes    No       No   No
View full list of databases monitored by MC                    Yes    Yes      Yes  No
View MC log                                                    Yes    Yes      Yes  No
View non-database MC alerts                                    Yes    Yes      Yes  Yes

2 - Database privileges

When you create Management Console (MC) users, you first assign them MC configuration privileges, which control what they can do on the MC itself. You then assign database privileges, which control what they can do on the databases that the MC manages.

You can assign database privileges with a predefined database role. Each role is associated with a set of privileges that determines what a user can access on a database that the MC manages.

You grant database privileges on MC Settings > User Management when you add or edit a user account. You can also map an MC user to a Vertica server database user, which allows the MC user to inherit database privileges from the server user.

The following table provides a brief overview of each role:

Role       Description
Admin      Full access to all databases managed by the MC. The actual privileges an Admin receives depend on the database user account that was used to create or import the Vertica database into the MC.
Associate  Full access to all databases managed by the MC, but cannot start, stop, or drop a database. The actual privileges an Associate receives depend on those of the database user account to which the Associate is mapped.
IT         Can start and stop a database but cannot remove it from the MC interface or drop it.
User       Can view database information through the database Overview and Activities pages, but is restricted from viewing more detailed data.

Admin

Admin is the most permissive role. It is a superuser with full privileges to monitor activity and messages on databases that the MC manages. Other database privileges (such as stop or drop the database) are inherited from its mapped server user account.

There is also an Admin configuration role that grants configuration privileges for the MC. The two Admin roles are not the same. The Admin MC configuration role can manage all MC users and all databases imported into the UI, but the MC database Admin role has privileges only on the databases you map this user to.

Associate

The Associate role has the same monitoring privileges as an Admin user: full privileges to monitor MC-managed database activity and messages. Unlike the Admin user, the Associate cannot start, stop, or drop a database. The Associate user inherits database privileges from its mapped server user account, including the following:

  • Install or audit a license
  • Manage database settings
  • View Database Designer
  • View the database Activity page

IT

The IT role can view most details about a database that the MC manages, including the following:

  • Messages (and mark them read/unread)
  • Overall database health, activity, and resources
  • Cluster and node state
  • MC settings

There is also an IT role at the MC configuration access level. The two IT roles are not the same. For additional details, see Configuration roles in MC.

User

The User role has limited database privileges, such as viewing database cluster health, activity, resources, and messages. MC users with the User database role might have higher MC privileges, granted with configuration roles.

Role comparison

The following table summarizes default MC database privileges by role:

Privileges                                          Admin      Associate  IT         User
View database Overview page                         Yes        Yes        Yes        Yes
View database messages                              Yes        Yes        Yes        Yes
Delete messages and mark read/unread                Yes        Yes        Yes        No
Audit and install Vertica licenses                  Inherited  Inherited  No         No

View database Activity page:                        Yes        Inherited  Inherited  Inherited
  • Queries chart
  • Internal Sessions chart
  • User Sessions chart
  • System Bottlenecks chart
  • User Query Phases chart

View database Activity page:                        Inherited  Inherited  No         No
  • Queries chart > Detail page
  • Table Treemap chart
  • Query Monitoring chart
  • Resource Pools Monitoring chart

Start a database                                    Yes        No         No         No
Rebalance, stop, or drop databases                  Inherited  No         No         No
View Manage page                                    Yes        Yes        Yes        Yes
View node details                                   Yes        Yes        Yes        No
Replace, add, or remove nodes                       Inherited  No         No         No
Start/stop a node                                   Yes        No         No         No
View database Settings page                         Yes        Yes        Yes        No
Modify database Settings page                       Inherited  Inherited  No         No
View Database Designer                              Inherited  Inherited  No         No

Yes: granted by the MC database role. Inherited: granted only if the mapped server user account holds the corresponding privilege. No: not granted to this role.

Granting database privileges

You can grant database privileges to new and existing users on MC Settings > User Management.

Prerequisites

Mapping to server users

When you assign MC database privileges, map the MC user account to a Vertica server database user account for the following benefits:

  • The MC user inherits database privileges from the database user, so you need to maintain privileges for one user.
  • Restrict the MC user from accessing functionality not permitted by the Vertica server database user account privileges.

If the server and MC database privileges conflict, the server privileges take precedence. When the MC user logs in, the MC compares the MC user's database privileges with the privileges of the mapped server user account, and it permits an operation only when both grant it. In practice the mapped server user is the ceiling: assigning a more permissive MC database role never adds privileges that the server user lacks.
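The rule above (MC role AND mapped server user) and the Yes/Inherited/blank cells of the database role table can be modeled directly, which is useful when reviewing what an MC user can really do on a database. The following is an added example, not MC or Vertica code: the role table rows are transcribed from this page, while the server-side privilege names (shutdown, drop_database and so on) and the sample mapped accounts are assumed labels constructed for the example, not Vertica GRANT syntax.

```python
from enum import Enum


class Grant(Enum):
    """How a cell in the MC database role table marks an operation."""
    YES = "Yes"              # the MC role grants it outright
    INHERITED = "Inherited"  # granted only if the mapped server user holds it
    NO = "No"                # not granted to this MC role at all


Y, I, N = Grant.YES, Grant.INHERITED, Grant.NO
ROLES = ("Admin", "Associate", "IT", "User")

# Rows transcribed from the database role comparison table,
# in the column order Admin, Associate, IT, User.
MC_DB_ROLE_TABLE = {
    "view_overview":       (Y, Y, Y, Y),
    "delete_messages":     (Y, Y, Y, N),
    "audit_license":       (I, I, N, N),
    "view_activity_basic": (Y, I, I, I),
    "start_database":      (Y, N, N, N),
    "stop_database":       (I, N, N, N),
    "drop_database":       (I, N, N, N),
    "replace_node":        (I, N, N, N),
    "modify_settings":     (I, I, N, N),
}

# Server-side privilege an Inherited operation needs on the mapped Vertica user.
# ASSUMPTION: illustrative labels for this example, not Vertica GRANT names.
SERVER_PRIV_FOR = {
    "audit_license": "manage_license",
    "view_activity_basic": "read_system_tables",
    "stop_database": "shutdown",
    "drop_database": "drop_database",
    "replace_node": "manage_nodes",
    "modify_settings": "alter_database",
}


def is_permitted(operation: str, mc_role: str, server_privs: set) -> bool:
    """The page's rule: the MC role must expose the operation, and for an
    Inherited cell the mapped server user must also hold the privilege.
    The MC can only narrow what the server user can do, never widen it."""
    if mc_role not in ROLES:
        raise ValueError(f"unknown MC database role: {mc_role}")
    grant = MC_DB_ROLE_TABLE[operation][ROLES.index(mc_role)]
    if grant is Grant.NO:
        return False
    if grant is Grant.YES:
        return True
    return SERVER_PRIV_FOR[operation] in server_privs


def effective_privileges(mc_role: str, server_privs: set) -> set:
    """Everything this MC user can actually do on the mapped database."""
    return {op for op in MC_DB_ROLE_TABLE if is_permitted(op, mc_role, server_privs)}


def excess_server_privileges(mc_role: str, server_privs: set) -> set:
    """Server privileges the MC role can never surface: a least-privilege
    review should ask why the mapped account holds them at all."""
    reachable = {SERVER_PRIV_FOR[op] for op in MC_DB_ROLE_TABLE
                 if MC_DB_ROLE_TABLE[op][ROLES.index(mc_role)] is Grant.INHERITED}
    return set(server_privs) - reachable


if __name__ == "__main__":
    # Constructed sample: an MC Admin mapped to a server user that may stop, but not drop.
    privs = {"shutdown", "read_system_tables"}
    print(sorted(effective_privileges("Admin", privs)))
    # A User-role mapping to an over-privileged account: the MC never uses
    # drop_database for this role, so that grant is pure exposure.
    print(sorted(excess_server_privileges("User", {"read_system_tables", "drop_database"})))
```

The second helper is the one worth running before approving a mapping: any server privilege it reports is reachable only by someone who obtains the mapped account's password, not by the MC user through the console.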

Grant a database role

When you grant an MC user a database role, that user inherits the privileges assigned to its mapped server user account.

  1. Log in to Management Console as an administrator, and go to MC Settings > User management.

  2. In the grid, select an MC user and select Edit.

  3. Verify that MC configuration permissions lists the correct configuration role. None is the default setting.

  4. In DB access levels, select Add and provide the following information:

    1. Choose a database. Select a database from the list of databases that you imported or created with the MC.

    2. Database username. Enter an existing database username or select the ellipsis [...] button to browse running databases for a list of database users.

    3. Database password. Enter the password of the server database user account. The MC connects to the database as this user on the MC user's behalf, so map to a dedicated, least-privileged database account rather than dbadmin when the MC user only needs to monitor.

    4. Restricted access. Choose a database level. For details, see Admin, IT, or User.

    5. Select OK.

    6. If the Vertica database requires TLS, select Yes in the Use TLS Connection, then select Configure TLS for user. MC launches the Certificates wizard to let you configure TLS. For details, see MC certificates wizard.

  5. Select Save.

3 - User authentication in MC

The MC provides authentication options that integrate the MC with your existing corporate authentication workflows. By default, the MC provides local authentication, which stores all user information in the MC. The MC integrates with Keycloak so you can configure federated or identity provider (IDP) authentication with the MC SUPER administrator account.

Local authentication

Local user authentication is the default authentication method and does not require additional steps after you install and configure the MC. Local user information is stored on an internal database on the MC web server.

You can edit or reset local user passwords in the following locations:

  • Email Gateway.
  • MC Settings > Change Password.
  • In the user account menu in the toolbar, select Change Password.

Federated server authentication

Federated servers store your organization's user credentials in a single location so you can authenticate user identities across one or more applications. The MC integrates with Keycloak to support LDAP and LDAPS federated server configurations.

The MC can access only usernames in federated servers for authentication purposes—it cannot modify any other federated user information. To edit or reset a user password, contact your organization's federated server administrator.

For additional details about how LDAP and LDAPS federated services work with Vertica and the MC, see LDAP authentication.

Add SSL/TLS certificate

If you authenticate users with LDAPS or StartTLS, you must upload a certificate that lets the MC verify the LDAP server (the server certificate or its issuing CA certificate) so that communications between the MC and the server are encrypted and the server's identity is checked. Without a valid certificate the MC cannot verify the connection, and without LDAPS or StartTLS every bind password crosses the network in clear text:

  1. Log in to the Management Console, then go to MC Settings > SSL/TLS Certificates.
  2. In the Manage Authentication Certificates section, select Add New Certificate.
  3. Browse your filesystem and upload your certificate.
  4. Restart the MC.

After the MC restarts, the new certificate takes effect.

Set up a federated server

This section provides guidance about how to connect the MC to a federated server for MC user authentication. Only the MC SUPER administrator can configure an MC and federated server integration.

The steps to configure a federated server for MC user authentication vary by organization. Refer to the following sources for comprehensive documentation about integrating federated servers:

The following steps connect the MC and an OpenLDAP federated server:

  1. Log in to the Management Console, then go to MC Settings > User Federation. You are prompted to add an SSL/TLS certificate. A plain LDAP connection (ldap://, port 389) to OpenLDAP does not require a certificate, so you can ignore the prompt and continue; if you will connect over LDAPS or StartTLS, upload the server certificate before you proceed (see Add SSL/TLS certificate).

    The User Federation screen opens in a new tab.

  2. On the User Federation screen, select ldap from the Add provider... dropdown list.

    The Add user federation provider screen displays.

  3. In Required Settings, enter or select information for the following fields:

    • Console Display Name: Enter a name for the federated server. This value is listed in the grid on the User Federation screen.

    • Priority: Enter 0 to indicate the highest priority.

    • Edit Mode: Select READ_ONLY.

    • Vendor: The field defaults to Active Directory. For OpenLDAP, select Other if the list offers it. The attribute defaults filled in for Active Directory (for example objectGUID as the UUID attribute) do not exist on OpenLDAP, so overwrite them with the values below.

    • Username LDAP attribute: The attribute that holds the login name, typically uid for inetOrgPerson entries. Enter an attribute name only; an assertion such as cn=inetOrgPerson is not a valid value here.

    • RDN LDAP attribute: The attribute used as the relative distinguished name of user entries, usually the same attribute as the username, for example uid.

    • UUID LDAP attribute: The attribute that uniquely and permanently identifies an entry, entryUUID on OpenLDAP.

    • User Object Classes: Enter inetOrgPerson.

    • Connection URL: For LDAP, use port 389. For example, ldap://10.20.30.40:389. Plain ldap:// sends the bind password and every lookup unencrypted; for LDAPS use ldaps://host:636 and upload the server certificate first, as described in Add SSL/TLS certificate.

    • Users DN: The distinguished name of the subtree that contains the user entries, for example ou=People,dc=example,dc=com. The search for a login name runs below this DN.

    • Bind Type: If the LDAP server supports anonymous binding, select none.

      Otherwise, select simple. This setting makes the Bind DN and Bind Credential fields available. Enter the DN and password of the account that the MC uses to search the directory. Use a dedicated read-only service account rather than the directory administrator: with Edit Mode set to READ_ONLY the MC never writes to the directory, so the bind account needs search access only.

  4. Select Save.

The federated server is listed in the grid on the User Federation screen. When you add a new user in MC, the new user is authenticated to each MC session with credentials stored in the federated server.
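The Users DN, Username LDAP attribute and User Object Classes settings above determine the LDAP search that is issued for each login name, and the MC user-search box (described under User administration in MC) additionally allows a trailing wildcard such as mcuser*. The following added example, which is not MC or Keycloak code, builds that search filter with the escaping that RFC 4515 requires, so that a typed username cannot alter the filter, and rejects configuration values that are not attribute names. The usernames and the sAMAccountName variant are constructed inputs.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# An LDAP attribute description is a name such as uid, cn or entryUUID: letters,
# digits and hyphens. "cn=inetOrgPerson" is an assertion, not an attribute name.
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def is_attribute_name(value: str) -> bool:
    """True for something that can go in the Username/RDN/UUID LDAP attribute fields."""
    return bool(_ATTRIBUTE_NAME.match(value))


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it can only ever match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str, username_attr: str = "uid",
                       object_classes=("inetOrgPerson",),
                       prefix_match: bool = False) -> str:
    """Build the filter a federation provider sends below the Users DN to look
    up one login name. With prefix_match, a single trailing * is kept as a real
    wildcard (the MC user-search box allows mcuser*); every other * is escaped."""
    if not is_attribute_name(username_attr):
        raise ValueError(f"not an LDAP attribute name: {username_attr!r}")
    if not username:
        raise ValueError("empty username would match every entry")
    literal, wildcard = username, ""
    if prefix_match and username.endswith("*"):
        literal, wildcard = username[:-1], "*"
    if prefix_match and not literal:
        raise ValueError("bare * would list the whole subtree")
    value = escape_filter_value(literal) + wildcard
    classes = "".join(f"(objectClass={escape_filter_value(c)})" for c in object_classes)
    return f"(&({username_attr}={value}){classes})"


if __name__ == "__main__":
    # Constructed inputs: a normal login, the MC wildcard search, and an injection attempt.
    print(user_search_filter("alice"))
    print(user_search_filter("mcuser*", prefix_match=True))
    # Escaped, this matches nothing and changes nothing; unescaped it would
    # become (&(uid=*)(uid=*)(objectClass=inetOrgPerson)) and match every user.
    print(user_search_filter("*)(uid=*"))
```

The same function reproduces an Active Directory lookup by passing username_attr="sAMAccountName" and the object classes that vendor uses; the escaping does not change.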

For details on adding a federated user, see User administration in MC.

Identity provider (IDP) authentication

You can authenticate users with an IDP service. The MC integrates with Keycloak to configure IDP services and supports the following identity protocols and social IDPs:

  • SAML v2.0
  • OpenID Connect v1.0
  • Keycloak OpenID Connect
  • Various social providers, including GitHub, Facebook, and Google.

The MC can access only usernames from IDP servers for authentication purposes—it cannot modify any IDP user information. To edit or reset a user password, you must log into your IDP server and edit the information.

The steps to configure an IDP for MC user authentication vary depending on the IDP service. Refer to the Keycloak IDP documentation for comprehensive details about integrating identity providers.

Integrate MC and Azure AD IDP

The following sections explain how to configure IDP authentication with Microsoft Azure AD OpenID Connect (OIDC). This requires that you register an application in Azure, and then add that application as an IDP in the MC. For comprehensive documentation about creating an app in Azure, see the Microsoft Azure documentation.

Register the app

First, you must create your application in Microsoft Azure:

  1. Log in to the Azure portal.

  2. In the search bar, enter Azure Active Directory and open it.

  3. In the + Add menu at the top, select App registration from the dropdown list.

  4. Complete the fields on Register an application. For details about each field, see the Microsoft Azure documentation.

  5. Select Register.

    Your new application's Overview page displays.

Next, create the client secret. This secret authenticates your Azure app to the MC:

  1. In the menu on the left, select Certificates & secrets.

  2. On the Client secrets tab, select + New client secret.

  3. In Add a client secret, enter a description, and choose an expiration date.

  4. Select Add.

    The new secret is listed in the Client secrets tab.

  5. Copy the secret listed in the Value column, and store it in a secure location for later use.

Next, add optional claims to your token configuration:

  1. In the left-hand menu, select Token configuration.

  2. Select + Add optional claim to open the Add optional claim pane to the right.

  3. In the Add optional claim pane, select ID as the Token type, and then select the following boxes:

    • email
    • given_name
    • family_name
    • upn
  4. Select Add.

    A pop-up displays and asks you about API permissions.

  5. In the pop-up, select the checkbox and select Add. The claims are listed on the Token configuration page.

Next, retrieve the client ID and application endpoint:

  1. Select Overview from the left-hand menu.

  2. In the Essentials section, copy the Application (client) ID.

    Save the Application (client) ID in a secure location for later use.

  3. At the top of the screen, select the Endpoints tab to display the application's available endpoints.

  4. Copy the value in OpenID Connect metadata document.

    Save this endpoint in a secure location.

Add Azure AD IDP to the MC

This section requires the following information from the Azure AD app:

  • Client secret Value
  • Application (client) ID
  • OpenID Connect metadata document endpoint

Only the MC SUPER administrator can add Azure AD as an IDP in the MC:

  1. Log in to the Management Console, then go to MC Settings > Identity Providers.

    The Identity Providers screen opens in a new tab.

  2. Select OpenID Connect v1.0 from the Add provider... list.

    The Add identity provider screen displays.

  3. In the top section, add or select the following:

    • Alias: (Optional) Edit this field to distinguish this IDP from others that you might integrate with the MC.
    • Display Name: Enter Azure AD. This is the name that displays on the IDP login button after you complete configuration.
    • Trust Email: Toggle to On. The MC then accepts the email claim from Azure AD as verified without sending a confirmation mail. Because the MC username for IDP users is the email address, the account identity rests entirely on Azure AD asserting that claim, which is why the email optional claim was added to the token configuration.
    • First Login Flow: Select auto_detect so that the MC can detect the new user in the IDP during the first user login.
  4. In the OpenID Connect Config section, select or add the following:

    • Client Authentication: Select Client secret sent as post.
    • Client ID: Add the Azure AD Application (client) ID that you saved from the previous section.
    • Client Secret: Add the Azure AD Client secret Value that you saved from the previous section.
    • In Default Scopes, enter openid profile email.
  5. Go to the Import External IDP Config section. In Import from URL, add the OpenID Connect metadata document endpoint that you saved from the previous section.

  6. Select Import.

    MC imports the Azure application configuration and populates the URL fields.

  7. Select Save.

  8. Copy the value in Redirect URI and store it in a secure location for later use. You must add this URI in Azure.
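After the MC (through Keycloak) has fetched the metadata document, redirected the user to Azure AD, and verified the returned ID token's signature against the published keys, the token is only usable if its claims match this configuration: the issuer from the metadata document, the Application (client) ID as audience, an unexpired lifetime, and the email claim that the MC uses as the username. The following added example, which is not MC, Keycloak or Microsoft code, shows those claim checks on a constructed token; it performs no signature verification itself, and the issuer and client ID values are placeholders standing in for the real ones from Azure.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input only: a compact JWS with an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def payload_of(id_token: str) -> dict:
    """Decode the claims segment. The signature is NOT checked here; Keycloak
    does that against the jwks_uri from the metadata document before any of
    the claims below may be trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                          now=None, leeway: int = 60,
                          require_email: bool = True) -> list:
    """Return the reasons to reject the token; an empty list means it is usable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the metadata document issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        problems.append("aud does not include this Application (client) ID")
    elif len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multi-audience token without azp for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        problems.append("exp missing or already passed")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf - leeway > now:
        problems.append("nbf is in the future")
    if require_email and not claims.get("email"):
        problems.append("email claim missing: add it under Token configuration")
    return problems


def mc_username(claims: dict) -> str:
    """For IDP users the MC username is the email address. With Trust Email on,
    the value is taken from the IDP without a verification mail, so only the
    IDP's assertion stands behind it."""
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("no usable email claim")
    return email.strip().lower()


if __name__ == "__main__":
    # ASSUMED placeholders; the real values come from the Azure app registration.
    ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
    CLIENT_ID = "<application-client-id>"
    now = time.time()
    token = make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 600,
                                 "email": "Alice@Example.com", "upn": "alice@example.com"})
    claims = payload_of(token)
    print(check_id_token_claims(claims, issuer=ISSUER, client_id=CLIENT_ID, now=now))
    print(mc_username(claims))
```

The audience check is the one that most often bites in practice: a token minted for a different app registration in the same tenant carries a valid signature and the right issuer, and only the aud comparison against the Application (client) ID rejects it.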

Complete configuration

This section requires the Redirect URI value from Add the IDP to MC. Return to Azure, and complete the MC registration:

  1. Log in to the Azure portal.

  2. In the search bar, enter App registrations and go to your application's overview page.

  3. Select Authentication in the left menu.

  4. In Platform configurations, select Add a platform.

  5. Select Web, then add the Redirect URI value from the MC.

    For details about additional Redirect URI options and your Azure AD application, see the Microsoft Azure documentation.

  6. Select Configure.

After you complete the configuration, the MC SUPER administrator can add MC user accounts with user identities from Azure AD. Before each user can log in to the MC, they must accept the Microsoft Azure app permissions request.

Accept permissions request

After the MC SUPER administrator adds an Azure AD IDP user to the MC, the user must accept the Microsoft Azure permissions request to view the MC and access its data before they can log in to the MC:

  1. On the MC login screen, select the Azure AD option at the bottom of the Sign in to your account section.
  2. Enter your Azure credentials for your organization's Azure AD.
  3. When Microsoft requests permissions, select Accept to grant Azure AD access to the MC.

After you accept the permissions request, the user is authenticated to each MC session with Azure AD credentials.

4 - User administration in MC

The MC provides three authentication schemes for MC users: local (internal to the MC), federated (LDAP or LDAPS), and identity provider (IDP). For details, see User authentication in MC.

Management Console (MC) users are separate from Vertica server database users. MC user accounts exist in the MC only, and you cannot alter MC users with SQL statements. You add, edit, and delete MC users entirely within the MC.

Add a user

After you install and configure the MC, only the MC SUPER administrator (superuser) user exists. The MC SUPER administrator can create the other users and assign them MC configuration roles that grant privileges to perform user actions.

Add a local user

To add a local user, you must have the required MC configuration privileges:

  1. Log in to the Management Console, then go to MC Settings > User Management.
  2. Select Add. The Add a new user screen displays.
  3. Select or enter the following information:
    • Authentication: How the user authenticates to the MC. Select Local.

    • MC username: The username of the new user. After you create and save a user, you cannot edit the username, but you can delete the user account and create a new user account with a new username.

    • MC password: The new user's password. The MC has the following default password requirements:

      • Cannot be the same as MC username
      • Between 3 and 30 characters in length
      • One number
      • One uppercase letter
      • One lowercase letter

      As the user enters the new password, the MC verifies that the password meets the preceding requirements. If the password does not meet the requirements, an error message is displayed. If you have the required MC configuration privileges, you can edit the password requirements in MC Settings > Configuration > MC Password configuration settings. The default minimum of 3 characters admits trivially guessable passwords; raise the minimum length there before you create local accounts, and prefer federated or IDP authentication where your organization's central password policy already applies.

      When a new user logs in, they are prompted to create a new password.

    • Email address: Required. The new user's email address.

    • MC configuration privileges: The user's configuration role privileges. For details, see Configuration roles in MC.

    • DB access levels: The user's database privileges. For details, see Database privileges.

    • Status: Select Enabled.

  4. Select Add user.

After you add the user, the User Management screen displays, and the user is listed in the grid.
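The default password requirements listed above, placed beside a hardened variant, as an added example that is not MC code: the default policy is transcribed from this page, and the hardened policy (a 14-character minimum and a username-substring check) is a suggested configuration to approximate under MC Password configuration settings, not a setting the page documents. The candidate passwords and the username are constructed.

```python
import re

# The MC's default requirements as listed above (assumed to apply exactly as stated).
DEFAULT_MC_POLICY = {
    "min_length": 3,
    "max_length": 30,
    "require_digit": True,
    "require_upper": True,
    "require_lower": True,
    "forbid_username_substring": False,  # the default only rejects password == username
}

# A hardened variant; ASSUMPTION: the MC password settings can be raised to this.
HARDENED_POLICY = dict(DEFAULT_MC_POLICY, min_length=14, forbid_username_substring=True)


def check_password(password: str, username: str, policy: dict = DEFAULT_MC_POLICY) -> list:
    """Return every rule the candidate password breaks; an empty list means accepted."""
    problems = []
    if password == username:
        problems.append("password must not equal the MC username")
    if (policy["forbid_username_substring"] and len(username) >= 3
            and username.lower() in password.lower()):
        problems.append("password must not contain the MC username")
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        problems.append(f"length must be {policy['min_length']}-{policy['max_length']} characters")
    if policy["require_digit"] and not re.search(r"\d", password):
        problems.append("at least one number")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        problems.append("at least one uppercase letter")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        problems.append("at least one lowercase letter")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a local MC user named mcops. "Ab1" satisfies every
    # default rule, which is the point: the defaults alone are not a policy.
    for candidate in ("Ab1", "Mcops2024!Mcops2024!", "correct-Horse-battery-9"):
        print(candidate,
              "default:", check_password(candidate, "mcops"),
              "hardened:", check_password(candidate, "mcops", HARDENED_POLICY))
```

Run this against the candidate policy before changing the MC setting; the second candidate shows why an equality check alone is insufficient, since the username survives trivially inside a compliant password.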

Add a federated or IDP user

After you set up a federated server or set up an IDP, you can create MC user accounts with the user identities that the federated server or IDP manages. To add a user, you must have the required MC configuration privileges:

  1. Log in to the Management Console, then select MC Settings > User Management.

  2. Select Add. The Add a new user screen displays.

  3. Select or enter the following information:

    • Authentication: How the user authenticates to the MC. This list displays only the names of the federated servers or IDPs that you have set up to authenticate users:

      • For federated users, select Federated.
      • For IDP users, select IDP.
    • MC username: Add the username.

      For IDP users, the username is their email address.

      For federated users, enter the username stored in the federated server. As you enter the username, the MC searches the federated server for the username and displays the results in a list. Select the username from the list. You can use the wildcard character (*) to filter names. For example, if you enter mcuser*, the MC will list all users in the federation server whose usernames begin with mcuser.

    • MC configuration privileges: The user's configuration role privileges. For details, see Configuration roles in MC.

    • DB access levels: The user's database privileges. For details, see Database privileges.

    • Status: Select Enabled.

  4. Select Add user.

After you add the user, the User Management screen displays, and the user is listed in the grid.

Edit a user

Edit a user to update their MC configuration or database privileges. The only user account that you cannot edit is the MC SUPER administrator. You must have the required MC configuration roles to edit a user account:

  1. Log in to the Management Console, then select MC Settings > User Management.

  2. In the grid, select the row that lists the user that you want to edit.

  3. Select Edit.

  4. Update the fields. You cannot edit the MC password or Email address for federated or IDP users.

    For local users, you can edit the password from the Change Password screen. To access this screen, log in to the Management Console, then select MC Settings > Change Password.

  5. Select Save.

Delete a user

Delete a user that you no longer authorize to access the MC. When you delete an MC user, you also delete the user's audit activity together with their MC profile, which includes configuration roles and database access privileges. To revoke a user's MC access while preserving the audit trail, set the user's Status to Disabled instead. For details, see Edit a user.

The only user account you cannot delete is the MC SUPER administrator. If you delete a federated or IDP user, you delete their MC profile only. The MC cannot change user identity information stored in federated servers or IDPs.

You must have the required MC configuration roles to delete a user account:

  1. Log in to the Management Console, then select MC Settings > User Management.

  2. In the grid, select the row that lists the user that you want to delete.

  3. Select Delete.

    The Confirm window is displayed and asks you if you are sure that you want to delete this user.

  4. Select OK.

    The user is no longer listed in the User Management grid.
