Configuration roles in MC
A configuration role is a predefined role with a set of privileges that determine what users can configure on the Management Console. You grant configuration privileges on MC Settings > User Management when you add or edit a user account.
The following table provides a brief overview of each role:
| Role | Description |
|---|---|
| SUPER | A Linux user account, the MC SUPER administrator is the default superuser that gets created when you configure the MC. |
| Admin | Full access to all MC functionality and databases managed by MC. |
| Manager | Access to MC user settings, monitors all databases managed by MC, and non-database MC alerts. |
| IT | Limited access to MC user settings, monitors all databases managed by MC, MC logs, and non-database MC alerts. |
| None | No configuration privileges. This user can access one or more databases managed by MC. |
Super
The MC SUPER administrator is a Linux user account that is created when you configure the MC. This user account is unique: it cannot be altered or dropped, and you cannot grant the SUPER role to other MC users. The only property you can change for the MC SUPER administrator is the password.
The MC SUPER administrator is a Local user account, so the MC stores its login credentials and profile information internally. This account is different from the dbadmin account that is created when you install Vertica. The dbadmin account is a Linux account that owns the database catalog and storage locations, and can bypass database authorization rules, such as creating or dropping schemas, roles, and users. The MC SUPER administrator does not have the same privileges as dbadmin.
The MC SUPER administrator has the following privileges:
-
Oversee the entire Management Console, including all database clusters managed by the MC.
Note
The MC SUPER administrator inherits the privileges and roles of the user name provided when importing a Vertica database into MC. Vertica recommends that you use the database administrator's credentials when you import a database. -
Create the first MC user account.
-
Assign MC configuration roles.
-
Grant database privileges to one or more databases managed by MC.
-
Configure federated server and identify provider authentication methods. For details, see User authentication in MC.
On MC-managed Vertica databases, MC SUPER administrator has the same privileges as the Admin database role.
Admin
A user with Admin configuration privileges can perform all administrative operations on the Management Console, including configuring and restarting the MC, and adding, editing, and deleting user accounts. An Admin has access to all databases that the MC manages and inherits the database privileges of the user account that sets up a database on the MC.
The Admin role grants a user the same configuration privileges as the MC SUPER administrator account, but you can alter and delete user accounts with Admin privileges.
Important
There is also an Admin database role that grants MC database privileges. The two Admin roles are not the same. Because the Admin configuration role inherits all database privileges from the user account that created or imported the database into the MC, you do not need to grant the Admin database role to users with the Admin configuration role.Manager
Users assigned the Manager role can add, edit, and delete users in the MC. The Manager role grants full access to the MC Settings > User Management tab. Additionally, a Manager can view the following:
- On the MC Home page, all databases monitored by MC.
- MC log.
- Non-database MC alerts.
The Manager role has similar database privileges to the IT database privileges role.
IT
Users assigned the IT role have the following privileges:
- Monitor all MC-managed databases.
- View non-database MC messages, logs, and alerts.
- Disable or enable user access to MC.
- Reset local user passwords.
You can assign IT users specific database privileges by mapping them to a user on a server database. The IT user inherits the privileges assigned to the mapped server user.
None
The default role for all users on MC is None, which does not grant any MC configuration privileges. A common strategy is to assign the None role to grant no MC configuration privileges, and then map the MC user to a Vertica server database user so that they can inherit database privileges from the mapped server user.
Role comparison
You grant the following configuration privileges by MC role:
| Privileges | Admin | Manager | IT | None |
|---|---|---|---|---|
|
Configure MC settings:
|
Yes | |||
|
Configure user settings:
|
Yes | Yes | ||
|
Configure user settings:
|
Yes | Yes | Yes | |
| Monitor user activity on MC using audit log | Yes | |||
|
Create and manage databases and clusters:
|
Yes | |||
| Reset MC to its original, preconfigured state | Yes | |||
| Restart Management Console | Yes | |||
| View full list of databases monitored by MC | Yes | Yes | Yes | |
| View MC log | Yes | Yes | ||
| View non-database MC alerts | Yes | Yes | Yes | Yes |