OpenText Analytics Database 26.2.x – Database users

Admin: Types of database users

Mon, 01 Jan 0001 00:00:00 +0000

There are three types of users in an OpenText™ Analytics Database:

Database administrator (DBADMIN)
Object owner
Everyone else (PUBLIC)

Note

External to the database, an MC administrator can create users through the Management Console and grant them database access. See User administration in MC for details.

Admin: Creating a database user

Mon, 01 Jan 0001 00:00:00 +0000

To create a database user:

From vsql, connect to the database as a superuser.
Issue the CREATE USER statement with optional parameters.
Run a series of GRANT statements to grant the new user privileges.

To create a user on MC, see User administration in MC in Management Console.

New user privileges

By default, new database users have the right to create temporary tables in the database.

New users do not have access to schema PUBLIC by default. Be sure to call GRANT USAGE ON SCHEMA PUBLIC to all users you create.

Modifying users

You can change information about a user, such as his or her password, by using the ALTER USER statement. If you want to configure a user to not have any password authentication, you can set the empty password ‘’ in CREATE USER or ALTER USER statements, or omit the IDENTIFIED BY parameter in CREATE USER.

Example

The following series of commands add user Fred to a database with password 'password'. The second command grants USAGE privileges to Fred on the public schema:

=> CREATE USER Fred IDENTIFIED BY 'password';
=> GRANT USAGE ON SCHEMA PUBLIC to Fred;

Admin: User-level configuration parameters

Mon, 01 Jan 0001 00:00:00 +0000

ALTER USER lets you set user-level configuration parameters on individual users. These settings override database- or session-level settings on the same parameters. For example, the following ALTER USER statement sets DepotOperationsForQuery for users Yvonne and Ahmed to FETCHES, thus overriding the default setting of ALL:

=> SELECT user_name, parameter_name, current_value, default_value FROM user_configuration_parameters
   WHERE user_name IN('Ahmed', 'Yvonne') AND parameter_name = 'DepotOperationsForQuery';
 user_name |     parameter_name      | current_value | default_value
-----------+-------------------------+---------------+---------------
 Ahmed     | DepotOperationsForQuery | ALL           | ALL
 Yvonne    | DepotOperationsForQuery | ALL           | ALL
(2 rows)

=> ALTER USER Ahmed SET DepotOperationsForQuery='FETCHES';
ALTER USER
=> ALTER USER Yvonne SET DepotOperationsForQuery='FETCHES';
ALTER USER

Identifying user-level parameters

To identify user-level configuration parameters, query the allowed_levels column of system table CONFIGURATION_PARAMETERS. For example, the following query identifies user-level parameters that affect depot usage:

n=> SELECT parameter_name, allowed_levels, default_value, current_level, current_value
    FROM configuration_parameters WHERE allowed_levels ilike '%USER%' AND parameter_name ilike '%depot%';
     parameter_name      |     allowed_levels      | default_value | current_level | current_value
-------------------------+-------------------------+---------------+---------------+---------------
 UseDepotForReads        | SESSION, USER, DATABASE | 1             | DEFAULT       | 1
 DepotOperationsForQuery | SESSION, USER, DATABASE | ALL           | DEFAULT       | ALL
 UseDepotForWrites       | SESSION, USER, DATABASE | 1             | DEFAULT       | 1
(3 rows)

Viewing user parameter settings

You can obtain user settings in two ways:

Query system table USER_CONFIGURATION_PARAMETERS:

=> SELECT * FROM user_configuration_parameters;
 user_name |      parameter_name       | current_value | default_value
-----------+---------------------------+---------------+---------------
 Ahmed     | DepotOperationsForQuery   | FETCHES       | ALL
 Yvonne    | DepotOperationsForQuery   | FETCHES       | ALL
 Yvonne    | LoadSourceStatisticsLimit | 512           | 256
(3 rows)

Use SHOW USER:

=> SHOW USER Yvonne PARAMETER ALL;
  user  |         parameter         | setting
--------+---------------------------+---------
 Yvonne | DepotOperationsForQuery   | FETCHES
 Yvonne | LoadSourceStatisticsLimit | 512
(2 rows)

=> SHOW USER ALL PARAMETER ALL;
  user  |         parameter         | setting
--------+---------------------------+---------
 Yvonne | DepotOperationsForQuery   | FETCHES
 Yvonne | LoadSourceStatisticsLimit | 512
 Ahmed  | DepotOperationsForQuery   | FETCHES
(3 rows)

Admin: Locking user accounts

Mon, 01 Jan 0001 00:00:00 +0000

As a superuser, you can manually lock and unlock a database user account with ALTER USER...ACCOUNT LOCK and ALTER USER...ACCOUNT UNLOCK, respectively. For example, the following command prevents user Fred from logging in to the database:

=> ALTER USER Fred ACCOUNT LOCK;
=> \c - Fred
FATAL 4974: The user account "Fred" is locked
HINT: Please contact the database administrator

The following example unlocks access to Fred's user account:

=> ALTER USER Fred ACCOUNT UNLOCK;|
=> \c - Fred
You are now connected as user "Fred".

Locking new accounts

CREATE USER can specify to lock a new account. Like any locked account, it can be unlocked with ALTER USER...ACCOUNT UNLOCK.

=> CREATE USER Bob ACCOUNT LOCK;
CREATE USER

A user's profile can specify to lock an account after a certain number of failed login attempts.

Admin: Setting and changing user passwords

Mon, 01 Jan 0001 00:00:00 +0000

As a superuser, you can set any user's password when you create that user with CREATE USER, or later with ALTER USER. Non-superusers can also change their own passwords with ALTER USER. One exception applies: users who are added to the database with the LDAPLink service cannot change their passwords with ALTER USER.

You can also give a user a pre-hashed password if you provide its associated salt. The salt must be a hex string. This method bypasses password complexity requirements.

To view password hashes and salts of existing users, see the PASSWORDS system table.

Changing a user's password has no effect on their current session.

Setting user passwords in VSQL

In this example, the user 'Bob' is created with the password 'mypassword.'

=> CREATE USER Bob IDENTIFIED BY 'mypassword';
CREATE USER

The password is then changed to 'Orca.'

=> ALTER USER Bob IDENTIFIED BY 'Orca' REPLACE 'mypassword';
ALTER USER

In this example, the user 'Alice' is created with a pre-hashed password and salt.

=> CREATE USER Alice IDENTIFIED BY
'sha512e0299de83ecfaa0b6c9cbb1feabfbe0b3c82a1495875cd9ec1c4b09016f09b42c1'
SALT '465a4aec38a85d6ecea5a0ac8f2d36d8';

Setting user passwords in Management Console

On Management Console, users with ADMIN or IT privileges can reset a user's non-LDAP password:

Sign in to Management Console and navigate to MC Settings > User management.
Click to select the user to modify and click Edit.
Click Edit password and enter the new password twice.
Click OK and then Save.

OpenText Analytics Database 26.2.x – Database users

Admin: Types of database users

Note

Admin: Creating a database user

New user privileges

Modifying users

Example

See also

Admin: User-level configuration parameters

Identifying user-level parameters

Viewing user parameter settings

Admin: Locking user accounts

Locking new accounts

Locking accounts for failed login attempts

Admin: Setting and changing user passwords

Setting user passwords in VSQL

Setting user passwords in Management Console