OpenText Analytics Database 26.2.x – Users, roles, and privileges in MC

Mc: Configuration roles in MC

Mon, 01 Jan 0001 00:00:00 +0000

A configuration role is a predefined role with a set of privileges that determine what users can configure on the Management Console. You grant configuration privileges on MC Settings > User Management when you add or edit a user account.

The following table provides a brief overview of each role:

Role	Description
SUPER	A Linux user account, the MC SUPER administrator is the default superuser that gets created when you configure the MC.
Admin	Full access to all MC functionality and databases managed by MC.
Manager	Access to MC user settings, monitors all databases managed by MC, and non-database MC alerts.
IT	Limited access to MC user settings, monitors all databases managed by MC, MC logs, and non-database MC alerts.
None	No configuration privileges. This user can access one or more databases managed by MC.

Super

The MC SUPER administrator is a Linux user account that is created when you configure the MC. This user account is unique: it cannot be altered or dropped, and you cannot grant the SUPER role to other MC users. The only property you can change for the MC SUPER administrator is the password.

The MC SUPER administrator is a Local user account, so the MC stores its login credentials and profile information internally. This account is different from the dbadmin account that is created when you install OpenText™ Analytics Database. The dbadmin account is a Linux account that owns the database catalog and storage locations, and can bypass database authorization rules, such as creating or dropping schemas, roles, and users. The MC SUPER administrator does not have the same privileges as dbadmin.

The MC SUPER administrator has the following privileges:

Oversee the entire Management Console, including all database clusters managed by the MC.

Note
The MC SUPER administrator inherits the privileges and roles of the user name provided when importing a database into MC. It is recommended that you use the database administrator's credentials when you import a database.
Create the first MC user account.
Assign MC configuration roles.
Grant database privileges to one or more databases managed by MC.
Configure federated server and identify provider authentication methods. For details, see User authentication in MC.

On MC-managed databases, MC SUPER administrator has the same privileges as the Admin database role.

Admin

A user with Admin configuration privileges can perform all administrative operations on the Management Console, including configuring and restarting the MC, and adding, editing, and deleting user accounts. An Admin has access to all databases that the MC manages and inherits the database privileges of the user account that sets up a database on the MC.

The Admin role grants a user the same configuration privileges as the MC SUPER administrator account, but you can alter and delete user accounts with Admin privileges.

Important

There is also an Admin database role that grants MC database privileges. The two Admin roles are not the same. Because the Admin configuration role inherits all database privileges from the user account that created or imported the database into the MC, you do not need to grant the Admin database role to users with the Admin configuration role.

Manager

Users assigned the Manager role can add, edit, and delete users in the MC. The Manager role grants full access to the MC Settings > User Management tab. Additionally, a Manager can view the following:

On the MC Home page, all databases monitored by MC.
MC log.
Non-database MC alerts.

The Manager role has similar database privileges to the IT database privileges role.

IT

Users assigned the IT role have the following privileges:

Monitor all MC-managed databases.
View non-database MC messages, logs, and alerts.
Disable or enable user access to MC.
Reset local user passwords.

You can assign IT users specific database privileges by mapping them to a user on a server database. The IT user inherits the privileges assigned to the mapped server user.

None

The default role for all users on MC is None, which does not grant any MC configuration privileges. A common strategy is to assign the None role to grant no MC configuration privileges, and then map the MC user to a server database user so that they can inherit database privileges from the mapped server user.

Role comparison

You grant the following configuration privileges by MC role:

Privileges	Admin	Manager	IT	None
Configure MC settings: Configure storage locations and ports Upload new SSL certificates Manage LDAP authentication Update database installation Change MC theme Map to an external data source	Yes
Configure user settings: Add, edit, delete users Add, change, delete user permissions Map users to one or more databases	Yes	Yes
Configure user settings: Enable or disable user access to MC Reset user passwords	Yes	Yes	Yes
Monitor user activity on MC using audit log	Yes
Create and manage databases and clusters: Create a new database or import an existing one Create a new cluster or import an existing one Remove databases and clusters from MC	Yes
Reset MC to its original, preconfigured state	Yes
Restart Management Console	Yes
View full list of databases monitored by MC	Yes	Yes	Yes
View MC log	Yes		Yes
View non-database MC alerts	Yes	Yes	Yes	Yes

Mc: Database privileges

Mon, 01 Jan 0001 00:00:00 +0000

You can assign database privileges with a predefined database role. Each role is associated with a set of privileges that determines what a user can access on a database that the MC manages.

You grant database privileges on MC Settings > User Management when you add or edit a user account. You can also map an MC user to a server database user, which allows the MC user to inherit database privileges from the server user.

The following table provides a brief overview of each role:

Role	Description
Admin	Full access to all databases managed by MC. Actual privileges ADMINs inherit depend on the database user account used to create or import the database into the MC interface.
Associate	Full access to all databases managed by MC. Cannot start, stop, or drop a database. Actual privileges that Associates receive depend on those defined for the database user account to which the Associate user is mapped.
IT	Can start and stop a database but cannot remove it from the MC interface or drop it.
User	Can view database information through the database Overview and Activities pages but is restricted from viewing more detailed data.

Admin

Admin is the most permissive role. It is a superuser with full privileges to monitor activity and messages on databases that the MC manages. Other database privileges (such as stop or drop the database) are inherited from its mapped server user account.

There is also an Admin configuration role that grants configuration privileges for the MC. The two Admin roles are not the same. The Admin MC configuration role can manage all MC users and all databases imported into the UI, but the MC database Admin role has privileges only on the databases you map this user to.

Associate

The Associate role has the same monitoring privileges as an Admin user—full privileges to monitor MC-managed database activity and messages. Unlike the Admin user, the Associate cannot start, stop, or drop a database. The Associate user inherits database privileges its mapped server user account, including the following:

Install or audit a license
Manage database settings
View Database Designer
View the database Activity page

IT

The IT role can view most details about a database that the MC manages, including the following:

Messages (and mark them read/unread)
Overal database health, activity, and resources
Cluster and node state
MC settings

There is also an IT role at the MC configuration access level. The two IT roles are not the same. For additional details, see Configuration roles in MC.

User

The User role has limited database privileges, such as viewing database cluster health, activity, resources, and messages. MC users with the User database role might have higher MC privileges, granted with configuration roles.

Role comparison

The following table summarizes default MC database privileges by role:

Note

Inherited indicates that MC user database privileges depend on the privileges of the mapped server user account.

Privileges	Admin	Associate	IT	User
View database Overview page	Yes	Yes	Yes	Yes
View database messages	Yes	Yes	Yes	Yes
Delete messages and mark read/unread	Yes	Yes	Yes
Audit and install database licenses	Inherited	Inherited
View database Activity page: Queries chart Internal Sessions chart User Sessions chart System Bottlenecks chart User Query Phases chart	Yes	Inherited	Inherited	Inherited
View database Activity page: Queries chart > Detail page Table Treemap chart Query Monitoring chart Resource Pools Monitoring chart	Inherited	Inherited
Start a database	Yes
Rebalance, stop, or drop databases	Inherited
View Manage page	Yes	Yes	Yes	Yes
View node details	Yes	Yes	Yes
Replace, add, or remove nodes	Inherited
Start/stop a node	Yes
View database Settings page	Yes	Yes	Yes
Modify database Settings page	Inherited	Inherited
View Database Designer	Inherited	Inherited

Granting database privileges

You can grant database privileges to new and existing users on MC Settings > User Management.

Prerequisites

Determine the database privileges that you want to grant the new MC user.
Optional: Create or import a database to associate with the new user.
Optional: Create a database user account if you want to map a server database user to an MC user account.

Mapping to server users

When you assign MC database privileges, map the MC user account to a server database user account for the following benefits:

The MC user inherits database privileges from the database user, so you need to maintain privileges for one user.
Restrict the MC user from accessing functionality not permitted by the server database user account privileges.

If there is a conflict between server and MC database privileges, server privileges supersede MC privileges. When the MC user logs in, OpenText™ Analytics Database compares the MC user database privileges to the privileges assigned to its mapped server user account. The database permits the user to perform an operation in MC only when the MC user has both MC and server database privileges for that operation.

Grant a database role

When you grant an MC user a database role, that user inherits the privileges assigned to its mapped server user account.

Note

For maximum access, use the dbadmin username and password.

Log in to Management Console as an administrator, and go to MC Settings > User management.
In the grid, select an MC user and select Edit.
Verify that MC configuration permissions lists the correct configuration role. None is the default setting.
In DB access levels, select Add and provide the following information:
1. Choose a database. Select a database from the list databases that you imported or created with the MC.
2. Database username. Enter an existing database username or select the ellipsis [...] button to browse running databases for a list of database users.
3. Database password. Enter the password to the server database user account.
4. Restricted access. Choose a database level. For details, see Admin, IT, or User.
5. Select OK.
6. If the database requires TLS, select Yes in the Use TLS Connection, then select Configure TLS for user. MC launches the Certificates wizard to let you configure TLS. For details, see MC certificates wizard.
  
  Note
  If TLS/SSL is configured in mutual mode on the database, each MC user must be configured with an individual client certificate and private key, to log into the database from MC. See Configuring mutual TLS for MC users. If the individual certificate has not been configured, you see an error message. contact your Management Console administrator.
Select Save.

Mc: User authentication in MC

Mon, 01 Jan 0001 00:00:00 +0000

The MC provides authentication options that integrate the MC with your existing corporate authentication workflows. By default, the MC provides local authentication, which stores all user information in the MC. The MC integrates with Keycloak so you can configure federated or identity provider (IDP) authentication with the MC SUPER administrator account.

Local authentication

Local user authentication is the default authentication method and does not require additional steps after you install and configure the MC. Local user information is stored on an internal database on the MC web server.

You can edit or reset local user passwords in the following locations:

Email Gateway.
MC Settings > Change Password.
In the user account menu in the toolbar, select Change Password.

Federated server authentication

Federated servers store your organization's user credentials in a single location so you can authenticate user identities across one or more applications. The MC integrates with Keycloak to support LDAP and LDAPS federated server configurations.

The MC can access only usernames in federated servers for authentication purposes—it cannot modify any other federated user information. To edit or reset a user password, contact your organization's federated server administrator.

For additional details about how LDAP and LDAPS federated services work with OpenText™ Analytics Database and MC, see LDAP authentication.

Add SSL/TLS certificate

If you authenticate users with LDAPS or StartTLS, you must upload a certificate to the MC to encrypt communications between the MC and the server. If you do not upload a valid certificate, the MC cannot verify the connection:

Log in to the Management Console, then go to MC Settings > SSL/TLS Certificates.
In the Manage Authentication Certificates section, select Add New Certificate.
Browse your filesystem and upload your certificate.
Restart the MC.

After the MC restarts, the new certificate takes effect.

Set up a federated server

This section provides guidance about how to connect the MC to a federated server for MC user authentication. Only the MC SUPER administrator can configure an MC and federated server integration.

The steps to configure a federated server for MC user authentication vary by organization. Refer to the following sources for comprehensive documentation about integrating federated servers:

LDAP documentation for protocol details.
Keycloak documentation for details about configuring Keycloak.

Note

The steps in this section serve as a guide only—your organization might require different settings and values. The MC provides tooltips for each field, and you can refer to the Keycloak documentation for details about specific values.

The following steps connect the MC and an OpenLDAP federated server:

Log in to the Management Console, then go to MC Settings > User Federation. You are prompted to add an SSL/TLS certificate. OpenLDAP does not requie a certificate, so ignore the prompt and continue.

The User Federation screen opens in a new tab.
On the User Federation screen, select ldap from the Add provider... dropdown list.

The Add user federation provider screen displays.
In Required Settings, enter or select information for the following fields:
- Console Display Name: Enter a name for the federated server. This value is listed in the grid on the User Federation screen.
- Priority: Enter 0 to indicate the highest priority.
- Edit Mode: Select READ_ONLY.
- Vendor: Active Directory is populated in this field.
- Username LDAP attribute: Enter cn=inetOrgPerson.
- RDN LDAP attribute: Enter cn=inetOrgPerson.
- UUID LDAP attribute: Enter cn=inetOrgPerson.
- User Object Classes: Enter inetOrgPerson.
- Connection URL: For LDAP, use port 389. For example, ldap://10.20.30.40:389.
  
  Note
  Like LDAP, StartTLS uses port 389. For LDAPS, use port 636. For example, ldaps://10.20.30.40:636.
- Users DN: A distinguished name (DN) consists of two DC components. For example, dc=example,dc=com.
- Bind Type: If the LDAP server supports anonymous binding, select none.
  
  Otherwise, select simple. This setting makes the Bind DN field available. In Bind DN, enter the administrator's DN and password.
Select Save.

The federated server is listed in the grid on the User Federation screen. When you add a new user in MC, the new user is authenticated to each MC session with credentials stored in the federated server.

For details on adding a federated user, see User administration in MC.

Identity provider (IDP) authentication

You can authenticate users with an IDP service. The MC integrates with Keycloak to configure IDP services and supports the following identity protocols and social IDPs:

SAML v2.0
OpenID Connect v1.0
Keycloak OpenID Connect
Various social providers, including GitHub, Facebook, and Google.

The MC can access only usernames from IDP servers for authentication purposes—it cannot modify any IDP user information. To edit or reset a user password, you must log into your IDP server and edit the information.

The steps to configure an IDP for MC user authentication vary depending on the IDP service. Refer to the Keycloak IDP documentation for comprehensive details about integrating identity providers.

Integrate MC and Azure AD IDP

The following sections explain how to configure IDP authentication with Microsoft Azure AD OpenID Connect (OIDC). This requires that you register an application in Azure, and then add that application as an IDP in the MC. For comprehensive documentation about creating an app in Azure, see the Microsoft Azure documentation.

Register the app

First, you must create your application in Microsoft Azure:

Log in to the Azure portal.
In the search bar, enter Azure Active Directory and open it.
In the + Add menu at the top, select App registration from the dropdown list.
Complete the fields on Register an application. For details about each field, see the Microsoft Azure documentation.
Select Register.

Your new application's Overview page displays.

Next, create the client secret. This secret authenticates your Azure app to the MC:

In the menu on the left, select Certificates & secrets.
On the Client secrets tab, select + New client secret.
In Add a client secret, enter a description, and choose an expiration date.
Select Add.

The new secret is listed in the Client secrets tab.
Copy the secret listed in the Value column, and store it in a secure location for later use.

Important
This secret is available to copy when you generate it. If you lose this value or need to copy it during a later session, you must delete the existing secret and generate a new one.

Next, add optional claims to your token configuration:

In the left-hand menu, select Token configuration.
Select + Add optional claim to open the Add optional claim pane to the right.
In the Add optional claim pane, select ID as the Token type, and then select the following boxes:
- email
- given_name
- family_name
- upn
Select Add.

A pop-up displays and asks you about API permissions.
In the pop-up, select the checkbox and select Add. The claims are listed on the Token configuration page.

Next, retrieve the client ID and application endpoint:

Select Overview from the left-hand menu.
In the Essentials section, copy the Application (client) ID.

Save the Application (client) ID in a secure location for later use.
At the top of the screen, select the Endpoints tab to display the application's available endpoints.
Copy the value in OpenID Connect metadata document.

Save this endpoint in a secure location.

Add Azure AD IDP to the MC

This section requires the following information from the Azure AD app:

Client secret Value
Application (client) ID
OpenID Connect metadata document endpoint

Only the MC SUPER administrator can add Azure AD as an IDP in the MC:

Log in to the Management Console, then go to MC Settings > Identity Providers.

The Identity Providers screen opens in a new tab.
Select OpenID Connect v1.0 from the Add provider... list.

The Add identity provider screen displays.
In the top section, add or select the following:
- Alias: (Optional) Edit this field to distinguish this IDP from others that you might integrate with the MC.
- Display Name: Enter Azure AD. This is the name that displays on the IDP login button after you complete configuration.
- Trust Email: Toggle to On.
- First Login Flow: Select auto_detect so that the MC can detect the new user in the IDP during the first user login.
In the OpenID Connect Config section, select or add the following:
- Client Authentication: Select Client secret sent as post.
- Client ID: Add the Azure AD Application (client) ID that you saved from the previous section.
- Client Secret: Add the Azure AD Client secret Value that you saved from the previous section.
- In Default Scopes, enter openid profile email.
Go to the Import External IDP Config section. In Import from URL, add the OpenID Connect metadata document endpoint that you saved from the previous section.
Select Import.

MC imports the Azure application configuration and populates the URL fields.
Select Save.
Copy the value in Redirect URI and store it in a secure location for later use. You must add this URI in Azure.

Complete configuration

This section requires the Redirect URI value from Add the IDP to MC. Return to Azure, and complete the MC registration:

Log in to the Azure portal.
In the search bar, enter App registrations and go to your application's overview page.
Select Authentication in the left menu.
In Platform configurations, select Add a platform.
Select Web, then add the Redirect URI value from the MC.

For details about additional Redirect URI options and your Azure AD application, see the Microsoft Azure documentation.
Select Configure.

After you complete the configuration, the MC SUPER administrator can add MC user accounts with user identities from Azure AD. Before each user can log in to the MC, they must accept the Microsoft Azure app permissions request.

Accept permissions request

After the MC SUPER administrator adds an Azure AD IDP user to the MC, the user must accept the Microsoft Azure permissions request to view the MC and access its data before they can log in to the MC:

On the MC login screen, select the Azure AD option at the bottom of the Sign in to your account section.

Note
The Azure AD option displays the Display Name value that you entered in Add Azure AD IDP to the MC.
Enter your Azure credentials for your organization's Azure AD.
When Microsoft requests permissions, select Accept to grant Azure AD access to the MC.

After you accept the permissions request, the user is authenticated to each MC session with Azure AD credentials.

Mc: User administration in MC

Mon, 01 Jan 0001 00:00:00 +0000

Management Console (MC) users are separate from server database users. MC user accounts exist in the MC only, and you cannot alter MC users with SQL statements. You add, edit, and delete MC users entirely within the MC.

Add a user

After you install and configure the MC, only the MC SUPER administrator (superuser) user exists. The MC SUPER administrator can create the other users and assign them MC configuration roles that grant privileges to perform user actions.

Prerequisites

Determine the MC configuration role that you want to grant the new MC user.
Determine the database privileges that you want to grant the new MC user.
Optional: Create or import a database to associate with the new user.
Optional: Create a database user account if you want to map a server database user to an MC user profile.

Note

If you are mapping an existing user to a new MC user profile, the user must have SYSMONITOR or DBADMIN privileges to do the following:

View data in MC monitoring tables
Load Kafka streaming data

Add a local user

To add a local user, you must have the required MC configuration privileges:

Log in to the Management Console, then go to MC Settings > User Management.
Select Add. The Add a new user screen displays.
Select or enter the following information:
- Authentication: How the user authenticates to the MC. Select Local.
- MC username: The username of the new user. After you create and save a user, you cannot edit the username, but you can delete the user account and create a new user account with a new username.
- MC password: The new user's password. The MC has the following default password requirements:
  - Cannot be the same as MC username
  - Between 3 and 30 characters in length
  - One number
  - One uppercase letter
  - One lowercase letter
  As the user enters the new password, the MC verifies that the password meets the preceding requirements. If the password does not meet the requirements, then an error message is displayed. If you have the required MC configuration privileges, you can edit password requirements in MC Settings > Configuration > MC Password configuration settings.
  
  When a new user logs in, they are prompted to create a new password.
- Email address: Required. The new user's email address.
- MC configuration privileges: The user's configuration role privileges. For details, see Configuration roles in MC.
- DB access levels: The user's database privileges. For details, see Database privileges.
- Status: Select Enabled.
Select Add user.

After you add the user, the User Management screen displays, and the user is listed in the grid.

Add a federated or IDP user

After you set up a federated server or set up an IDP, you can create MC user accounts with the user identities that the federated server or IDP manages. To add a user, you must have the required MC configuration privileges:

Log in to the Management Console, then select MC Settings > User Management.
Select Add. The Add a new user screen displays.
Select or enter the following information:
- Authentication: How the user authenticates to the MC. This list displays only the names of the federated servers or IDPs that you have set up to authenticate users:
  - For federated users, select Federated.
  - For IDP users, select IDP.
- MC username: Add the username.
  
  For IDP users, the username is their email address.
  
  For federated users, enter the username stored in the federated server. As you enter the username, the MC searches the federated server for the username and displays the results in a list. Select the username from the list. You can use the wildcard character (*) to filter names. For example, if you enter mcuser*, the MC will list all users in the federation server whose usernames begin with mcuser.
- MC configuration privileges: The user's configuration role privileges. For details, see Configuration roles in MC.
- DB access levels: The user's database privileges. For details, see Database privileges.
- Status: Select Enabled.
Note
You cannot edit the user's Email address because it is managed by the federation server.
Select Add user.

After you add the user, the User Management screen displays, and the user is listed in the grid.

Edit a user

Edit a user to update their MC configuration or database privileges. The only user account that you cannot edit is the MC SUPER administrator. You must have the required MC configuration roles to edit a user account:

Log in to the Management Console, then select MC Settings > User Management.
In the grid, select the row that lists the user that you want to edit.
Select Edit.
Update the fields. You cannot edit the MC password or Email address for federated or IDP users.

For local users, you can edit the password from the Change Password screen. To access this screen, log in to the Management Console, then select MC Settings > Change Password.
Select Save.

Delete a user

Delete a user that you no longer authorize to access the MC. When you delete an MC user, you delete the user's audit activity and their MC profile, which includes configuration roles and database access privileges. If you do not want to delete a user but you do want to revoke a user's MC authorization, consider setting the user's Status to Disabled. For details, see Edit a user.

The only user account you cannot delete is the MC SUPER administrator. If you delete a federated or IDP user, you delete their MC profile only. The MC cannot change user identity information stored in federated servers or IDPs.

You must have the required MC configuration roles to delete a user account:

Log in to the Management Console, then select MC Settings > User Management.
In the grid, select the row that lists the user that you want to delete.
Select Delete.

The Confirm window is displayed and asks you if you are sure that you want to delete this user.
Select OK.

The user is no longer listed in the User Management grid.

Note

If you delete a user that is currently logged in, that user receives a message that explains that they were removed as a user and must contact the system administrator.

OpenText Analytics Database 26.2.x – Users, roles, and privileges in MC

Mc: Configuration roles in MC

Super

Note

Admin

Important

Manager

IT

None

Role comparison

See also

Mc: Database privileges

Admin

Associate

IT

User

Role comparison

Note

Granting database privileges

Prerequisites

Mapping to server users

Grant a database role

Note

Note

Mc: User authentication in MC

Local authentication

Federated server authentication

Add SSL/TLS certificate

Set up a federated server

Note

Note

Identity provider (IDP) authentication

Integrate MC and Azure AD IDP

Register the app

Important

Add Azure AD IDP to the MC

Complete configuration

Accept permissions request

Note

Mc: User administration in MC

Add a user

Prerequisites

Note

Add a local user

Add a federated or IDP user

Note

Edit a user

Delete a user

Note

See also