Database privileges

When you create Management Console (MC) users, you first assign them MC configuration privileges, which control what they can do on the MC itself.

You can assign database privileges with a predefined database role. Each role is associated with a set of privileges that determines what a user can access on a database that the MC manages.

You grant database privileges on MC Settings > User Management when you add or edit a user account. You can also map an MC user to a Vertica server database user, which allows the MC user to inherit database privileges from the server user.

The following table provides a brief overview of each role:

Role Description
Admin Full access to all databases managed by MC. Actual privileges ADMINs inherit depend on the database user account used to create or import the Vertica database into the MC interface.
Associate Full access to all databases managed by MC. Cannot start, stop, or drop a database. Actual privileges that Associates receive depend on those defined for the database user account to which the Associate user is mapped.
IT Can start and stop a database but cannot remove it from the MC interface or drop it.
User Can view database information through the database Overview and Activities pages but is restricted from viewing more detailed data.

Admin

Admin is the most permissive role. It is a superuser with full privileges to monitor activity and messages on databases that the MC manages. Other database privileges (such as stop or drop the database) are inherited from its mapped server user account.

There is also an Admin configuration role that grants configuration privileges for the MC. The two Admin roles are not the same. The Admin MC configuration role can manage all MC users and all databases imported into the UI, but the MC database Admin role has privileges only on the databases you map this user to.

Associate

The Associate role has the same monitoring privileges as an Admin user: full privileges to monitor MC-managed database activity and messages. Unlike the Admin user, the Associate cannot start, stop, or drop a database. The Associate user inherits database privileges from its mapped server user account, including the following:

  • Install or audit a license
  • Manage database settings
  • View Database Designer
  • View the database Activity page

IT

The IT role can view most details about a database that the MC manages, including the following:

  • Messages (and mark them read/unread)
  • Overall database health, activity, and resources
  • Cluster and node state
  • MC settings

There is also an IT role at the MC configuration access level. The two IT roles are not the same. For additional details, see Configuration roles in MC.

User

The User role has limited database privileges, such as viewing database cluster health, activity, resources, and messages. MC users with the User database role might have higher MC privileges, granted with configuration roles.

Role comparison

The following table summarizes default MC database privileges by role:

Privileges Admin Associate IT User
View database Overview page Yes Yes Yes Yes
View database messages Yes Yes Yes Yes
Delete messages and mark read/unread Yes Yes Yes
Audit and install Vertica licenses Inherited Inherited
View database Activity page (Queries chart, Internal Sessions chart, User Sessions chart, System Bottlenecks chart, User Query Phases chart) Yes Inherited Inherited Inherited
View database Activity page (Queries chart > Detail page, Table Treemap chart, Query Monitoring chart, Resource Pools Monitoring chart) Inherited Inherited
Start a database Yes
Rebalance, stop, or drop databases Inherited
View Manage page Yes Yes Yes Yes
View node details Yes Yes Yes
Replace, add, or remove nodes Inherited
Start/stop a node Yes
View database Settings page Yes Yes Yes
Modify database Settings page Inherited Inherited
View Database Designer Inherited Inherited

Granting database privileges

You can grant database privileges to new and existing users on MC Settings > User Management.

Prerequisites

Mapping to server users

When you assign MC database privileges, map the MC user account to a Vertica server database user account for the following benefits:

  • The MC user inherits database privileges from the database user, so you need to maintain privileges for only one user.
  • The MC user is restricted from accessing functionality that the Vertica server database user account privileges do not permit.

If there is a conflict between server and MC database privileges, server privileges supersede MC privileges. When the MC user logs in, Vertica compares the MC user database privileges to the privileges assigned to its mapped server user account. Vertica permits the user to perform an operation in MC only when the MC user has both MC and server database privileges for that operation.
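The rule above can be modelled as a set intersection, which also makes it easy to review mappings where the MC role and the server account disagree. This is an added example, not code from Vertica or the MC. The operation labels, user names, and privilege sets are constructed, and the role matrix covers only four rows that the role comparison marks "Inherited".

```python
# Added illustration: a simplified model of the rule that an operation needs
# both the MC database role and the mapped server user's privilege.
# Operation labels are constructed; they are not Vertica privilege names.
ALL_OPS = {"audit_license", "modify_settings", "view_database_designer",
           "drop_database"}

# Rows the role comparison marks "Inherited", assigned to roles as the role
# descriptions state (assumption: IT and User have none of these four).
MC_ROLE_OPS = {
    "Admin": set(ALL_OPS),
    "Associate": ALL_OPS - {"drop_database"},
    "IT": set(),
    "User": set(),
}


def effective_ops(mc_role, server_ops):
    """Operations permitted in MC: allowed by the role AND the server user."""
    return MC_ROLE_OPS[mc_role] & set(server_ops)


def review_mapping(mc_user, mc_role, server_user, server_ops):
    """Summarise one MC-user-to-server-user mapping for an access review."""
    role_ops, server_ops = MC_ROLE_OPS[mc_role], set(server_ops)
    return {
        "mc_user": mc_user,
        "server_user": server_user,
        "effective": sorted(role_ops & server_ops),
        # The role would allow it, but the server account lacks the privilege.
        "blocked_by_server": sorted(role_ops - server_ops),
        # The server account holds it, but the MC role does not expose it.
        "blocked_by_mc_role": sorted(server_ops - role_ops),
    }


# Constructed sample mappings: hypothetical users and privilege sets.
SAMPLE = [
    ("alice", "Admin", "dbadmin", ALL_OPS),
    ("bob", "Admin", "report_ro", {"view_database_designer"}),
    ("carol", "User", "dbadmin", ALL_OPS),
]


def review_all(mappings=SAMPLE):
    return [review_mapping(*m) for m in mappings]


if __name__ == "__main__":
    for row in review_all():
        print(row)
```

A non-empty `blocked_by_mc_role` entry marks a mapping where the server account entered in MC holds more privilege than the MC role exposes.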

Grant a database role

When you grant an MC user a database role, that user inherits the privileges assigned to its mapped server user account.

  1. Log in to Management Console as an administrator, and go to MC Settings > User Management.

  2. In the grid, select an MC user and select Edit.

  3. Verify that MC configuration permissions lists the correct configuration role. None is the default setting.

  4. In DB access levels, select Add and provide the following information:

    1. Choose a database. Select a database from the list of databases that you imported or created with the MC.

    2. Database username. Enter an existing database username or select the ellipsis [...] button to browse running databases for a list of database users.

    3. Database password. Enter the password to the server database user account.

    4. Restricted access. Choose a database level. For details, see Admin, IT, or User.

    5. Select OK.

    6. If the Vertica database requires TLS, select Yes for Use TLS Connection, then select Configure TLS for user. MC launches the Certificates wizard to let you configure TLS. For details, see MC certificates wizard.

  5. Select Save.