MC Database Privileges
When you create MC users, you first assign them MC configuration privileges, which control what they can do on the MC itself. In the same user-creation operation, you grant access to one or more MC-managed databases. MC database access does not give the MC user privileges directly on Vertica; it provides MC users varying levels of access to assigned database functionality through the MC interface.
Assign users an MC database level through one of the following roles:
- ADMIN Role (db)—Full access to all databases managed by MC. Actual privileges ADMINs inherit depend on the database user account used to create or import the Vertica database into the MC interface.
- Associate Role (Database)—Full access to all databases managed by MC. Cannot start, stop, or drop a database. Actual privileges that Associates receive depend on those defined for the database user account to which the Associate user is mapped.
- IT Role (db)—Can start and stop a database but cannot remove it from the MC interface or drop it.
- USER Role (db)—Can view database information through the database Overview and Activities pages but is restricted from viewing more detailed data.
Mapping MC Users to Database to Avoid Conflicts
When you assign an MC database level to an MC user, map the MC user account to a database user account to ensure that:
- The MC user inherits the privileges assigned to that database user
- You prevent the MC user from doing or seeing anything not allowed by the privileges for the user account on the server database
Privileges assigned to the database user supersede privileges of the MC user if there is a conflict, such as stopping a database. When the MC user logs into MC using an MC user name and password, Vertica compares privileges for database-related activities to the privileges on the database account to which you mapped the MC user. Vertica allows the user to perform operations in MC only when that user has both MC privileges and corresponding database privileges.
As a best practice, you should identify, in advance, the appropriate Vertica database user account that has privileges or roles similar to one of the MC database roles.
See Creating an MC User for more information.
MC Database Privileges By Role
The following table summarizes MC database-level privileges by user role. The table shows the default privileges each role has. Operations marked "database user privilege" are dependent on the privileges of the Vertica database user account to which the MC user is mapped.
Default database-level privileges | ADMIN | ASSOCIATE | IT | USER |
---|---|---|---|---|
View database Overview page | Yes | Yes | Yes | Yes |
View database messages | Yes | Yes | Yes | Yes |
Delete messages and mark read/unread | Yes | Yes | Yes | |
Audit and install Vertica licenses | Database user privilege | Database user privilege | | |
View database Activity page: | Yes | Database user privilege | Database user privilege | Database user privilege |
View database Activity page: | Database user privilege | Database user privilege | | |
Start a database | Yes | | | |
Rebalance, stop, or drop databases | Database user privilege | | | |
View Manage page | Yes | Yes | Yes | Yes |
View node details | Yes | Yes | Yes | |
Replace, add, or remove nodes | Database user privilege | | | |
Start/stop a node | Yes | | | |
View database Settings page | Yes | Yes | Yes | |
Modify database Settings page | Database user privilege | Database user privilege | | |
View Database Designer | Database user privilege | Database user privilege | | |
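
The following added example (a simplified model, not Vertica or MC code) applies the mapping rule described above to five rows of the table and reviews MC-user-to-database-user mappings for conflicts. It assumes that "Yes" cells are granted by the MC role alone and that a database account can be summarized as a set of permitted operations; the account names, user names, and the `decide` and `audit` helpers are hypothetical.

```python
# Added example: simplified model of the MC role / database user check.
YES, DB, NO = "Yes", "Database user privilege", ""
ROLES = ("ADMIN", "ASSOCIATE", "IT", "USER")

# Five rows copied from the table on this page; columns follow ROLES.
MATRIX = {
    "Audit and install Vertica licenses": (DB, DB, NO, NO),
    "View node details": (YES, YES, YES, NO),
    "Replace, add, or remove nodes": (DB, NO, NO, NO),
    "View database Settings page": (YES, YES, YES, NO),
    "Modify database Settings page": (DB, DB, NO, NO),
}

def decide(role, operation, db_allowed):
    """Return (allowed, reason). db_allowed is the set of operations the
    mapped database account may perform (an assumed abstraction)."""
    cell = MATRIX[operation][ROLES.index(role)]
    if cell == NO:
        return False, "not in MC role"
    if cell == DB and operation not in db_allowed:
        return False, "mapped database user lacks privilege"
    return True, ("MC role default" if cell == YES else "via mapped database user")

def audit(mappings, db_accounts):
    """Report per MC user: 'missing' (role defers to the database, account
    cannot do it) and 'excess' (account can do it, role never exposes it)."""
    report = {}
    for mc_user, (role, db_user) in mappings.items():
        allowed = db_accounts.get(db_user)
        if allowed is None:  # no database account mapped to this MC user
            report[mc_user] = {"unmapped": True, "missing": [], "excess": []}
            continue
        col = ROLES.index(role)
        missing = sorted(op for op, row in MATRIX.items()
                         if row[col] == DB and op not in allowed)
        excess = sorted(op for op in allowed
                        if op in MATRIX and MATRIX[op][col] == NO)
        report[mc_user] = {"unmapped": False, "missing": missing, "excess": excess}
    return report

# Constructed sample data: account names and permitted operations are invented.
DB_ACCOUNTS = {
    "dbadmin": set(MATRIX),
    "report_ro": {"View node details", "View database Settings page"},
}
MAPPINGS = {"alice": ("ADMIN", "dbadmin"), "bob": ("ASSOCIATE", "dbadmin"),
            "carol": ("ADMIN", "report_ro"), "dave": ("IT", None)}
```

A non-empty `excess` list means the mapped database account is broader than the MC role, so the MC interface is the only thing limiting that user; a non-empty `missing` list means the role's "Database user privilege" operations will be refused.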