Manage Users, Groups, and Roles
An Ocient system can have more than one database, and multiple applications can run within a single database. Administrators can define and manage users in Ocient to meet the needs of a multi-tenant environment. Through Ocient's user, group, and role management capabilities, administrators can ensure that users have privileges only to the objects and databases they need.
Users in Ocient are represented by a user name and password. They can have privileges to the system and/or to one or more databases within the system. A user's privileges can be granted directly to the user or inherited through groups or roles. A user can belong to zero or more groups and can hold zero or more of the pre-defined roles in the system. A user ID might be used by a person logging directly into Ocient through the Ocient CLI or by an application connecting to a database.
A fully qualified user name (FQUN) follows the pattern "<user_name>@<database_name>" and uniquely identifies a user. Use an FQUN to reference a user associated with a database other than the one you are connected to.
If an FQUN is not given when referencing a user object, Ocient assumes the user is associated with the database of the active connection.
A group is a collection of users that has a set of privileges assigned to it. Administrators can create groups that represent an application or a specific job role for users within the database. For example, a group called "US_Analysts" might only have privileges that allow access to data from the US. Groups belong to individual databases. In other words, you cannot define a group with privileges that span multiple databases.
A service class defines a set of limits on groups. The database applies service classes on a per-group basis. By default, all groups are in the DEFAULT service class that has no limits. For details, see Workload Management and Service Classes.
For each database, there is a public group to which every user of the database belongs. This lets administrators grant and revoke privileges for all users of the database at once by using the PUBLIC keyword in the GRANT statement. See the DCL section for examples and details.
Similar to groups, users can inherit privileges by being granted one of the pre-defined roles in Ocient. The names of roles and the privileges assigned to them are pre-defined by the system. A role applies either to the Ocient system as a whole or to one user-defined database. The roles in Ocient are as follows:
- Security Administrator: Can read, create, and modify all users/groups
- System Administrator: Can read, create, and modify system objects such as tables, clusters, databases, etc. Can also kill running queries system-wide
- System Analyst: Read-only access to the entire system
- DB Admin: Can read, create, and modify database objects such as tables, clusters, databases, etc. Can also create users for the database and kill running queries
- Analyst: Read-only rights to database objects and data within the database
These roles are named with the convention "<database_name> <role_name>" and appear in the sys.roles virtual table under those names.
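The following is an added example, not Ocient code, that models how the pieces above combine: FQUN resolution against the active connection's database, direct grants, database-scoped groups including the implicit PUBLIC group, and pre-defined roles. The privilege names per role, the "system" scope tag for system-level roles, and the sample directory are constructed assumptions that summarise the role descriptions on this page.

```python
from dataclasses import dataclass, field

# Assumed privilege sets summarising the five pre-defined roles listed above.
ROLE_PRIVS = {
    "Security Administrator": {"read_users", "create_users", "modify_users"},
    "System Administrator": {"read_objects", "create_objects", "modify_objects", "kill_queries"},
    "System Analyst": {"read_objects"},
    "DB Admin": {"read_objects", "create_objects", "modify_objects", "create_users", "kill_queries"},
    "Analyst": {"read_objects", "read_data"},
}
SYSTEM_ROLES = {"Security Administrator", "System Administrator", "System Analyst"}

def parse_fqun(name, active_db):
    """Split '<user_name>@<database_name>'; an unqualified name belongs to
    the database of the active connection."""
    user, sep, db = name.partition("@")
    return user, (db if sep else active_db)

@dataclass
class Database:
    name: str
    user_privs: dict = field(default_factory=dict)    # user -> privileges granted directly
    group_privs: dict = field(default_factory=dict)   # group -> privileges; PUBLIC reaches every user
    group_members: dict = field(default_factory=dict) # group -> member users (groups are per-database)
    user_roles: dict = field(default_factory=dict)    # user -> pre-defined roles

def effective_privileges(name, active_db, databases):
    """Union of direct grants, group grants (PUBLIC plus explicit memberships)
    and role grants for one user; each privilege is tagged with its scope."""
    user, db_name = parse_fqun(name, active_db)
    db = databases[db_name]
    privs = {f"{db_name}:{p}" for p in db.user_privs.get(user, set())}
    privs |= {f"{db_name}:{p}" for p in db.group_privs.get("PUBLIC", set())}
    for group, members in db.group_members.items():
        if user in members:
            privs |= {f"{db_name}:{p}" for p in db.group_privs.get(group, set())}
    for role in db.user_roles.get(user, set()):
        scope = "system" if role in SYSTEM_ROLES else db_name  # assumed scope tag
        privs |= {f"{scope}:{p}" for p in ROLE_PRIVS[role]}
    return privs

# Constructed sample directory: two databases, one group, a system role and a database role.
DBS = {
    "sales": Database("sales", user_privs={"ann": {"select:orders"}},
                      group_privs={"PUBLIC": {"select:regions"}, "US_Analysts": {"select:us_orders"}},
                      group_members={"US_Analysts": {"ann"}},
                      user_roles={"bob": {"Analyst"}, "ann": {"System Analyst"}}),
    "hr": Database("hr", user_privs={"ann": {"select:staff"}}),
}
```

Note that "ann" and "ann@hr" resolve to different users with unrelated privilege sets, which is why a review of a user's access must name the database explicitly.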