Roles
Overview
A role is a named binding between a set of users (the role membership) and a set of access rights (the role permissions). According to Wikipedia,
Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.
In SciDB, roles are used:
- to control access to namespaces and the arrays they contain, and
- to control access to database administrative functions.
When a user connects to SciDB, she acquires all access rights from all roles of which she is a member.
Role Operators
This table summarizes the AFL operators that manipulate roles.
| Operator | Description |
|---|---|
| /wiki/spaces/SD/pages/241369191 | List existing roles. |
| /wiki/spaces/SD/pages/242974828 | Create a new role. |
| /wiki/spaces/SD/pages/241631436 | Remove a role. |
| /wiki/spaces/SD/pages/242843809 | Add a user account to one or more roles. The user account becomes a member of those roles. |
| /wiki/spaces/SD/pages/242745423 | Remove a user account from one or more roles. The user account loses its membership in those roles. |
| /wiki/spaces/SD/pages/241500313 | Show a user account's role memberships. |
| /wiki/spaces/ESD169/pages/50856184 | Show a role's members. |
| /wiki/spaces/SD/pages/242811019 | Associate a role with access rights to an entity (typically a namespace). |
| /wiki/spaces/SD/pages/241369164 | Show the access rights associated with the role. |
The /wiki/spaces/SD/pages/241664119 operator creates a role with the same name as the created user account. This allows access rights to be granted on a per-user basis. The automatically created per-user role is automatically removed by /wiki/spaces/SD/pages/242778269. The role has only a single member, the corresponding user account.
The Special admin and operator Roles
The role names admin and operator are special. When these roles are created, they are automatically associated with access rights to an unnamed entity that represents the SciDB database. The output of /wiki/spaces/SD/pages/241369164 for an ordinary namespace access role, experimenter, and the two special roles illustrates this:
AFL% show_role_permissions('experimenter');
{i} entity,name,permissions
{0} 'namespace','trials','clru'
AFL% show_role_permissions('operator');
{i} entity,name,permissions
{0} 'database','','o'
AFL% show_role_permissions('admin');
{i} entity,name,permissions
{0} 'database','','a'
The next sections describe the privileges associated with the operator and admin roles.
Operator Privileges
User accounts granted the operator role can perform the following administrative functions:
- May use the iquery --admin option to issue queries on a high-priority communications channel.
- May view and reset statistics with the stats_instance, stats_query, and stats_instance_reset operators.
- May examine array distributions with the /wiki/spaces/SD/pages/242778304 operator.
- May view extended cluster membership information with the /wiki/spaces/SD/pages/242942105 operator.
- May view all active queries, not just their own, with the /wiki/spaces/SD/pages/241369191 operator.
- May manipulate user accounts with the /wiki/spaces/SD/pages/241664119, /wiki/spaces/SD/pages/242778269, and /wiki/spaces/SD/pages/242450488 operators.
- May manipulate roles with the /wiki/spaces/SD/pages/242974828, /wiki/spaces/SD/pages/241631436, and /wiki/spaces/SD/pages/242811019 operators.
- May grant and revoke roles with the /wiki/spaces/SD/pages/242843809 and /wiki/spaces/SD/pages/242745423 operators, but with the caveat that operators may not grant or revoke the special roles admin and operator.
- May examine the privileges and roles of other users with the /wiki/spaces/SD/pages/668696626 operator.
Admin Privileges
The database administrator account scidbadmin and all user accounts granted the admin role have all the operator privileges listed above, plus the following:
- May create and drop namespaces with the /wiki/spaces/SD/pages/241631429 and /wiki/spaces/SD/pages/241598582 operators.
- May create and drop the special roles admin and operator.
- May add and remove user accounts from the special roles admin and operator.
- May perform file I/O using unrestricted path names. See File I/O Restrictions.
- May load and unload plugins using the /wiki/spaces/SD/pages/241631465 and /wiki/spaces/SD/pages/242778316 operators.
- May change cluster membership using the /wiki/spaces/SD/pages/242712696, /wiki/spaces/SD/pages/241401954, and /wiki/spaces/SD/pages/241664150 operators.
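The following Python model is an added example, not SciDB code, and it ties together the rules stated on this page: a connecting user holds the union of rights from every role she belongs to (Overview), creating an account creates a same-named single-member role that is removed with the account (Role Operators), the special roles admin and operator are bound to the unnamed database entity at creation with the letters 'o' and 'a' shown in the show_role_permissions output above, admin accounts hold every operator privilege, and operators may not grant or revoke the two special roles. The method names (create_role, add_user_to_role, effective_rights, may_grant, and so on) are the model's own and mirror the table descriptions rather than SciDB operator signatures; the permission letters 'clru', 'o' and 'a' are copied from the page's output and treated as opaque strings, since the page does not define them.

```python
from collections import defaultdict

# Roles that are bound to the unnamed database entity when created.
SPECIAL_ROLES = {"admin", "operator"}


class RoleModel:
    """In-memory model of the role semantics this page describes (added example, not SciDB code)."""

    def __init__(self):
        self._perms = {}    # role name -> {(entity, name): set of permission letters}
        self._members = {}  # user name -> set of role names the user belongs to

    def create_role(self, role):
        self._perms.setdefault(role, {})
        if role in SPECIAL_ROLES:
            # Special roles automatically receive a database right: 'o' for operator, 'a' for admin.
            letter = "o" if role == "operator" else "a"
            self._perms[role].setdefault(("database", ""), set()).add(letter)

    def drop_role(self, role):
        self._perms.pop(role, None)
        for roles in self._members.values():
            roles.discard(role)

    def create_user(self, user):
        # Creating an account also creates a same-named role whose only member is that account.
        self._members.setdefault(user, set())
        self.create_role(user)
        self._members[user].add(user)

    def drop_user(self, user):
        self._members.pop(user, None)
        self.drop_role(user)  # the per-user role is removed together with the account

    def set_role_permissions(self, role, entity, name, letters):
        self._perms.setdefault(role, {})[(entity, name)] = set(letters)

    def add_user_to_role(self, user, role):
        self._members.setdefault(user, set()).add(role)

    def drop_user_from_role(self, user, role):
        self._members.get(user, set()).discard(role)

    def show_role_permissions(self, role):
        """Rights held directly by one role, letters sorted for stable comparison."""
        return {key: "".join(sorted(v)) for key, v in self._perms.get(role, {}).items() if v}

    def effective_rights(self, user):
        """Union of rights over every role the user is a member of (what a connecting user holds)."""
        merged = defaultdict(set)
        for role in self._members.get(user, ()):
            for key, letters in self._perms.get(role, {}).items():
                merged[key] |= letters
        return {key: "".join(sorted(v)) for key, v in merged.items() if v}

    def is_admin(self, user):
        return "a" in self.effective_rights(user).get(("database", ""), "")

    def is_operator(self, user):
        # Admin accounts have all operator privileges, so 'a' counts as well as 'o'.
        db = self.effective_rights(user).get(("database", ""), "")
        return "o" in db or "a" in db

    def may_grant(self, actor, role):
        """Membership changes to admin/operator need an admin; any operator may change ordinary roles."""
        if role in SPECIAL_ROLES:
            return self.is_admin(actor)
        return self.is_operator(actor)


def build_example():
    """Constructed scenario mirroring the page's show_role_permissions output (hypothetical users)."""
    m = RoleModel()
    m.create_role("experimenter")
    m.set_role_permissions("experimenter", "namespace", "trials", "clru")
    m.create_role("operator")
    m.create_role("admin")
    m.create_user("alice")                 # hypothetical account
    m.add_user_to_role("alice", "experimenter")
    m.add_user_to_role("alice", "operator")
    m.create_user("bob")                   # hypothetical account
    m.add_user_to_role("bob", "admin")
    return m


if __name__ == "__main__":
    model = build_example()
    for user in ("alice", "bob"):
        print(user, model.effective_rights(user), "operator:", model.is_operator(user),
              "admin:", model.is_admin(user))
    print("alice may grant admin:", model.may_grant("alice", "admin"))
```

The useful check here is may_grant: an operator account such as alice can add members to an ordinary namespace role but not to admin or operator, while bob, holding 'a' on the database, can do both and also passes every operator check without being a member of the operator role.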