Users and roles in Managed Service for Greenplum®
Greenplum® manages database access rights using roles. Roles can own database objects, such as tables, and have attributes and privileges. You can assign privileges to other roles on behalf of a particular role.
In Greenplum®, a user is a role that can log in to the database. To do this, it is granted the LOGIN attribute.
You can manage cluster users using SQL commands run on behalf of the admin user with the mdb_admin role. The admin username and password are set when creating a cluster. For more information, see Managing roles and users.
To grant the admin user privileges to another user, assign the mdb_admin role to it:
GRANT mdb_admin TO <username>;
Attributes
A role has attributes that define which operations it can perform in the database.
Attributes | Description |
---|---|
SUPERUSER or NOSUPERUSER | Defines whether the role is a superuser. In Managed Service for Greenplum®, the SUPERUSER attribute is assigned to the gpadmin and monitor service roles and is not available to service users. |
CREATEDB or NOCREATEDB | Determines whether a database may be created. The default attribute is NOCREATEDB. |
CREATEROLE or NOCREATEROLE | Determines whether other roles may be created and managed. The default attribute is NOCREATEROLE. |
INHERIT or NOINHERIT | Determines whether the role inherits the privileges of the roles it is a part of. The default attribute is INHERIT. |
LOGIN or NOLOGIN | Determines whether the role may log in to the system, i.e., whether it is a user. The default attribute is NOLOGIN. |
CONNECTION LIMIT <value> | Number of concurrent connections for the role with the LOGIN attribute. The default value is -1 (unlimited). |
CREATEEXTTABLE or NOCREATEEXTTABLE | Determines whether external tables may be created. The default attribute is NOCREATEEXTTABLE. |
PASSWORD '<password>' | Setting a password for the role. If no authentication is required for the role, you can skip this attribute. |
ENCRYPTED or UNENCRYPTED | Save the password as a hash string or plain text. The default attribute is ENCRYPTED. For more information about protecting authorization passwords, see the Greenplum® documentation. |
Group roles
Some roles can become a part of other roles and inherit their privileges. When privileges of the parent role are changed, privileges of all roles within it are changed as well. For more information about group roles, see the Greenplum® documentation.
Privileges
Privileges determine what a role can do with database objects.
Do not use the mdb_admin role for routine tasks, because an incorrect command sent on its behalf may cause the cluster to fail. For these tasks, create separate roles with the minimum required privileges:
Object type | Privileges |
---|---|
Tables, external tables, views | |
Columns | |
Sequences | |
Databases | |
Domains | |
External data shells | |
External servers | |
Functions | |
Procedural languages | |
Schemas | |
Tablespaces | |
Types | |
Protocols | |
For more information about privileges and how to manage them, see the Greenplum® documentation.
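The following SQL is an added example, not taken from this page or from the Greenplum® documentation. It shows one way to follow the advice above: a group role carries the minimum privileges, a separate user inherits them, and two catalog queries review who holds mdb_admin or elevated attributes. The schema name analytics, the role names reporting_ro and report_user, and the connection limit of 5 are assumptions made for illustration.

```sql
-- Added example: least-privilege roles instead of sharing mdb_admin.
-- Run as the admin user. "analytics", "reporting_ro" and "report_user"
-- are hypothetical names; replace <password> with a real secret.

-- 1. Group role that only holds privileges. NOLOGIN is the default and is
--    written out here so the intent is visible in review.
CREATE ROLE reporting_ro NOLOGIN;

-- 2. Minimum privileges for read-only access to one schema.
--    ALL TABLES IN SCHEMA covers only tables that exist at grant time;
--    tables created later need a new GRANT.
GRANT USAGE ON SCHEMA analytics TO reporting_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO reporting_ro;

-- 3. User: a role with LOGIN. INHERIT (the default) lets it use the group
--    role's privileges; CONNECTION LIMIT replaces the unlimited default (-1).
CREATE ROLE report_user LOGIN INHERIT CONNECTION LIMIT 5
    PASSWORD '<password>';
GRANT reporting_ro TO report_user;

-- 4. Review: roles that are direct members of mdb_admin.
SELECT m.rolname AS member, m.rolcanlogin, m.rolinherit
FROM pg_auth_members am
JOIN pg_roles g ON g.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
WHERE g.rolname = 'mdb_admin'
ORDER BY m.rolname;

-- 5. Review: users with elevated attributes or no connection limit.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolconnlimit
FROM pg_roles
WHERE rolcanlogin
  AND (rolsuper OR rolcreatedb OR rolcreaterole OR rolconnlimit = -1)
ORDER BY rolname;

-- 6. Offboarding: remove the membership and disable login.
REVOKE reporting_ro FROM report_user;
ALTER ROLE report_user NOLOGIN;
```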
Greenplum® and Greenplum Database® are registered trademarks or trademarks of VMware, Inc. in the United States and/or other countries.