CLI cookbooks: enabling and configuring environment permissions

This topic describes how to enable the environment permissions feature to restrict what users can do with environments.

By default, all engine users can list all environments and hosts and see their details. Moreover, all users are able to link dSources from and provision VDBs to any environment without requiring any permissions on environments, as long as they have appropriate permissions on the target group where the dsource or VDB will be located.

Enabling environment and permissions

To restrict non-administrator users from seeing, linking from, and provisioning to any environment, Engine Administrators can enable environment authorizations.

Copy 
delphix> authorization configuration
delphix authorization configuration > ls
Properties    type: AuthorizationConfig
environmentAndHostAuth: false Operations update

delphix authorization configuration> update
delphix authorization configuration update *> set environmentAndHostAuth=true
delphix authorization configuration update *> commit

Similarly, to go back to the default state in which all users have permission to perform those operations, the Engine Administrator must set the environmentAndHostAuth property back to false.

Granting and revoking permissions on environments and hosts

When environment permissions are enabled, only Engine Administrators can list environments and hosts, see their details, or link dSources from or provision VDBs to environments.

To authorize any other user to perform such an operation on an environment or host, a Engine Administrator must create an appropriate authorization.

Copy 
delphix> authorization create
delphix authorization create *> set user=someuser
delphix authorization create *> set role=PROVISIONER
delphix authorization create *> set target=SourceEnvironment:/somehost.example.com

To revoke an authorization, a Engine Administrator must delete the corresponding authorization object.

Copy 
delphix> authorization
delphix> ls
REFERENCE        USER      ROLE   TARGET
AUTHORIZATION-1  sysadmin  OWNER  sysadmin
AUTHORIZATION-2  admin     OWNER  admin
AUTHORIZATION-3  admin     OWNER  domain0
AUTHORIZATION-4  someuser  Data   SourceEnvironment:/somehost.example.com 

delphix authorization> select `AUTHORIZATION-4
delphix authorization '(USER-2, ROLE-2, UNIX_HOST_ENVIRONMENT-1)'> delete
delphix authorization '(USER-2, ROLE-2, UNIX_HOST_ENVIRONMENT-1)' delete *
> commit

Environment and host permissions

Role

Environment privileges

Host privileges

Owner

  • Can provision VDBs from the environment

  • Can link dSources from the environment

  • Can access the same information as a Reader

Can access the same information as a Reader

Provisioner

  • Can access statistics on the dSource, VDB, or snapshot such as usage, history, and space consumption

  • Can provision VDBs from owned dSources and VDBs

Can access the same information as a Reader

Data Operator

  • Can access statistics on the dSource, VDB, or snapshot such as usage, history, and space consumption

  • Can refresh or rollback VDBs

  • Can snapshot dSources and VDBs

Can access the same information as a Reader

Reader

  • Can see the configuration of the environment

Can see the configuration of the host

Self-Service Only

  • Can access the same information as a Reader

Can see the configuration of the host