Users and groups
User types and user management
There are three user types in the Delphix user model: the system administrator, the Delphix user, and the Self-service user.
System administrators
System administrator users are responsible for managing the Delphix Engine itself, but not the objects (Environments, dSources, VDBs) within the server. For example, a system administrator is responsible for setting the time on the Delphix Engine and its network address, restarting it, creating new system administrator users (but not Delphix users), and other similar tasks.
A user called sysadmin is the default system administrator user. While this user can be suspended, it may not be deleted. When the Delphix Management application first launches, this user can log in using the username sysadmin and password sysadmin.
To create or modify system administrators, first, log in to Delphix Setup and navigate to the Users section of the homepage. Here, you can:
- Add new system administrators with the plus sign
- Change system administrator passwords with the pencil icon
- Delete system administrators with the trashcan icon
- Suspend system administrators with the pause button
- Reinstate system administrators with the play button
Delphix users
Delphix users are responsible for managing the environments and datasets within Delphix, such as dSources, virtual databases (VDBs), users, groups, and related policies and resources.
Delphix users can be marked as Engine Administrators. Engine Administrators have three special privileges:
- With user management permissions assigned, they can manage other Delphix users
- They implicitly have Owner privileges for all Delphix objects
- They can create new groups and new environments
The default Delphix user provided with a Delphix Engine is an Engine Administrator and is called admin. Like the sysadmin user, the admin user cannot be deleted. When the Delphix Management application launches, the admin user can log in using the password specified during the initial setup when Delphix was first launched.
Only these two users require password-based authentication. Other users may use other mechanisms such as LDAP or Kerberos, as described in Configuring and managing Kerberos and Configuring and using LDAP with the Delphix Engine.
Self-service users
Delphix Self-Service has two types of users: the admin user and the data user.
Admin users have full access to all report data and can configure Delphix Self-Service. Additionally, they can:
- Use the Delphix Engine to add/delete users
- Change tunable settings
- Add/delete tags
- Create and assign data templates and containers
Data users have access to production data provided in a data container. The data container provides these users with a playground in which to work with data using the Self-Service Toolbar.
For more information on Self-service users, visit our Self-service documentation.
Default support user - Delphix
The Delphix engine includes a default OS support user account named Delphix. This account is used exclusively by Delphix support teams for troubleshooting. Before support teams can use this account, you need to grant access to your engine and network in a remote session.
This account does not require a password, and instead uses a unique challenge-response authentication method to log in. To use this account, the Delphix engine must be registered.
For more information on support access, read security.
User privileges for Delphix objects
The user roles on Delphix objects consist of four types, which the Engine Admin user assigns: Provisioner, Owner, Data Operator, and Reader. These privileges apply both to objects, such as dSources and Virtual Databases (VDBs), and to groups, which are containers that hold those objects.
The Engine Administrator user can assign privileges to groups, dSources, and VDBs. Privileges are inherited, meaning that privileges assigned to a group are effective for the dSources and VDBs contained in that group.
If a user does not have a privilege in relation to an object or group, then he or she has no visibility into that object or group.
Roles and Privileges for Delphix Objects
| Role | Object privileges | Group privileges |
|---|---|---|
| Owner | | |
| Provisioner | | |
| Data Operator | | |
| Reader | | |
| Self-Service Only | | |
Managing groups
Creating groups helps you manage policies and privileges over objects within that group. When privileges are created for users at the group level, those privileges apply to all objects of that type within the group. When new objects are created or added to the group, the policies and privileges you have created at the group level will be applied to them.
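The inheritance rules above (group privileges flow down to contained objects, Engine Administrators implicitly hold Owner, and no role means no visibility) can be modelled for an access review. This is an added example, not Delphix code or its API; the class names, user names and sample objects are hypothetical, and roles are treated as independent labels because this page does not define what each role permits.

```python
from dataclasses import dataclass, field

ROLES = {"Owner", "Provisioner", "Data Operator", "Reader"}

@dataclass
class Group:
    name: str
    grants: dict = field(default_factory=dict)  # user name -> set of roles

@dataclass
class DataObject:  # a dSource or VDB; each object lives in one group
    name: str
    group: Group
    grants: dict = field(default_factory=dict)

def grant(target, user, role):
    """Record a role for a user on a group or on a single object."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    target.grants.setdefault(user, set()).add(role)

def effective_roles(user, obj, engine_admins=frozenset()):
    """Direct grants on the object plus grants inherited from its group."""
    if user in engine_admins:
        return {"Owner"}  # Engine Administrators implicitly own every object
    return obj.grants.get(user, set()) | obj.group.grants.get(user, set())

def access_review(users, objects, engine_admins=frozenset()):
    """Map each user to the objects they can see; no role means no visibility."""
    report = {}
    for user in users:
        visible = {}
        for obj in objects:
            roles = effective_roles(user, obj, engine_admins)
            if roles:
                visible[obj.name] = sorted(roles)
        report[user] = visible
    return report

# Constructed sample data (hypothetical names, not taken from a real engine).
finance, qa = Group("finance"), Group("qa")
objects = [DataObject("fin_dsource", finance), DataObject("qa_vdb", qa)]
grant(finance, "alice", "Reader")               # group-level grant
grant(objects[1], "bob", "Provisioner")         # object-level grant
objects.append(DataObject("fin_vdb", finance))  # added after the grant, still inherits
grant(objects[2], "alice", "Data Operator")

REPORT = access_review(["admin", "alice", "bob", "carol"], objects, engine_admins={"admin"})
```

A user who appears in the report with an empty mapping, like carol here, has no visibility into any object, which is the expected state for an account with no assigned privileges.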
Authentication mechanisms
Delphix supports a variety of authentication mechanisms to connect to several different interfaces and systems. For example, you can connect via the UI using the default users described above, or you can connect to the CLI using an API token.
There are three categories of authentication related to Delphix: the Delphix UI, the Delphix CLI/API, and external systems such as Kerberos access to connected source and target hosts. Below are detailed pages related to each of these three sections:
- UI authentication:
  - Data Control Tower, formerly Central Management
  - Username and password
  - LDAP: Directory-based authentication to Delphix engines rather than the default local access
  - Single Sign-on: Integration and support for identity providers to authenticate users on a per-engine basis using SAML2-SSO.
- CLI authentication:
  - Username and password
  - Auto-authentication via SSH keys: to automatically sign in to the Delphix CLI without requiring user-input credentials
- API authentication:
  - Username and password
  - API Tokens (for Delphix Engines registered with Data Control Tower)
  - OAuth2 JSON Web Tokens
- External systems:
  - Username and password
  - SSH keys
  - Kerberos: Authentication for environments and data sources using Kerberos
Kerberos support is for access to connected environments, rather than the Delphix engine itself. This is an advanced topic and will require a solid understanding of Delphix concepts and architecture.