Managing Users
The CREATE USER statement (see Syntax of the CREATE USER statement) allows creating a new user in the Server. There are two types of users:
“Administrator” users (created by adding the ADMIN parameter to this statement). These users can perform any action over any database. You cannot restrict the privileges of an administrator user. Only administrator users can create administrator users.
“Normal” users. After creating them you have to grant them privileges so they can perform operations over the elements of the Server databases.
There are two authentication methods for Virtual DataPort users:
“Normal”: the credentials of the user are stored in Virtual DataPort.
“LDAP” (indicated with the LDAP parameter): when the user tries to connect to the Server, the Server connects to an LDAP server to check that the password provided by the user is correct. To use this authentication method, you have to create an LDAP data source that will be used to connect to the LDAP server, in order to check that the passwords provided by users are correct.
The parameter LDAP has two parameters:
DATASOURCE. The syntax is <databaseName>.<dataSourceName>. <databaseName> is the Virtual DataPort database where the LDAP data source is stored and <dataSourceName> is the name of the data source.
USERNAME. It is the name of the user in the LDAP server. For example, the value 'cn=test,ou=People,dc=denodo,dc=com' identifies the test user in an organizational unit People for the domain denodo.com.
CREATE [ OR REPLACE ] USER [ ADMIN ] <name:identifier> <authentication> [ <description:literal> ] [ <grant> ]*
<authentication> ::= <password:literal> SHA512 | LDAP ( DATASOURCE <databaseName:identifier>.<dataSourceName:identifier> USERNAME <name:literal> )
<grant> ::= (see Syntax of the clauses GRANT/REVOKE of CREATE USER and ALTER USER)
The section Modifying the Privileges of a User explains how to modify the privileges of existing users.
SHA512 indicates that the password will be stored as a SHA512 hash.
Note
The LDAP authentication of users is different from databases with LDAP authentication.
When the authentication type of a user is LDAP, the LDAP server is only used to check that the password provided by the user is correct. However, the privileges of this user are still managed from Virtual DataPort.
In a database with LDAP authentication, the privileges of the users are also obtained from the LDAP server.
Note
We do not recommend creating users with LDAP authentication. Instead, create databases with LDAP authentication, which simplifies the management of users and their privileges. See more about this type of database in the section Creating a Database with LDAP Authentication of the Administration Guide.
Note
If an LDAP data source is deleted on cascade (see section Removing Elements from the Catalog), then the users that depend on it will also be deleted. This operation can only be executed by an administrator user.
Example
Creating a user with some privileges over the database “customer”:
-- Encrypt the password that you want the new user to have
ENCRYPT_PASSWORD 'new password of the user';
-- Create the user
CREATE OR REPLACE USER new_user '<result of the command ENCRYPT_PASSWORD>' ENCRYPTED TRANSFER
GRANT CONNECT, METADATA, EXECUTE, WRITE ON customer;
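A further example, added here and not taken from the Denodo documentation, showing the LDAP form of <authentication> described above. It assumes that an LDAP data source named ldap_corp already exists in the Virtual DataPort database admin, and that the LDAP entry cn=analyst,ou=People,dc=denodo,dc=com exists; all three names are hypothetical.

```sql
-- Added example (not from the Denodo documentation). Assumes an LDAP data
-- source named ldap_corp already exists in the Virtual DataPort database
-- "admin"; the database, data source and LDAP entry names are hypothetical.
-- The LDAP server is only consulted to verify the password; the privileges
-- below are still managed in Virtual DataPort, so grant only what the
-- account needs (an ADMIN user cannot be restricted at all).
CREATE OR REPLACE USER ldap_analyst
    LDAP ( DATASOURCE admin.ldap_corp USERNAME 'cn=analyst,ou=People,dc=denodo,dc=com' )
    'Analyst account whose password is checked against the corporate LDAP'
    GRANT CONNECT, METADATA, EXECUTE ON customer;
```

Unlike the previous example, no password is stored in Virtual DataPort for this user; deleting the ldap_corp data source on cascade would also delete the user.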