Adding Roles for LDAP Logins
A role manager assigns a DSE role by matching the username provided for authentication with a DSE role name. Create a role for each LDAP user who needs to access the database.
The LDAP |
Procedure
-
Create a
login
role that matches theusername
:CREATE ROLE <ldap_user_role> WITH LOGIN = true;
-
<ldap_user_role>
- The username passed from the authenticator to the role manager; the string is exactly as the user entered it at login, including case. -
LOGIN - Required to allow the user basic access to the database.
-
SUPERUSER - Grants full database access, except on objects that a permission has been restricted (see Restricting access to data).
Do NOT set a password.
-
-
Bind the assignment to an authentication scheme:
GRANT EXECUTE on LDAP SCHEME to <ldap_user_role>;
-
To allow another role to manage the new role:
GRANT AUTHORIZE FOR ALTER, DROP ON <new_role_name> TO <management_role>;
All superusers have authorize permissions on all roles. And the role that created the role is granted all permissions on the role.
What is Next
Assign permissions to the role, see Assigning permissions.