Add roles for LDAP users
A role manager assigns a Hyper-Converged Database (HCD) role by matching the username provided for authentication with a HCD role name. Create a role for each LDAP user who needs to access the database.
The LDAP
Create and bind a login role
- Create a login role that matches the username. Don't set a password.

  CREATE ROLE LDAP_USER_ROLE WITH LOGIN = true;

  Replace LDAP_USER_ROLE with the name of the LDAP user. The username is passed from the authenticator to the role manager. The string is exactly as the user entered it at login, including case. SUPERUSER is the name of a role that is granted full database access, except on objects with a restricted permission. For more information, see Restrict access to data. WITH LOGIN is required for basic database access.
- Bind the assignment to an authentication scheme. This step is required only when enabling scheme permissions.

  GRANT EXECUTE ON LDAP SCHEME TO LDAP_USER_ROLE;
- To allow another role to manage the new role:

  GRANT AUTHORIZE FOR ALTER, DROP ON <new_role_name> TO <management_role>;

  All superusers have authorize permissions on all roles, and the role that created the role is granted all permissions on the role.
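The three steps above carried through for one LDAP user, as an added example that is not part of this page. The username 'Jane.Doe' and the management role ldap_role_admins are constructed placeholders; the statements use the syntax shown on this page. The role name is quoted because the role manager matches the username exactly as entered, including case, and an unquoted CQL identifier is folded to lower case and would therefore never match a mixed-case LDAP username. The LIST statements at the end are the checks to run afterwards to confirm the role has no superuser flag and holds only the permissions granted here.

```cql
-- Added example, not code from the page. 'Jane.Doe' and ldap_role_admins
-- are constructed placeholder names.

-- Management role that will be allowed to alter or drop LDAP login roles
-- without being a superuser. Created first so the later GRANT has a target.
CREATE ROLE ldap_role_admins;

-- Step 1: login role whose name matches the LDAP username exactly, including
-- case. Quoting preserves the mixed case; no password is set because
-- authentication happens against LDAP, not the internal credential store.
CREATE ROLE 'Jane.Doe' WITH LOGIN = true;

-- Step 2: required only when scheme permissions are enabled. Binds this role
-- to the LDAP scheme so it cannot authenticate through another scheme.
GRANT EXECUTE ON LDAP SCHEME TO 'Jane.Doe';

-- Step 3: delegate management of the new role to the management role, using
-- the resource form shown on this page.
GRANT AUTHORIZE FOR ALTER, DROP ON 'Jane.Doe' TO ldap_role_admins;

-- Verification: the new role should appear with login = true and
-- super = false, and its permission list should contain only the EXECUTE
-- grant on the LDAP scheme; the management role should hold only the
-- AUTHORIZE grants above.
LIST ROLES;
LIST ALL PERMISSIONS OF 'Jane.Doe';
LIST ALL PERMISSIONS OF ldap_role_admins;
```

Run the block in cqlsh as a superuser or as a role with CREATE and AUTHORIZE permissions on roles. Grant data permissions to 'Jane.Doe' separately under Next steps rather than extending this block; a login role with no permissions is the correct starting state.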
Next steps
Assign permissions to the role.