Add roles for LDAP logins

A role manager assigns a Hyper-Converged Database (HCD) role by matching the username provided for authentication with a HCD role name. Create a role for each LDAP user who needs to access the database.

The LDAP username attribute is defined in ldap_user_search_filter, such as the UID (Open LDAP) or SamAccountName (Microsoft Active Directory).

Create a login role that matches the username:

CREATE ROLE LDAP_USER_ROLE WITH LOGIN = true;

Replace LDAP_USER_ROLE with the name of the LDAP user.

Parameter	Description
`LDAP_USER_ROLE`	The username passed from the authenticator to the role manager. The string is exactly as the user entered it at login, including case. Note: SUPERUSER is name of a role that is granted full database access, except on objects with a restricted permission. For more information, see Restrict access to data.
LOGIN	REQUIRED. Allows the user basic database access.

Parameter

Description

LDAP_USER_ROLE

The username passed from the authenticator to the role manager. The string is exactly as the user entered it at login, including case.

Note: SUPERUSER is name of a role that is granted full database access, except on objects with a restricted permission. For more information, see Restrict access to data.

REQUIRED. Allows the user basic database access.

Do NOT set a password.

Bind the assignment to an authentication scheme:
```
GRANT EXECUTE on LDAP SCHEME to <`LDAP_USER_ROLE`>;
```
This step is required only when enabling scheme permissions.
To allow another role to manage the new role:
```
GRANT AUTHORIZE FOR ALTER, DROP
ON <new_role_name>
TO <management_role>;
```
All superusers have authorize permissions on all roles. And the role that created the role is granted all permissions on the role.

Next steps

Assign permissions to the role. For more information, see Assign permissions.

Add roles for LDAP logins

Next steps

Was this helpful?

Give Feedback

Add roles for LDAP logins

Create and bind a login role

Next steps

Was this helpful?