This topic describes how to enable the environment permissions feature to restrict what users can do with environments.

By default, all engine users can list all environments and hosts and see their details. Moreover, all users can link dSources from and provision VDBs to any environment without requiring any permissions on environments, as long as they have appropriate permissions on the target group where the dSource or VDB will be located.

Enabling Environment and Permissions

To restrict non-administrator users from seeing, linking from, and provisioning to any environment, Delphix administrators can enable environment authorizations.

delphix> authorization configuration
delphix authorization configuration> ls
Properties
    type: AuthorizationConfig
    environmentAndHostAuth: false

Operations
update
delphix authorization configuration> update
delphix authorization configuration update *> set environmentAndHostAuth=true
delphix authorization configuration update *> commit

Similarly, to go back to the default state in which all users have permission to perform those operations, the Delphix administrator must set the environmentAndHostAuth property back to false.

Granting and Revoking Permissions on Environments and Hosts

When environment permissions are enabled, only Delphix administrators can list environments and hosts, see their details, or link dSources from or provision VDBs to environments.

To authorize any other user to perform such an operation on an environment or host, a Delphix administrator must create an appropriate authorization.

delphix> authorization create
delphix authorization create *> set user=someuser
delphix authorization create *> set role=PROVISIONER
delphix authorization create *> set target=SourceEnvironment:/somehost.example.com
delphix authorization create *> commit

To revoke an authorization, a Delphix administrator must delete the corresponding authorization object.

delphix> authorization
delphix authorization> ls
REFERENCE        USER      ROLE   TARGET                                  
AUTHORIZATION-1  sysadmin  OWNER  sysadmin
AUTHORIZATION-2  admin     OWNER  admin
AUTHORIZATION-3  admin     OWNER  domain0
AUTHORIZATION-4  someuser  Data   SourceEnvironment:/somehost.example.com

delphix authorization> select AUTHORIZATION-4
delphix authorization '(USER-2, ROLE-2, UNIX_HOST_ENVIRONMENT-1)'> delete
delphix authorization '(USER-2, ROLE-2, UNIX_HOST_ENVIRONMENT-1)' delete *> commit
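
Before revoking access, the listing can be reviewed offline to see which non-administrator users hold grants on which environments. The Python script below is an added example, not Delphix code: it parses the listing shown above, groups non-administrator grants by environment target, and returns the authorization references to delete. It assumes that columns are separated by at least two spaces, that environment targets appear as Type:/name as in the listing, and that sysadmin and admin are the administrator accounts; all function names are hypothetical.

```python
import re

# Listing taken from the `ls` output shown on this page.
SAMPLE_LISTING = """\
REFERENCE        USER      ROLE   TARGET
AUTHORIZATION-1  sysadmin  OWNER  sysadmin
AUTHORIZATION-2  admin     OWNER  admin
AUTHORIZATION-3  admin     OWNER  domain0
AUTHORIZATION-4  someuser  Data   SourceEnvironment:/somehost.example.com
"""

def parse_authorizations(listing):
    """Turn the listing into a list of dicts keyed by column name."""
    lines = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    names = lines[0].split()
    rows = []
    for ln in lines[1:]:
        # Assumption: two or more spaces separate columns, so a role name
        # containing a single space stays in one field.
        fields = re.split(r"\s{2,}", ln, maxsplit=len(names) - 1)
        if len(fields) == len(names):
            rows.append(dict(zip(names, fields)))
    return rows

def environment_grants(rows, admins=("sysadmin", "admin")):
    """Group non-administrator grants by environment or host target."""
    grants = {}
    for r in rows:
        # Assumption: environment targets are displayed as "<Type>:/<name>".
        if ":/" in r["TARGET"] and r["USER"] not in admins:
            entry = (r["USER"], r["ROLE"], r["REFERENCE"])
            grants.setdefault(r["TARGET"], []).append(entry)
    return grants

def references_to_revoke(rows, user, target):
    """Return the authorization references to select and delete."""
    return [r["REFERENCE"] for r in rows
            if r["USER"] == user and r["TARGET"] == target]

if __name__ == "__main__":
    rows = parse_authorizations(SAMPLE_LISTING)
    for target, entries in environment_grants(rows).items():
        print(target, entries)
```
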

Permissions on Environments and Hosts

Role    Environment Privileges    Host Privileges
Owner
  • Can provision VDBs from environment
  • Can link dSources from environment
  • Can access the same information as a Reader
  • Can access the same information as a Reader
Provisioner
  • Can access statistics on the dSource, VDB, or snapshot such as usage, history, and space consumption
  • Can provision VDBs from owned dSources and VDBs
  • Can access the same information as a Reader
Data Operator
  • Can access statistics on the dSource, VDB, or snapshot such as usage, history, and space consumption
  • Can refresh or rollback VDBs
  • Can snapshot dSources and VDBs
  • Can access the same information as a Reader
Reader
  • Can see the configuration of the environment
  • Can see the configuration of the host
Self-Service Only
  • Can access the same information as a Reader
  • Can see the configuration of the host