Secure User Management is best achieved by integration with your centralized authentication service. Once integration is complete, create LDAP authenticated named users to facilitate separation of duties, least privileges, and auditing. Disable the out-of-the-box generic ADMIN and SYSADMIN accounts.
Use LDAP for Authentication
As described under System Configuration above, enable LDAP authentication to leverage your enterprise authentication service and enable SSL/TLS to secure LDAP connections.
Create Named Users
Do not create generic functional accounts such as “QA,” “DEV,” or “TEST.” Such accounts will not leave a proper audit trail and violate the separation of duties principle. Instead, create LDAP authenticated named users.
For additional information, see User Privileges for Delphix Objects.
Assign Least Privileges
Restrict the admin and sysadmin roles to 1-2 trusted named users each. These roles are highly privileged and must be carefully managed. These roles typically map to a DBA and System Administrator respectively.
For subordinate users who need to refresh VDBs, assign “Data Operator” privilege on the VDB and “Reader” privilege on the dSource.
For subordinate users who need to provision new VDBs from dSources, assign “Provisioner” privilege on the dSource and “Provisioner” privilege on the Group to which they will assign the VDB.
Consider Delphix Self-Service Functionality
The Delphix Self-Service functionality is targeted towards developer and tester self-service, and it contains a more sophisticated privilege model. With this functionality, Delphix Self-Service users do not have access to the Administrator GUI.
Administrators can define multiple data sources as a complete template. They also allocate server resources as a “data container.” The end user has the ability to update data from the source, from peers using the same source, and from prior images of the source that they have created.
Disable ADMIN and SYSADMIN
Once you have established named Delphix Administrators and Systems Administrators, disable the out-of-the-box
admin accounts. You can disable accounts through the CLI.
When engines created before 5.3.1 are upgraded to 5.3.1 or later they will retain their old username 'delphix_admin'. To avoid complications Delphix recommends creating users with an admin role and then Disabling delphix_admin.