User Types and User Management
There are three user types in the Delphix user model: the system administrator, the Delphix user, and the Self-service user.
System administrator users are responsible for managing the Delphix Engine itself, but not the objects (Environments, dSources, VDBs) within the server. For example, a system administrator is responsible for setting the time on the Delphix Engine and its network address, restarting it, creating new system administrator users (but not Delphix users), and other similar tasks.
A user called sysadmin is the default system administrator user. While this user can be suspended, it may not be deleted. When the Delphix Management application first launches, this user can log in using the username sysadmin and password sysadmin.
To create or modify system administrators, first, log in to Delphix Setup and navigate to the Users section of the homepage. Here, you can:
- Add new system administrators with the plus sign
- Change system administrator passwords with the pencil icon
- Delete system administrators with the trashcan icon
- Suspend system administrators with the pause button
- Reinstate system administrators with the play button
Delphix users are responsible for managing the environments and datasets within Delphix, such as dSources, virtual databases (VDBs), users, groups, and related policies and resources.
A Delphix user can be marked as a Delphix Administrator. Delphix Administrators have three special privileges:
- They can manage other Delphix users
- They implicitly have Owner privileges for all Delphix objects
- They can create new groups and new environments
The default Delphix user provided with a Delphix Engine is a Delphix Administrator and is called admin. Like the sysadmin user, admin cannot be deleted. When the Delphix Management application launches, the admin user can log in using the password specified during the initial setup when Delphix was first launched.
Only these two users require password-based authentication. Other users may authenticate through other mechanisms such as LDAP or Kerberos, as described in Configuring and Managing Kerberos and Configuring and using LDAP with the Delphix Engine.
Delphix Self-Service has two types of users: the admin user and the data user.
Admin users have full access to all report data and can configure Delphix Self-Service. Additionally, they can:
- Use the Delphix Engine to add/delete users
- Change tunable settings
- Add/delete tags
- Create and assign data templates and containers
Data users have access to production data provided in a data container. The data container provides these users with a playground in which to work with data using the Self-Service Toolbar.
For more information on Self-service users, visit our Self-service documentation.
User Privileges for Delphix Objects
The user roles on Delphix objects consist of four types, which the Engine Admin user assigns: Provisioner, Owner, Data Operator, and Reader. These privileges apply both to objects, such as dSources and Virtual Databases (VDBs), and to groups, which are containers that hold those objects.
The Delphix Administrator user can assign privileges to groups, dSources, and VDBs. Privileges are inherited, meaning that privileges assigned to a group are effective for the dSources and VDBs contained in that group.
If a user does not have a privilege in relation to an object or group, then he or she has no visibility into that object or group.
Roles and Privileges for Delphix Objects
Creating groups helps you manage policies and privileges over objects within that group. When privileges are created for users at the group level, those privileges apply to all objects of that type within the group. When new objects are created or added to the group, the policies and privileges you have created at the group level will be applied to them.
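The inheritance and visibility rules described above can be worked through for an access review. The following Python is an added example, not Delphix code or a Delphix export format: the user, group and object names and the grant tuples are constructed. Because this page does not define any precedence between the four roles, the example reports every role a user holds on an object instead of ranking them.

```python
# Constructed sample data for illustration; not a Delphix export format.
DELPHIX_ADMINS = {"admin"}  # users marked as Delphix Administrator
GROUP_OF = {"erp_src": "Finance", "erp_vdb1": "Finance", "crm_vdb1": "Sales"}
ROLES = {"Provisioner", "Owner", "Data Operator", "Reader"}
# (user, target kind, target name, role)
GRANTS = [
    ("alice", "group", "Finance", "Provisioner"),
    ("bob", "object", "erp_vdb1", "Data Operator"),
    ("bob", "group", "Finance", "Reader"),
    ("carol", "group", "Sales", "Reader"),
]


def effective_roles(user, obj):
    """Map each role `user` holds on `obj` to how it was obtained."""
    group = GROUP_OF[obj]  # KeyError for an unknown object
    found = {}
    if user in DELPHIX_ADMINS:
        # Delphix Administrators implicitly have Owner on all objects.
        found["Owner"] = "implicit (Delphix Administrator)"
    for who, kind, name, role in GRANTS:
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        if who != user:
            continue
        if kind == "object" and name == obj:
            found.setdefault(role, "direct")
        elif kind == "group" and name == group:
            # A group-level privilege is effective for objects in the group.
            found.setdefault(role, f"inherited from group {name}")
    return found


def visible_objects(user):
    """Objects the user can see: no privilege means no visibility."""
    return sorted(o for o in GROUP_OF if effective_roles(user, o))


if __name__ == "__main__":
    for user in ("admin", "alice", "bob", "carol", "dave"):
        print(user, visible_objects(user))
        for obj in visible_objects(user):
            print("   ", obj, effective_roles(user, obj))
```

Recording how each role was obtained separates broad group-level grants from per-object ones when reviewing who can reach a given dSource or VDB.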
Delphix supports a variety of authentication mechanisms to connect to several different interfaces and systems. For example, you can connect via the UI using the default users described above, or you can connect to the CLI using an API token.
There are three categories of authentication related to Delphix: the Delphix UI, the Delphix CLI/API, and external systems such as Kerberos access to connected source and target hosts. Below are detailed pages related to each of these three sections:
- UI Authentication:
  - Data Control Tower, formerly Central Management
  - Username and password
  - LDAP: Directory-based authentication to Delphix engines rather than the default local access
  - Single Sign-on: Integration and support for identity providers to authenticate users on a per engine basis using SAML2-SSO.
- CLI/API Authentication:
  - Username and password
  - Auto-authentication via SSH keys: to automatically sign in to the Delphix CLI without requiring user-input credentials
  - API Tokens
- External systems:
  - Username and password
  - SSH keys
  - Kerberos: Authentication for environments and data sources using Kerberos
Kerberos support is for access to connected environments, rather than the Delphix engine itself. This is an advanced topic and will require a solid understanding of Delphix concepts and architecture.