Administering Users in your Organization

This tutorial is helpful if you've just been given access to a new DeltaStream . It discusses the responsibilities of different administrator roles.

One of the first things to do when you begin to assemble a new organization in DeltaStream is to invite users to add other administrators to administrative roles, including:

• sysadmin

• securityadmin

• useradmin

• orgadmin

Note the role hierarchy illustrated in the diagram below:

Admin roles are built into DeltaStream. There are 4 types of admin roles:

1. ORGADMIN — Root of the the role hierarchy. This role manages operations at the organization level.

2. SYSADMIN — Role that has privileges to create, manage, and drop objects.

3. USERADMIN — Role that has privileges to manage users and roles within the organization.

4. SECURITYADMIN — Role that manages any object grants globally. This role inherits privileges from the useradmin role.

Using the OrgAdmin Role

The orgadmin role is the single most powerful role in DeltaStream. Use it only only for routine administrative tasks, such as inviting and removing users. Do not use it to grant access to resources for activities such creating and querying streams. For example, when you create objects such as databases, schemas, or relations, use the sysadmin or lower roles in the hierarchy. Similarly, when you invite new users or create new roles, use the useradmin role.

When someone first gets access to DeltaStream, they're granted the orgadmin role. In turn they inherit the sysadmin and securityadmin roles, and their default role sysadmin.

1. Adding OrgAdmin Users

INVITE USER 'user@demo.org' WITH (
  'roles' = (orgadmin, sysadmin), 
  'default' = sysadmin
);

2. Switching to a different role

After you invite others to be orgadmin, switch to use a different role.

USE ROLE useradmin;

Using the UserAdmin Role

1. Managing Invitations

Inviting other people to the organization

INVITE USER 'user@demo.org' WITH (
  'roles' = (useradmin, "public"), 
  'default' = "public"
);

Listing Invitations

<no-db>/<no-store># LIST PENDING INVITATIONS;
             Invitation ID             | Org name |                            Org ID                            |     Email     | Invited by  |    User roles    | Default role
---------------------------------------+----------+--------------------------------------------------------------+---------------+-------------+------------------+---------------
  8f7a4504-ce64-4ee3-a9b5-227925e9dq44 | doc_org  | 830e26fe-de4g-4996-839f-bccb258f8f91                         | user@demo.org | useradmin   | useradmin,public | public

Revoking Invitations

REVOKE INVITATION 8f7a4504-ce64-4ee3-a9b5-227925e9dq44;

Describing a User

<no-db>/<no-store># DESCRIBE USER 'user@demo.org' ;
  Given name | Family name |     Email     | Locale
-------------+-------------+---------------+---------
  user       | Demo        | user@demo.org | en

  GrantedRoles | Inherited
---------------+------------
  useradmin    |
  public       | ✓

2. Managing Roles

Granting a specific role to an individual or to another role

GRANT ROLE sysadmin TO USER 'user@demo.org';

The below example shows how to grant the custom role my_role to the sysadmin role:

GRANT ROLE my_role TO ROLE sysadmin;

Revoking a role from either a user or another role

REVOKE ROLE sysadmin FROM USER 'user@demo.org';

The below example shows how to revoke the custom role my_role from the sysadmin role:

REVOKE ROLE my_role FROM ROLE sysadmin;

Creating a custom role

CREATE ROLE production_role;

Dropping a custom role

DROP ROLE production_role;

Using the SecurityAdmin Role

The securityadmin role should be the default role for managing object grants. As the securityadmin role inherits privileges from the useradmin role, it's also a powerful role. And as with the orgadmin and useradmin roles, take care to give the role of securityadmin only to people who will need it.

1. Granting Privileges to Roles

GRANT CREATE_DATABASE ON ORGANIZATION TO ROLE my_role;

Revoking privileges from existing roles

REVOKE CREATE_DATABASE ON ORGANIZATION FROM ROLE my_role;

2. Granting Ownership of Objects to Different Roles

You can only transfer ownership of an object when:

• the current role is the owner of the object and has been granted the destination role

• the current role is securityadmin

Custom roles should be owned by the useradmin. You can grant the Sysadmin or other custom roles but not grant ownership.

GRANT OWNERSHIP ON DATABASE db TO my_role;

Using the SysAdmin Role

The sysadmin role has the privileges to create, manage, and drop objects. Most day-to-day tasks are done in the sysadmin role or in a custom role thesysadmin is granted.

Some of the main actions that sysadmin can perform include:

See also:

• Creating Stores for Streaming Data

• Using Multiple Stores in Queries

• Creating Relations to Structure Raw Data

• Namespacing with Database and Schema

• Creating and Querying Materialized Views