Mamori Users & Roles

Overview

Mamori comes with a built-in directory that provides users, roles and permissions.

Permissions

There are two types of permissions:

  • Mamori Server level permissions
  • Resource permissions

Permissions are granted to a user or role via their respective editors.

Interesting feature

Mamori database resource permissions can further restrict the database permissions granted by a database credential. For example, if a user connects with a DBA credential but is granted only SELECT in Mamori, then the user will only be able to select. Mamori grants narrow what the credential allows; they cannot add privileges the credential itself lacks.

This allows admins to define workload-specific database access without having to create special credentials and roles in the target databases.

Mamori users

Common questions

If I have integrated a directory, do I need to manually add directory users to Mamori?

No. By default, if a login authenticates against the AD configured in the authentication chain, that user is logged in. This default behaviour can be changed to allow only directory users you have added manually, or who are members of a specific directory group.

When should I create a Mamori user?

  • When you don't have a corporate directory like AD, Azure AD, Okta or DUO.
  • When you need an access account but don't want to add it to your corporate directory.

Can I use both Mamori users and directory users?

Yes, as long as the login names are unique.

Add a user

Click Users

Click the add button

Next, enter the details in the user dialog: login id, email, password and user profile

Click Create

Enter the role grants and other permissions

Click Update

User Password Policies

Administrators can specify the security policies for Mamori user passwords.

The values listed here are configurable per installation. Each entry gives the policy name, its range of potential values, and its meaning. A value of 0 disables the policy.

failed_attempts_limit (0-100)
  The number of consecutive failed login attempts before a user account is placed into a locked state.

password_history_lockout (0-100)
  The number of recent passwords which the user cannot re-use when specifying a new password. For example, if this value is set to '2', the user cannot re-use their previous 2 passwords.

password_length_minimum (0-100)
  The minimum number of characters for a user password. This value must be less than or equal to password_length_maximum, or disabled by specifying "0". If this policy is disabled, the minimum password length defaults to the Mamori minimum length.

password_length_maximum (0-100)
  The maximum number of characters for a user password. This value must be greater than or equal to password_length_minimum, or disabled by specifying "0". If this policy is disabled, the maximum password length defaults to the Mamori maximum length.

password_lower_case_minimum (0-100)
  The minimum number of lowercase letters required in a user password. If this policy is disabled, no lowercase letters will be required.

password_upper_case_minimum (0-100)
  The minimum number of uppercase letters required in a user password. If this policy is disabled, no uppercase letters will be required.

password_punctuation_minimum (0-100)
  The minimum number of special characters required in a user password. If this policy is disabled, no special characters will be required. When enabled or required, the supported special characters are

password_numeral_minimum (0-100)
  The minimum number of numerical digits required in a user password. If this policy is disabled, no digits will be required.

password_character_type_minimum (0-4)
  The minimum number of character types (lowercase, uppercase, punctuation and numeral) which must be included in a user password. For example, if this value is set to '2', the password must include at least two of the four types. If this policy is disabled, users will not be required to include a minimum number of character types unless each type is required individually.

password_expiration_days (0-1000)
  The number of days after their current password was created at which the user is automatically required to create a new password. If this policy is disabled, users will not be required to change their password at any interval.

MSQL Syntax

-- See the existing policy values
SELECT * FROM SYS.SYSPOLICIES

-- Alter one or more policy options
ALTER POLICY type SET OPTIONS ( policy_name 'newValue' [, policy_name2 'newValue2' ]);

Arguments

  • type: the policy type; for the options listed above this is PASSWORD.
  • policy_name: one of the policy names listed in the table above.
  • newValue: the value to assign to policy_name, given as a quoted string within the range listed for that policy.

Example

ALTER POLICY PASSWORD SET OPTIONS ( password_expiration_days '10', password_character_type_minimum '2', failed_attempts_limit '5');
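The policy options above compose: a password must satisfy the length bounds, every per-type minimum, the character-type count and the history lockout at the same time, and a 0 switches an option off. The model below, added here as an example and not Mamori's own implementation, encodes those semantics so an administrator can try a candidate policy against sample passwords before applying it with ALTER POLICY PASSWORD. The sample policy values are constructed, and because the page does not list the supported special characters the model assumes ASCII punctuation.

```python
"""Reference model of the Mamori password policy options listed above.

Added example: this is not Mamori's own code. It encodes the semantics the
table describes (0 disables an option, per-type minimums, character-type
count, history lockout, failed-attempt lockout, expiry).
"""
import string
from datetime import date, timedelta

# Assumption: the page does not list the supported special characters, so
# this model treats ASCII punctuation as the special-character set.
PUNCTUATION = set(string.punctuation)

# Constructed sample policy (values an admin might set with ALTER POLICY).
SAMPLE_POLICY = {
    "failed_attempts_limit": 5,
    "password_history_lockout": 2,
    "password_length_minimum": 12,
    "password_length_maximum": 0,       # 0 = disabled, Mamori maximum applies
    "password_lower_case_minimum": 1,
    "password_upper_case_minimum": 1,
    "password_punctuation_minimum": 0,  # 0 = no special characters required
    "password_numeral_minimum": 1,
    "password_character_type_minimum": 3,
    "password_expiration_days": 90,
}

def policy_is_consistent(policy):
    """Minimum length must be <= maximum length unless either is disabled (0)."""
    lo, hi = policy["password_length_minimum"], policy["password_length_maximum"]
    return lo == 0 or hi == 0 or lo <= hi

def password_violations(password, policy, previous_passwords=()):
    """Return the names of the policy options the candidate password violates.

    previous_passwords is ordered oldest to newest; only the most recent
    password_history_lockout entries are compared. A real implementation
    would compare stored hashes, not plaintext.
    """
    if not policy_is_consistent(policy):
        raise ValueError("password_length_minimum exceeds password_length_maximum")
    counts = {
        "password_lower_case_minimum": sum(c.islower() for c in password),
        "password_upper_case_minimum": sum(c.isupper() for c in password),
        "password_punctuation_minimum": sum(c in PUNCTUATION for c in password),
        "password_numeral_minimum": sum(c.isdigit() for c in password),
    }
    violations = []
    length = len(password)
    if policy["password_length_minimum"] and length < policy["password_length_minimum"]:
        violations.append("password_length_minimum")
    if policy["password_length_maximum"] and length > policy["password_length_maximum"]:
        violations.append("password_length_maximum")
    for name, count in counts.items():
        if policy[name] and count < policy[name]:
            violations.append(name)
    types_present = sum(1 for count in counts.values() if count > 0)
    required_types = policy["password_character_type_minimum"]
    if required_types and types_present < required_types:
        violations.append("password_character_type_minimum")
    history = policy["password_history_lockout"]
    if history and password in list(previous_passwords)[-history:]:
        violations.append("password_history_lockout")
    return violations

def password_expired(created_on, today, policy):
    """True once password_expiration_days have elapsed since the password was set."""
    days = policy["password_expiration_days"]
    return bool(days) and today >= created_on + timedelta(days=days)

class LoginAttempts:
    """Tracks consecutive failures and locks the account at failed_attempts_limit."""
    def __init__(self, policy):
        self.limit = policy["failed_attempts_limit"]
        self.failed = 0
        self.locked = False

    def record(self, success):
        """Record one attempt; returns True only for a successful login on an unlocked account."""
        if self.locked:
            return False
        if success:
            self.failed = 0
            return True
        self.failed += 1
        if self.limit and self.failed >= self.limit:
            self.locked = True
        return False

if __name__ == "__main__":
    print(password_violations("Tr0ub4dor&3", SAMPLE_POLICY))
    print(password_violations("Correct-Horse-Battery-9", SAMPLE_POLICY))
    print(password_expired(date(2023, 1, 1), date(2023, 4, 1), SAMPLE_POLICY))
```

Note that password_character_type_minimum is checked independently of the per-type minimums, exactly as the table describes: a policy with all per-type minimums at 0 but a type minimum of 3 still rejects a single-class password.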


Mamori Roles

Mamori roles are containers for Mamori and resource permissions, and can be permanently or temporarily granted to a user or to another role.

Roles can be granted:

  • by a Mamori admin
  • by an on-demand resource access policy
  • automatically, when the role is linked (via its External Name) to a directory group that the logged-in user is a member of

Add a role

Click Roles

Click the add button

Next, enter the details in the role dialog:

Role Id
  The role's unique identifier.

External Name
  A directory group name or DN, e.g. CN=ADGroupTest,CN=Users,DC=mamori,DC=io. Users who are members of this group are granted the role automatically when they log in.

Priority
  When a user has multiple roles providing conflicting policies on the same target, the highest priority (lowest number) takes precedence.

Click Create

Enter the role grants and other permissions

Click Update

Grant roles to users

Click Roles

Click Change Assigned Users in the grid menu for the role

Select users

Grant roles to roles

Click Roles

Click Change Assigned Roles in the grid menu for the role

Select roles
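The three things this section describes, roles granted to other roles, roles granted automatically through a directory group named in External Name, and priority deciding between roles that set conflicting policies on the same target, together determine what a login can actually do, and the Interesting feature section above adds that the result can only narrow the database credential's own privileges. The model below is an added example and not Mamori's code: it computes the effective role set (safely even if role-to-role grants form a cycle), resolves a policy conflict by lowest priority number, and intersects the Mamori grants with the credential's privileges. The roles, grants, the policy value shape (a target mapped to a value) and the DN sample are constructed; the case-insensitive DN comparison and the tie-break on role id are assumptions.

```python
"""Model of Mamori role inheritance, directory-linked roles and priority resolution.

Added example, not Mamori's own code. It models the behaviour described on this
page: roles are containers of grants, can be granted to users or to other roles,
are granted automatically when the role's External Name matches a directory group
the user belongs to, and when several roles set conflicting policies on the same
target the role with the highest priority (lowest number) wins. Mamori grants can
only narrow what the database credential already allows.
"""
from dataclasses import dataclass, field

@dataclass
class Role:
    role_id: str
    priority: int                                    # lower number = higher precedence
    grants: set = field(default_factory=set)         # resource permissions, e.g. {"SELECT"}
    policies: dict = field(default_factory=dict)     # target -> policy value (assumed shape)
    granted_roles: set = field(default_factory=set)  # roles granted to this role
    external_name: str = ""                          # linked directory group DN, if any

# Constructed sample roles; the DN is the page's own example group.
ROLES = {
    "readonly": Role("readonly", 100, {"SELECT"}, {"hr.salaries": "mask"},
                     external_name="CN=ADGroupTest,CN=Users,DC=mamori,DC=io"),
    "analyst": Role("analyst", 10, {"INSERT"}, {"hr.salaries": "reveal"}, {"readonly"}),
    "ops": Role("ops", 50, {"UPDATE"}, granted_roles={"analyst"}),
}

def roles_at_login(roles, manual_grants, directory_groups):
    """Direct roles for a login: admin-granted roles plus roles linked to the user's groups.

    Assumption: DN comparison is case-insensitive, as LDAP DNs usually are.
    """
    groups = {g.casefold() for g in directory_groups}
    linked = {r.role_id for r in roles.values()
              if r.external_name and r.external_name.casefold() in groups}
    return set(manual_grants) | linked

def effective_roles(roles, direct_roles):
    """Transitive closure over role-to-role grants; terminates even if grants form a cycle."""
    seen, stack = set(), list(direct_roles)
    while stack:
        role_id = stack.pop()
        if role_id in seen:
            continue
        seen.add(role_id)
        stack.extend(roles[role_id].granted_roles)
    return seen

def effective_grants(roles, direct_roles):
    """Union of the grants held by every effective role."""
    return set().union(*(roles[r].grants for r in effective_roles(roles, direct_roles)))

def resolve_policy(roles, direct_roles, target):
    """Policy applied to target when several roles set one: lowest priority number wins.

    Equal priorities are not defined by the page; this model breaks ties by role id
    so the result is deterministic.
    """
    candidates = [(roles[r].priority, r) for r in effective_roles(roles, direct_roles)
                  if target in roles[r].policies]
    if not candidates:
        return None
    _, winner = min(candidates)
    return roles[winner].policies[target]

def effective_db_permissions(credential_privileges, roles, direct_roles):
    """Mamori grants restrict the credential's privileges; they never add to them."""
    return set(credential_privileges) & effective_grants(roles, direct_roles)

if __name__ == "__main__":
    direct = roles_at_login(ROLES, {"ops"}, ["cn=adgrouptest,cn=users,dc=mamori,dc=io"])
    print(sorted(effective_roles(ROLES, direct)))
    print(resolve_policy(ROLES, direct, "hr.salaries"))
    dba = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP"}
    print(sorted(effective_db_permissions(dba, ROLES, direct)))
```

Run with a DBA credential, a user holding only ops ends up with SELECT, INSERT and UPDATE (never DELETE or DROP), and the analyst role's priority 10 beats readonly's 100 on hr.salaries; the same user connecting with a read-only credential is limited to SELECT regardless of the Mamori grants.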

Updated at Fri, May 19, 2023