Mamori Users & Roles
Overview
Mamori comes with a built-in directory that provides users, roles and permissions.
Permissions
There are two types of permissions:
- Mamori Server level permissions
- Resource permissions
Permissions are granted to a user or role via their respective editors.
Mamori database resource permissions can further restrict the database permissions granted by a database credential. For example, if a user connects with a DBA credential but is only granted SELECT in Mamori, then the user will only be able to select.
This allows admins to define workload specific database access without having to create special credentials and roles in the target databases.
Mamori users
Common questions
If I have integrated a directory do I need to manually add directory users to Mamori?
No, by default if a login authenticates against the configured AD in the authentication chain, then that user is logged in. This default behavior can be changed to only allow directory users you have added manually or are in a specific Directory Group.
When should I create a Mamori user?
- When you don't have a corporate directory like AD, Azure AD, Okta or DUO.
- When you need an access account but don't want to add it to your corporate directory.
Can I use both Mamori users and directory users?
Yes, as long as the login names are unique.
Add a user
Click Users
Click
Next, enter the details in the user dialog:
login id, email, password and user profile
Click Create
Enter the role grants and other permissions
Click Update
User Password Policies
Administrators can specify the security policies for Mamori user passwords.
The values listed here are configurable per installation:
Policy Name | Description | Potential Values |
---|---|---|
failed_attempts_limit | The number of consecutive failed login attempts before a user account is placed into a locked state. | 0-100 |
password_history_lockout | The number of recent passwords which the user cannot use when specifying a new password. For example, if this value is set to '2', then the user cannot re-use their previous 2 passwords. | 0-100 |
password_length_minimum | The minimum number of characters for a user password. This value must be less than or equal to password_length_maximum, or disabled by specifying "0". If this policy is disabled, the minimum password length defaults to the Mamori minimum length. | 0-100 |
password_length_maximum | The maximum number of characters for a user password. This value must be greater than or equal to password_length_minimum, or disabled by specifying "0". If this policy is disabled, the maximum password length defaults to the Mamori maximum length. | 0-100 |
password_lower_case_minimum | The minimum number of lowercase letters required in a user password. If this policy is disabled, no lowercase letters will be required. | 0-100 |
password_upper_case_minimum | The minimum number of uppercase letters required in a user password. If this policy is disabled, no uppercase letters will be required. | 0-100 |
password_punctuation_minimum | The minimum number of special characters required in a user password. If this policy is disabled, no special characters will be required. When enabled or required, the supported special characters are | 0-100 |
password_numeral_minimum | The minimum number of numerical digits required in a user password. If this policy is disabled, no digits will be required. | 0-100 |
password_character_type_minimum | The minimum number of character types (lowercase, uppercase, punctuation, and numeral) which must be included in a user password. For example, if this value is set to '2', then the password must include at least two of the four types. If this policy is disabled, users will not be required to include a minimum number of character types unless each type is required individually. | 0-4 |
password_expiration_days | The number of days after their current password was created at which the user is automatically required to create a new password. If this policy is disabled, users will not be required to change their password at any interval. | 0-1000 |
MSQL Syntax
-- SEE EXISTING
SELECT * FROM SYS.SYSPOLICIES
-- ALTER POLICY
ALTER POLICY type SET OPTIONS ( policy_name 'newValue' [, policy_name2 'newValue2' ]);
Arguments
- newValue: the value to assign to policy_name.
- policy_name: one of the policy names listed in the table above.
Example
ALTER POLICY PASSWORD SET OPTIONS ( password_expiration_days '10', password_character_type_minimum '2', failed_attempts_limit '5');
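The following is an added example (not Mamori's own code) that applies the password policy semantics from the table above to a candidate password: "0" disables an option, the length minimum must not exceed the maximum, the per-type minimums are checked individually, and password_character_type_minimum counts how many of the four types are present. The Mamori default length bounds and the supported punctuation set are not stated on the page, so the values used here are assumptions.

```python
import string
from dataclasses import dataclass

# Assumptions: the page does not state Mamori's built-in length bounds
# or the supported special-character set, so these are placeholders.
DEFAULT_MIN_LEN = 8
DEFAULT_MAX_LEN = 128
PUNCTUATION = set(string.punctuation)


@dataclass
class PasswordPolicy:
    # Field names match the policy names from the table; 0 disables an option.
    password_length_minimum: int = 0
    password_length_maximum: int = 0
    password_lower_case_minimum: int = 0
    password_upper_case_minimum: int = 0
    password_punctuation_minimum: int = 0
    password_numeral_minimum: int = 0
    password_character_type_minimum: int = 0
    password_history_lockout: int = 0


def check_password(pw: str, policy: PasswordPolicy, history=()) -> list:
    """Return the names of violated policies (empty list means acceptable)."""
    failures = []
    lo = policy.password_length_minimum or DEFAULT_MIN_LEN
    hi = policy.password_length_maximum or DEFAULT_MAX_LEN
    if lo > hi:  # the table requires minimum <= maximum when both are enabled
        raise ValueError("password_length_minimum must be <= password_length_maximum")
    if len(pw) < lo:
        failures.append("password_length_minimum")
    if len(pw) > hi:
        failures.append("password_length_maximum")
    counts = {  # how many characters of each type the candidate contains
        "password_lower_case_minimum": sum(c.islower() for c in pw),
        "password_upper_case_minimum": sum(c.isupper() for c in pw),
        "password_punctuation_minimum": sum(c in PUNCTUATION for c in pw),
        "password_numeral_minimum": sum(c.isdigit() for c in pw),
    }
    for name, have in counts.items():  # each type is enforced individually
        if getattr(policy, name) and have < getattr(policy, name):
            failures.append(name)
    types_present = sum(1 for have in counts.values() if have > 0)
    if policy.password_character_type_minimum and types_present < policy.password_character_type_minimum:
        failures.append("password_character_type_minimum")
    n = policy.password_history_lockout  # the previous n passwords may not be reused
    if n and pw in list(history)[-n:]:
        failures.append("password_history_lockout")
    return failures
```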
Mamori Roles
Mamori roles are containers for Mamori and resource permissions, and can be permanently or temporarily granted to a user or another role.
Roles can be granted:
- by a Mamori admin
- by an on-demand resource access policy
- automatically, when a role is linked to a directory group that the currently logged-in user is a member of
Add a role
Click Roles
Click
Next, enter the details in the role dialog:
Field | Description |
---|---|
Role Id | Role unique identifier |
External Name | A directory group name or CN, e.g. CN=ADGroupTest,CN=Users,DC=mamori,DC=io |
Priority | When a user has multiple roles providing conflicting policies on the same target, the highest priority (lowest number) takes precedence |
Click Create
Enter the role grants and other permissions
Click Update
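As an added example (not Mamori's own code), the following resolves the conflict rule from the role dialog above: when several of a user's roles carry policies for the same target, the role with the lowest priority number wins. Role ids, targets and policy labels are constructed; the page does not say how equal priorities are broken, so this example keeps the first policy seen at that priority.

```python
def effective_policies(user_roles: dict, role_policies: list) -> dict:
    """Pick the winning policy per target across a user's roles.

    user_roles:    role_id -> priority (lower number = higher priority, per the role dialog)
    role_policies: (role_id, target, policy) tuples granted through roles
    Returns target -> (policy, role_id) for the role that takes precedence.
    """
    winners = {}  # target -> (priority, policy, role_id)
    for role_id, target, policy in role_policies:
        if role_id not in user_roles:
            continue  # policy belongs to a role this user does not hold
        prio = user_roles[role_id]
        current = winners.get(target)
        # Assumption: ties keep the first policy seen; the page does not define tie-breaking.
        if current is None or prio < current[0]:
            winners[target] = (prio, policy, role_id)
    return {t: (p, r) for t, (_, p, r) in winners.items()}
```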
Grant roles to users
Click Roles
Click on Change Assigned Users grid menu for the role
Select users
Grant roles to roles
Click Roles
Click on Change Assigned Roles grid menu for the role
Select roles