A mamori role lets you centrally manage mamori server privileges and access to pre-configured databases, SSH users and SFTP users.
Roles can be granted to:
- Existing roles
- mamori users
- LDAP and Azure-AD users who have logged into the mamori server portal
- Directory service groups by specifying the External group or Distinguished name
Mamori server comes with pre-configured roles which cannot be edited:
- PUBLIC, which is granted to all users so that they can log in to the mamori server portal.
- ADMINISTRATOR, which grants all mamori server privileges via ALL PRIVILEGES.
Direct database credentials
Grant database credentials to any database you’ve added to mamori server.
These credentials behave as if the user were logging in directly to the database.
You can choose to manage privileges on the database, or use mamori Object Privileges to take advantage of additional features.
Object privileges depend on Direct Credentials on the datasource, and can be granted on Datasources, Databases, Schemas and Objects.
Click Create data policy to learn how to secure column data.
You can restrict the use of Object Privileges:
- with time and date limits,
- by specifying the maximum number of rows returned, and
- adding a WHERE clause to limit results.
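The three restrictions above are easiest to understand by seeing how a SQL proxy could enforce them. The following Python is an added illustrative model written for this page, not mamori's code; the `ObjectPrivilege` class, the `customers` table and its rows are constructed assumptions. It contrasts a weak enforcer that simply appends the WHERE clause to the user's statement (which a user-supplied `OR 1=1` defeats) with one that substitutes the granted table with a filtered subquery, checks the time window and caps rows by wrapping the whole statement.

```python
import re
import sqlite3
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed sample data for this example (not from the page).
ROWS = [
    (1, "Ada",  "EU", "ada@example.org"),
    (2, "Bob",  "US", "bob@example.org"),
    (3, "Chen", "EU", "chen@example.org"),
    (4, "Dana", "US", "dana@example.org"),
]


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for a datasource behind the proxy."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers(id INTEGER, name TEXT, region TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    return db


@dataclass(frozen=True)
class ObjectPrivilege:
    """Hypothetical SELECT privilege on one table carrying the three restrictions
    the page lists: a time-of-day window, a row cap and a mandatory WHERE clause."""
    table: str
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    max_rows: Optional[int] = None
    where: Optional[str] = None


class PrivilegeDenied(Exception):
    pass


_FROM = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def enforce_naive(priv: ObjectPrivilege, sql: str) -> str:
    """Weak enforcement: glue the policy predicate onto the user's text.
    'OR 1=1' in the user's WHERE clause makes the appended AND term irrelevant."""
    if priv.where:
        joiner = " AND " if re.search(r"\bWHERE\b", sql, re.IGNORECASE) else " WHERE "
        sql = sql + joiner + priv.where
    return sql


def enforce(priv: ObjectPrivilege, sql: str, now: time) -> str:
    """Hardened enforcement: deny outside the window, replace the granted table
    with a filtered subquery (so the user's predicate runs on top of the policy
    predicate, not beside it) and cap rows by wrapping the whole statement."""
    if not (priv.start <= now <= priv.end):
        raise PrivilegeDenied(f"outside permitted window {priv.start}-{priv.end}")
    stmt = sql.strip().rstrip(";")
    if ";" in stmt or not stmt.upper().startswith("SELECT"):
        raise PrivilegeDenied("only a single SELECT statement is modelled")
    m = _FROM.search(stmt)
    if not m or m.group(1).lower() != priv.table.lower():
        raise PrivilegeDenied("statement does not read the granted object")
    if priv.where:
        filtered = f"(SELECT * FROM {priv.table} WHERE {priv.where}) AS {priv.table}"
        stmt = stmt[: m.start(1)] + filtered + stmt[m.end(1):]
    if priv.max_rows is not None:
        stmt = f"SELECT * FROM ({stmt}) AS _capped LIMIT {priv.max_rows}"
    return stmt


def demo() -> dict:
    """Run both enforcers against the same grant and return what each lets through."""
    db = open_db()
    # Grant: customers, 09:00-17:00, at most 10 rows, EU rows only.
    priv = ObjectPrivilege("customers", time(9, 0), time(17, 0), max_rows=10, where="region = 'EU'")
    attack = "SELECT name FROM customers WHERE region = 'US' OR 1=1"
    out = {}
    out["naive_rows"] = len(db.execute(enforce_naive(priv, attack)).fetchall())
    out["hardened_names"] = sorted(r[0] for r in db.execute(enforce(priv, attack, time(10, 0))))
    capped = ObjectPrivilege("customers", max_rows=1)
    out["capped_rows"] = len(db.execute(enforce(capped, "SELECT name FROM customers", time(10, 0))).fetchall())
    try:
        enforce(priv, attack, time(22, 0))
        out["after_hours"] = "allowed"
    except PrivilegeDenied:
        out["after_hours"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

With the EU-only grant, the naive enforcer returns all four rows to the `OR 1=1` query, while the subquery substitution returns only Ada and Chen; the same grant refuses the statement at 22:00, and a one-row cap limits an unrestricted SELECT to a single row. The point to take away is that a WHERE restriction is only as strong as the place it is applied: it must wrap the object, not be concatenated to the user's predicate.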
Four privileges can be granted.
ALTER RESULT SET is used with Database Policies. Click Result Sets to learn more.
Meanwhile, PASSTHROUGH has three variations.
| Privilege | Behaviour |
|---|---|
| PASSTHROUGH | Executes native SQL statements without limits. |
| MASKED PASSTHROUGH | Applies masking rules where possible; if a rule cannot be applied, the statement is executed anyway. |
| PROTECTED PASSTHROUGH | Applies masking rules and fails the statement if it cannot be proved safe to execute. |
PASSTHROUGH privileges affect data security and should be granted sparingly. Of the three, only PROTECTED PASSTHROUGH fails closed: plain PASSTHROUGH applies no masking at all, and MASKED PASSTHROUGH still executes a statement when a masking rule cannot be applied, so data the rule was meant to mask can be returned unmasked.
CREATE TABLE can be granted on any schema and used with object privileges on that table.
Grantable table privileges are:
- ALTER TABLE
- DROP TABLE
- TRUNCATE TABLE
Two mamori server privileges may be of use to users granted Direct datasource credentials and object privileges.
WEB SQL EDITOR and WEB EXPORT DATA allow your users to run SQL queries, and export data, through the mamori server portal.
ALL PRIVILEGES grants all mamori privileges, which include the SQL editor.
These editors only work for a user who has also been granted Direct datasource credentials and object privileges on the datasource.
Grant encryption keys to allow users to decrypt columns protected by Data Policies.
Click Add Encryption Keys to learn more.
Grant a Data Policy to protect column data from misuse. To avoid data leakage, mamori server hides SQL statement results that include masked columns.
Click Data policy to learn more.
To complete this guide your user will need one or more of the following mamori server privileges:
- ALL PRIVILEGES - all privileges to mamori server
- CREATE ROLE - create a mamori role
These privileges are granted automatically to Administrators.
You’ll need your directory service External Group or Distinguished Name to grant roles to LDAP or Azure-AD user groups.
Click Next to create or edit a role.