A mamori role allows you to centrally manage mamori server privileges and privileges to pre-configured databases, SSH and SFTP users.

Roles can be granted to:

  • Existing roles
  • mamori users
  • LDAP and Azure-AD users who have logged into the mamori server portal
  • Directory service groups by specifying the External group or Distinguished name

Mamori server comes with pre-configured roles which cannot be edited:

  • PUBLIC which is granted to all users to allow them to log in to the mamori server portal.
  • ADMINISTRATOR which grants all mamori server privileges via ALL PRIVILEGES.

Direct database credentials

Grant database credentials to any database you’ve added to mamori server.

These credentials behave as if the user is logging in directly to the database.

You can choose to manage privileges on the database, or use mamori Object Privileges to take advantage of additional features.

Object privileges

Object privileges depend on Direct Credentials on the datasource, and can be granted on Datasources, Databases, Schemas and Objects.

Click Create data policy to learn how to secure column data.

You can restrict the use of Object Privileges:

  • with time and date limits,
  • by specifying the maximum number of rows returned, and
  • adding a WHERE clause to limit results.

Datasource/Database privileges

Four privileges can be granted.

ALTER RESULT SET is used with Database Policies. Click Result Sets to learn more.

Meanwhile, PASSTHROUGH has three variations.

Privilege              Description
PASSTHROUGH            Execute native SQL statements without limits.
MASKED PASSTHROUGH     Applies masking rules where possible; if a rule cannot be applied, the statement executes anyway.
PROTECTED PASSTHROUGH  Applies masking rules and fails the statement if it cannot be proved safe to execute.

PASSTHROUGH privileges affect data security and should be granted sparingly.
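Because roles can be granted to other roles (see the list above), a user's effective privileges are the union over the whole chain of nested roles, which makes it easy to hand out PASSTHROUGH without noticing. The following added example (not Mamori's own code; the role names, users and object names are constructed sample data) models that resolution and audits which users end up with any PASSTHROUGH variant:

```python
from collections import deque

# Constructed sample role graph (hypothetical data, not from the page).
# ROLE_GRANTS: role -> roles granted to it.  ROLE_PRIVS: role -> (privilege, target).
# As the page states, PUBLIC is granted to everyone and ADMINISTRATOR carries ALL PRIVILEGES.
ROLE_GRANTS = {
    "PUBLIC": set(),
    "ADMINISTRATOR": set(),
    "reporting_reader": set(),
    "analyst": {"reporting_reader"},
    "dba_oncall": {"analyst"},
}
ROLE_PRIVS = {
    "PUBLIC": {("LOGIN", "mamori portal")},
    "ADMINISTRATOR": {("ALL PRIVILEGES", "mamori")},
    "reporting_reader": {("SELECT", "sales.orders")},
    "analyst": {("WEB SQL EDITOR", "mamori")},
    "dba_oncall": {("PASSTHROUGH", "sales datasource")},
}
USER_GRANTS = {"alice": {"analyst"}, "bob": {"dba_oncall"}, "carol": set()}

PASSTHROUGH_VARIANTS = {"PASSTHROUGH", "MASKED PASSTHROUGH", "PROTECTED PASSTHROUGH"}


def effective_roles(user):
    """Transitive closure of the roles a user holds; PUBLIC is implicit for every user."""
    seen = {"PUBLIC"}
    queue = deque(USER_GRANTS.get(user, set()))
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        queue.extend(ROLE_GRANTS.get(role, set()))  # follow role-to-role grants
    return seen


def effective_privileges(user):
    """Union of the privileges carried by every role the user effectively holds."""
    privs = set()
    for role in effective_roles(user):
        privs |= ROLE_PRIVS.get(role, set())
    return privs


def passthrough_holders():
    """Audit helper: users who obtain any PASSTHROUGH variant, directly or via nesting."""
    return sorted(user for user in USER_GRANTS
                  if any(p in PASSTHROUGH_VARIANTS for p, _ in effective_privileges(user)))
```

Running passthrough_holders() on this sample flags only bob, whose PASSTHROUGH comes from dba_oncall, while alice inherits SELECT on sales.orders through analyst without it.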

Schema privileges

CREATE TABLE can be granted on any schema and used with object privileges on that table.

Table privileges

Grantable table privileges are:

  • SELECT
  • DELETE
  • INSERT
  • UPDATE
  • ALTER TABLE
  • DROP TABLE
  • TRUNCATE TABLE

Direct privileges

Two mamori server privileges may be of use to users granted Direct datasource credentials and object privileges.

  • WEB SQL EDITOR and WEB EXPORT DATA allow your users to run SQL queries through the mamori server portal.

  • ALL PRIVILEGES grants all mamori privileges, which include a SQL editor.

These editors depend upon grants of Direct datasource credentials and object privileges.

Encryption keys

Grant encryption keys to allow users to decrypt columns protected by Data Policies.

Click Add Encryption Keys to learn more.

Data Policies

Grant a Data Policy to protect column data from misuse. To avoid data leakage, mamori server hides SQL statement results that include masked columns.

Click Data policy to learn more.

Requirements

To complete this guide, your user will need one or more of the following mamori server privileges:

  • ALL PRIVILEGES - all privileges to mamori server
  • CREATE ROLE - create a mamori role

These privileges are granted automatically to Administrators.

You’ll need your directory service External Group or Distinguished Name to grant roles to LDAP or Azure-AD user groups.

Next step

Click Next to create or edit a role.