Access to dbWatch is controlled through operators. Operators have a password and a set of privileges on dbWatch.
How to get here
The operator configuration view can be accessed by clicking on Operators on the main toolbar.
Operators main view
The operators view consists of two main parts. A tree view on the left and a details view on the right, showing information about the selected element in the tree.
When a dbWatch Server is selected you will see two sections on the right. Secured areas and Secured access. Secured areas typically define if adding or removing certain entity types are allowed, and Secured access define what entities the user has access to.
The areas that can be secured are:
- Instance system : If this is selected users will not be allowed to add or remove instances unless they have privileges on the dbw_instance_system object set.
- Security system : If this is selected users will not be allowed to add or remove users, rights or roles unless they have privileges on the dbw_security_system object set.
- Tasks system : If this is selected users will not be allowed to create or edit the task specifications unless they have privileges on the dbw_tasks_system object set.
- Reports system : If this is selected users will not be allowed to create or edit report specifications or schedule reports unless they have privileges on the dbw_report_system object set.
- Resource system : If this is selected users will not be allowed to upload resource files unless they have privileges on the dbw_adminSpec_system object set.
- Group system : If this is selected users will not be allowed to add, edit or delete groups unless they have privileges on the dbw_group_system object set.
- Extension system : If this is selected users will not be allowed to enable or disable extensions unless they have privileges on the dbw_extention_system object set.
Currently the entity types that can have restricted access is:
- Instances : If this is selected dbWatch will only make available the instances that the user has privileges on.
- Object set : If this is selected dbWatch will only make available the object sets that the user has privileges on.
The concepts used in the dbWatch access control systems are:
In order to connect to the dbWatch Server you have to identify yourself as a user. (This is a dbWatch user, and is not related to the database user or the OS user). You will typically want to define one user for each person that will use dbWatch.
A user has a username and password. In addition to this there are two properties defining if an empty password is allowed and if the user is required to change his/her password when they first connect (you typically want to require this when creating a new user).
A user has a set of grants defining what rights the user has on the entities in dbWatch.
There are 3 “atomic” rights that can be defined in dbWatch (these are familiar to the file rights in a *nix operating system).
- read : The user can view the entity (but not modify)
- write : The user can modify the entity
- execute : The user can execute the entity (or something on the entity).
A role is set of rights (and potentially other roles), that can be optionaly defined on object sets.
Objects Sets define a collection of entities in dbWatch that can be granted rights and roles on, or simply used to group entities together.
These sets are defined using DBWQL.
In a clean dbWatch installation there are 4 predefined object sets:
- Default Management : This defines the management specification files that are used to generate the functionallity under the management tab.
- Development instances : Contains all the instances in the Development group
- Production instances : Contains all the instances in the Production group
- Test instances : Contains all the instances in the Test group
The last 3 are primarily there as an example of how you can use object sets to group entities based on their properties.
Internal Object sets
There are a number of special internal object sets that are always available. They are used by the security system.
A selection of the most important being:
- dbw_all_instances : An object set containing all the defined instances
- dbw_all_users : An object set containing all the defined users
- dbw_all_roles : An object set containing all the roles
- dbw_all_lists : An object set containing all the defined object sets
Following is an example of how to set up a particular security scheme.
- I have a consultant coming in to do some work on our Oracle instances. I want to create a user for him so that he can only modify the Oracle instances.
We now have a user “consultant” with the “Consultant role” (read, write, execute rights) on all Oracle instances.
The system is very flexible and it is possible to set this up without creating the role, but by simply assigning the rights directly onto the object set for the user. However using roles is recommended as it gives a very readable and reusable setup.