Role Based Access Control
For Premium-tier organizations, Database Performance Monitor allows restricting user access to data based on roles assigned to teams. This approach is generally referred as Role-based-access-control (RBAC).
Before reading more about RBAC, if you aren’t familiar with how environments and teams work, please make sure you check out the Environments & Teams documentation.
Roles
A Role is a set of actions (or “privileges”) that is granted to a user in a certain context. For example, a role of Read-Only in the “Production” environment grants read access to a user for all non-sensitive data in the environment.
Roles are assigned exclusively to teams. In order to have a user affected by a certain role we must make that user a member of a team for which this role has been assigned to.
Roles are assigned at two levels:
- at the organization level, where we assign a role to a team in a more general way
- at the environment level, where we assign a role to a specific environment-team pair, thus making it specific to the environment at hand.
By assigning a role to a team at the organization level (click on “Settings” and then “Teams” under the “Organization Settings” section) you are controlling the default privileges on that team. These actions include things like adding users to your organization, inviting people to a team, managing teams, or creating new environments. (See section “Privileges” below for a detailed list).
By assigning a role to an environment-team pair you can override the default role of a team and grant specific privileges on a per environment basis. To do so select the environment you want to affect in the upper left corner of the UI, then click in “Settings” and then “Teams” under the “Environment Settings” section. For example: if a team of “Developers”, has access to both “Production” and “Staging” environments, you may grant full access to the “Staging” environment, but only read access to the “Production” environment.
Privileges
There are currently four roles available:
- Owner
- Read-Write
- Read-Only (with samples)
- Read-Only
The Owner role grants full access to an organization. This role is special, and cannot be assigned to teams other than Owners.
The Read-Write role allows users to do things such as update host credentials, add new hosts, and view query samples. It does not allow users to modify user access to an environment.
The Read-Only (with samples) role removes sensitive information, such as credentials and API tokens, but raw query samples are available.
The Read-Only role only grants the privilege of looking at reports in DPM. No sensitive information, such as host credentials, query samples, or API tokens, can be accessed.
Users may belong to one or many teams. If a user belongs to more than one team, their privileges will add up.
The following is a detailed description of the privileges corresponding to each role. The Read-Write role has all of the permissions of the Read-Only role, and the Owner role has all of the permissions of the Read-Write role.
| env:read | Read actions in the environment, such as requesting metrics |
| acct:licenses:read | Read the number of used/total licenses |
| env:read | Read actions in the environment, such as requesting metrics |
| acct:licenses:read | Read the number of used/total licenses |
| env:samples:read | Read raw query sample data |
| env:write | Update actions in the environment, such as starting or stopping agents |
| env:samples:read | Read raw query sample data |
| env:settings:read | Read the environment settings |
| env:settings:write | Update the environment settings such as hosts credentials |
| acct:licenses:write | Update the number of licenses for the account |
| env:team:add | Add teams to the environment |
| org:config:update | Update organization configuration settings |
| org:env:create | Create new environments in the account |
| org:user:invite | Invite users to the organization |
| org:team:read | Read information about the teams in your account |
| org:team:update | Update the teams |
| org:user:read | Read information about the users of your organization |
| org:user:update | Update the users of your organization |
| acct:cancel | Close the account |
| acct:billing:write | Update the billing configuration of the account |
| acct:auth:update | Update the authentication configuration of the account |
| acct:owner:update | Update the owner of the account |