As a busy database administrator managing and monitoring tens or hundreds of database instances, you are plenty busy enough as it is. While you’re busy with your daily routine, sometimes your manager or developers would ask for your assistance regarding the status of a certain database you’re in charged with. As they were experiencing slow running queries, blocking sessions or deadlocks within the staging environment.
Normally you would have to drop what you are doing in order to help them out, before you can resume with your own tasks again. With dbWatch, you have another time-saving option: You can give restricted or limited access to specific databases or instances, so your manager or developers can check status themselves without having to ask for your help all the time.
dbWatch offers role-based access controls. With this you can create specific roles with very specific and restricted rights to access certain databases and perform certain specific operations. Using the role-based access controls you can grant developers, managers and others the exact rights they need to perform their tasks, but not more than they need. You can limit or secure access to specific databases or instances, and specific operations.
For example, you only want your users to view the monitoring module and select the development group, which you can do by granting the specific role for a specific user.
Here is an example on how to set this up.
We will start by creating a new user.
On top choose Configure under Server Configuration.
Select Manage users and roles
In this window shows the different users, roles and object sets available.
Users are the one who have the right to connect to dbWatch.
Roles in dbWatch define a set of rights that can be granted to users.
While object sets in dbWatch define the objects you can have rights on.
Also, in this window you need to secure areas such as the restriction on various instances within the management and monitoring module, user rights and roles, creation of tasks, customization of reports, customization of server groups, extensions, file access and object sets. by default, the boxes are unchecked meaning all users can have the read, write and execute permission to the areas mentioned.
In order to secure these areas, make sure to check the boxes.
And click apply to save the changes
Currently we’re using the admin user- let’s create a separate user credential for the developers.
Right click on the user’s folder and click add new user
In this window specify your credential.
You can demand a password change on first login and allow empty password if you want.
But in this case, we will set a username – OPSDEV
After creating the new user, we will create a new role.
Under users right click on Roles > choose to add new role
Specify your role name- DevRole
After creating the role, grant permission to the role by clicking add Grant button
Specify the rights for this role by clicking the ellipses
A drop-down box will appear showing the options read, write, execute and administrator rights.
We will grant a read permission for this role.
At the right specify an object set which you will assign the specified read permission on.
For this developer role we will select default monitoring and development instances only.
Click apply to save the changes made to the role.
Go back to the OPSDEV user to assign the DevRole.
Click the add grant button.
Click the ellipses.
A drop down will appear select the DevRole.
Click Apply to save the changes made to the user then click Done.
Let’s use the OPSDEV Credential we’ve created.
At the task bar below right click the server > and choose Change Authentication.
In this window specify the user we’ve created.
Go to management module and if you try to click on an instance and expand it.
A window will appear asking for valid credentials that has permission to access the instances in the management module. Take note that you only have a read access for monitoring of the development server group for the user OPSDEV which we’ve created.
Go to the Monitoring Module.
Let’s select the SQL Express instance.
Choose the database backup task.
Right click and select Run Now.
An error message will appear stating that the user has insufficient privilege. As we’ve only provided the user the read only permission using the DevRole.
We have successfully created a user account for developers with limited access to the monitoring dashboard (Development server group), based on this example you should be able to easily customize and create your own roles based on what we did in this example.
For more information visit: wiki.dbWatch.com