Users and groups
User types and user management
There are three user types in the Delphix user model: the system administrator, the Delphix user, and the Self-service user.
Usernames must start with a letter and contain only alphanumeric characters, hyphens, underscores, and/or periods.
System administrators
System administrator users are responsible for managing the Delphix Engine itself, but not the objects (Environments, dSources, VDBs) within the server. For example, a system administrator is responsible for setting the time on the Delphix Engine and its network address, restarting it, creating new system administrator users (but not Delphix users), and other similar tasks.
A user called sysadmin is the default system administrator user. While this user can be suspended, it may not be deleted. When the Delphix Management application first launches, this user can log in using the username sysadmin and password sysadmin.
To create or modify system administrators, first log in to Delphix Setup and navigate to the Users section of the homepage. Here, you can:
Add new system administrators with the plus sign
Change system administrator passwords with the pencil icon
Delete system administrators with the trashcan icon
Suspend system administrators with the pause button
Reinstate system administrators with the play button
Delphix users
Delphix users are responsible for managing the environments and datasets within Delphix, such as dSources, virtual databases (VDBs), users, groups, and related policies and resources.
A Delphix user can be marked as an Engine Administrator. Engine Administrators have three special privileges:
They can manage other Delphix users
They implicitly have Owner privileges for all Delphix objects
They can create new groups and new environments
The default Delphix user provided with a Delphix Engine is an Engine Administrator and is called admin. Like the sysadmin user, the admin user cannot be deleted. When the Delphix Management application launches, the admin user can log in using the password specified during the initial setup when Delphix was first launched.
Only these two users require password-based authentication. Other users may use other mechanisms such as LDAP or Kerberos, as described in Configuring and managing kerberos and Configuring and using LDAP with the Delphix Engine.
Self-service users
Delphix Self-Service has two types of users: the admin user and the data user.
Admin users have full access to all report data and can configure Delphix Self-Service. Additionally, they can:
Use the Delphix Engine to add/delete users
Change tunable settings
Add/delete tags
Create and assign data templates and containers
Data users have access to production data provided in a data container. The data container provides these users with a playground in which to work with data using the Self-Service Toolbar.
For more information on Self-service users, visit our Self-service documentation.
User privileges for Delphix objects
The user roles on Delphix objects consist of four types, which the Engine Admin user assigns: Provisioner, Owner, Data Operator, and Reader. These privileges apply both to objects, such as dSources and Virtual Databases (VDBs), and to groups, which are containers that hold those objects.
The Engine Administrator user can assign privileges to groups, dSources, and VDBs. Privileges are inherited, meaning that privileges assigned to a group are effective for the dSources and VDBs contained in that group.
If a user does not have a privilege in relation to an object or group, then he or she has no visibility into that object or group.
Roles and Privileges for Delphix Objects
Role | Object privileges | Group privileges |
---|---|---|
Owner | | |
Provisioner | | |
Data Operator | | |
Reader | | |
Self-Service Only | | |
Managing groups
Creating groups helps you manage policies and privileges over objects within that group. When privileges are created for users at the group level, those privileges apply to all objects of that type within the group. When new objects are created or added to the group, the policies and privileges you have created at the group level will be applied to them.
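The inheritance and visibility rules described under "User privileges for Delphix objects" and "Managing groups" can be modelled for an access review, as in the added example below. It is not Delphix code and does not use the Delphix API; the class, method names, and the sample users, groups, and objects are all constructed assumptions.

```python
from collections import defaultdict

ROLES = ("Owner", "Provisioner", "Data Operator", "Reader")  # roles named on this page


class PrivilegeModel:
    """Toy model of role assignments; not the Delphix API or data model."""

    def __init__(self, engine_admins=()):
        self.engine_admins = set(engine_admins)
        self.group_of = {}                      # object name -> group name
        self.group_grants = defaultdict(set)    # (user, group) -> roles
        self.object_grants = defaultdict(set)   # (user, object) -> roles

    def add_object(self, obj, group):
        self.group_of[obj] = group

    def grant(self, user, role, *, group=None, obj=None):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        if (group is None) == (obj is None):
            raise ValueError("grant on exactly one of group or obj")
        if group is not None:
            self.group_grants[(user, group)].add(role)
        else:
            self.object_grants[(user, obj)].add(role)

    def effective(self, user, obj):
        """Return {role: source} for one user on one object."""
        if user in self.engine_admins:
            return {"Owner": "engine-admin"}    # implicit Owner on every object
        group = self.group_of[obj]
        roles = {r: f"group:{group}" for r in self.group_grants.get((user, group), ())}
        roles.update({r: "direct" for r in self.object_grants.get((user, obj), ())})
        return roles

    def visible(self, user):
        """No role on an object or its group means no visibility into it."""
        return sorted(o for o in self.group_of if self.effective(user, o))


# Constructed sample data: two groups, three users.
m = PrivilegeModel(engine_admins={"admin"})
m.add_object("hr_dsource", "HR")
m.add_object("hr_vdb1", "HR")
m.add_object("fin_vdb1", "Finance")
m.grant("alice", "Reader", group="HR")
m.grant("alice", "Owner", obj="hr_vdb1")
m.grant("bob", "Data Operator", obj="fin_vdb1")
m.add_object("hr_vdb2", "HR")   # new object picks up alice's group-level Reader
```

The source label returned by effective() separates direct grants from inherited ones, which is the distinction a reviewer needs when deciding whether a group-level assignment is broader than intended.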
Authentication mechanisms
Delphix supports a variety of authentication mechanisms to connect to several different interfaces and systems. For example, you can connect via the UI using the default users described above, or you can connect to the CLI using an API token.
There are three categories of authentication related to Delphix: the Delphix UI, the Delphix CLI/API, and external systems such as Kerberos access to connected source and target hosts. Below are detailed pages related to each of these three sections:
UI authentication:
Data Control Tower, formerly Central Management
Username and password
LDAP: Directory-based authentication to Delphix engines rather than the default local access
Single Sign-on: Integration and support for identity providers to authenticate users on a per-engine basis using SAML2-SSO.
CLI authentication:
Username and password
Auto-authentication via SSH keys: to automatically sign in to the Delphix CLI without requiring user-input credentials
API authentication
Username and password
API Tokens (for Delphix Engines registered with Data Control Tower)
OAuth2 JSON Web Tokens
External systems:
Username and password
SSH keys
Kerberos: Authentication for environments and data sources using Kerberos
Kerberos support
Kerberos support is for access to connected environments, rather than the Delphix engine itself. This is an advanced topic and will require a solid understanding of Delphix concepts and architecture.