This chapter describes how to manage access to your MySQL Enterprise Monitor installation.
MySQL Enterprise Monitor Access Control enables you to manage the following:
Asset visibility: the rights to access data collected from hosts or MySQL instances. Access can be strictly limited to specific groups of monitored assets.
Application administration: the rights to view or change the MySQL Enterprise Monitor configuration.
Specific data access: the rights to view specific types of potentially sensitive data.
Role reuse: rather than define permissions per user, permission sets are defined in Roles and multiple users can be assigned to each Role.
The MySQL Enterprise Monitor access control system is based on Users and Roles. Users have no rights assigned to them directly. All rights are defined on Roles. Users are assigned to Roles and inherit the rights defined on those Roles.
Roles are collections of permissions to which users are assigned. Roles define what the user is permitted to see and do in the application. Users can be assigned to multiple roles.
If users are assigned to multiple roles, MySQL Enterprise Monitor always takes the highest permission defined on those roles for that user. For example, if the user is assigned to a role with the Advisor Configuration set to Read-Only, and another role with Advisor Configuration set to Administer, Administer is the permission used for that user.
This section describes the permissions available in MySQL Enterprise Monitor Roles.
There are two distinct permissions scopes in MySQL Enterprise Monitor:
System-wide Permissions: apply to all assets and groups defined on the system. System-wide roles grant access to all monitored assets.
Group-specific Permissions: grant access to specific groups of monitored assets. Permissions defined against a specific group apply to that group only. This setting affects everything the user sees. For example, Events are displayed only for members of the group, the status summary bar displays information only on the members of the group, and so on.
It is not possible to assign permissions to the All group.
If you log in to the application as a group-specific user, the Asset Selector displays the group to which you are assigned, and the All group, which contains only those assets to which you have access.
Permissions are grouped in the following way:
Core Monitored Assets: grant or deny access to the monitored assets and collected data.
MEM/Service Manager: grant or deny access to the application and its settings.
The following grant types are available:
None: no access to the functional area.
Read-Only: read-only access to the functional area. The user can view, but not edit.
Administer: complete access to the functional area. The user can view and edit.
The Core Monitored Assets permissions define access to the monitored assets, groups, and Query Analyzer data. The Monitoring Services permissions are dependent on these permissions.
Defines the permissions for the monitored assets, groups, and visibility of the collected data in the Query Analyzer.
Server Group and MySQL Instances are linked. If one is set to Read-Only, the other is set also. Similarly, if one is set to Administer, the other is set also. MySQL Instances requires Server Group be set to a value other than None. If Server Group is set to None, MySQL Instances is set to None also.
Grants access to the monitored assets and groups. This permission must be used with the MySQL Instances permission.
None: no access to any monitored asset. As a result, no information is displayed.
Read-Only: Can view Groups of assets. This permission, or higher, is required for all other permissions which use Groups. Permissions such as Event Handling and Server Group Creation require access to the defined Groups. If the role requires access to those functional areas, this permission must be set.
Selecting Read-Only automatically selects Server Group Read-Only also.
Administer: Can edit group information and delete groups of assets, but cannot create groups. Creating a group requires the Server Group Creation permission.
Grants access to the monitored instances. This permission must be used with the Server Group permission. If Server Group is set to Read-Only, or higher, it is impossible to set MySQL Instances to None. That is, if Server Group is set to Read-Only, or higher, MySQL Instances must be set to Read-Only at least.
MySQL Instances: grants access to the data collected on the monitored MySQL Instances. Possible values are:
None: No access to MySQL Instances or the data collected on them.
Read-Only: access to the MySQL instances, but no rights to create, modify, or delete connections to those instances.
Administer: access to the MySQL instances, and can create, modify, and delete connections to those servers.
Administer is also required to access the bad connections, unreachable agents, and unmonitored instance lists on the MySQL Instances dashboard.
Administer is also required by the Database File I/O, which requires the sys schema. To install the sys schema from the MySQL Enterprise Monitor User Interface, the user must be assigned to a role with the Administer permission.
It is not possible to add, or start monitoring, a new instance without setting the MySQL Enterprise Monitor permission to Administer.
The Query Analysis permissions define access to the Query Analysis page.
Query Analysis Aggregate Data: access the data collected for the Query Analyzer. This permission also defines access to events which contain Query Analyzer data. Possible values are:
None: No access to the aggregated data collected for the Query Analyzer. If this permission is set, the user can open the Query Analyzer page, but the page does not load any aggregated data. This also affects the Query Analyzer graphs.
Events containing query analysis data are not displayed. Currently, this is limited to events generated by the SQL Statement Generates Warnings or Errors and Average Statement Execution Time advisors.
Read-Only: Aggregated data is presented to the user, and the Query Analyzer page is populated.
Administer: grants the right to close events containing Query Analysis aggregated data.
Query Analysis Example and Explain Data: access the data for example and explain plans in the Query Analyzer. This permission depends on the Query Analysis Aggregate Data permission. This permission also defines access to events which contain EXAMPLE and EXPLAIN data. Possible values are:
None: no access is granted to the Query Analyzer EXAMPLE and EXPLAIN data.
Read-Only: EXAMPLE and EXPLAIN data is accessible. If Query Analysis Aggregate Data is not set to Read-Only, EXAMPLE and EXPLAIN data cannot be accessed.
Administer: grants the right to close events containing Query Analysis EXAMPLE and EXPLAIN data.
The Query Analyzer permissions depend on the MySQL Instances permission. If MySQL Instances is set to Read-Only, both Query Analyzer permissions are also set to Read-Only. It is possible to set MySQL Instances to Read-Only, or higher, and manually set both Query Analyzer permissions to None, if required.
Each of the Monitored Asset permissions is dependent on the others. For a new role, all permissions default to None. Setting Server Group to Read-Only automatically sets all other Monitored Asset permissions to Read-Only. Similarly, if you set Server Group to Administer, MySQL Instances is also set to Administer. It is not possible to set MySQL Instances to None if Server Group is set to Read-Only or higher.
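The two rules above (highest grant wins when a user holds several roles, and the Core Monitored Assets permissions constrain one another) can be expressed as a small audit script. The following Python is an added illustration, not code from MySQL Enterprise Monitor: the role names and permission sets are constructed, and the check that a Query Analysis grant requires MySQL Instances to be at least Read-Only is an assumption drawn from the statement that the Query Analyzer permissions depend on MySQL Instances.

```python
"""Model of MySQL Enterprise Monitor role merging and the Monitored Assets
dependency rules described in this chapter.

Added illustration, not MEM's own code. Role definitions are constructed.
"""
from enum import IntEnum


class Grant(IntEnum):
    """Grant types, ordered so max() selects the highest permission."""
    NONE = 0
    READ_ONLY = 1
    ADMINISTER = 2


# Permission names used by this model (mirroring the chapter's terms).
SERVER_GROUP = "Server Group"
MYSQL_INSTANCES = "MySQL Instances"
QA_AGGREGATE = "Query Analysis Aggregate Data"
QA_EXAMPLE = "Query Analysis Example and Explain Data"
ADVISOR_CONFIG = "Advisor Configuration"
PERMISSIONS = (SERVER_GROUP, MYSQL_INSTANCES, QA_AGGREGATE, QA_EXAMPLE, ADVISOR_CONFIG)

# Constructed example roles (not MEM defaults).
EXAMPLE_ROLES = {
    "qa-reader": {
        SERVER_GROUP: Grant.READ_ONLY,
        MYSQL_INSTANCES: Grant.READ_ONLY,
        QA_AGGREGATE: Grant.READ_ONLY,
        QA_EXAMPLE: Grant.NONE,
        ADVISOR_CONFIG: Grant.READ_ONLY,
    },
    "group-admin": {
        SERVER_GROUP: Grant.ADMINISTER,
        MYSQL_INSTANCES: Grant.ADMINISTER,
        QA_AGGREGATE: Grant.NONE,
        QA_EXAMPLE: Grant.NONE,
        ADVISOR_CONFIG: Grant.ADMINISTER,
    },
}


def effective_permissions(role_perms, assigned_roles):
    """Merge the roles a user is assigned to. MEM always takes the highest
    grant defined on any of those roles for each permission."""
    merged = {perm: Grant.NONE for perm in PERMISSIONS}
    for role in assigned_roles:
        for perm, grant in role_perms[role].items():
            merged[perm] = max(merged[perm], grant)
    return merged


def check_monitored_asset_rules(perms):
    """Return the dependency-rule violations for a permission set.
    An empty list means the set is consistent with the chapter's rules."""
    problems = []
    sg = perms.get(SERVER_GROUP, Grant.NONE)
    mi = perms.get(MYSQL_INSTANCES, Grant.NONE)
    qa_agg = perms.get(QA_AGGREGATE, Grant.NONE)
    qa_ex = perms.get(QA_EXAMPLE, Grant.NONE)

    # Server Group and MySQL Instances are linked: None forces None,
    # Read-Only or higher forces at least Read-Only.
    if sg == Grant.NONE and mi != Grant.NONE:
        problems.append("MySQL Instances must be None when Server Group is None")
    if sg >= Grant.READ_ONLY and mi == Grant.NONE:
        problems.append("MySQL Instances must be at least Read-Only when Server Group is Read-Only or higher")
    # Administer on either side sets Administer on the other.
    if (sg == Grant.ADMINISTER) != (mi == Grant.ADMINISTER):
        problems.append("Server Group and MySQL Instances must both be Administer, or neither")

    # Assumption: Query Analyzer grants need MySQL Instances Read-Only or higher
    # (the chapter says they depend on MySQL Instances; lowering them to None is allowed).
    if mi == Grant.NONE and (qa_agg != Grant.NONE or qa_ex != Grant.NONE):
        problems.append("Query Analysis permissions require MySQL Instances Read-Only or higher")
    # EXAMPLE/EXPLAIN data is accessible only when aggregate data is Read-Only.
    if qa_ex >= Grant.READ_ONLY and qa_agg < Grant.READ_ONLY:
        problems.append("Query Analysis Example and Explain Data requires Query Analysis Aggregate Data Read-Only")
    return problems


if __name__ == "__main__":
    user_perms = effective_permissions(EXAMPLE_ROLES, ["qa-reader", "group-admin"])
    for perm in PERMISSIONS:
        print(f"{perm}: {user_perms[perm].name}")
    print("violations:", check_monitored_asset_rules(user_perms) or "none")
```

Running the script for a user assigned to both constructed roles shows Advisor Configuration resolving to Administer (the Read-Only grant on the first role is outranked), and the audit function is useful for validating role definitions exported from a deployment before they are applied.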
This permission is for use by Agent Roles only. Possible values are:
None: No Agent access.
Read-Only: Agent has access to the MySQL Enterprise Service Manager.
If you are defining an agent role, you must set all other permissions to None. The agent does not require them.
The MySQL Enterprise Monitor permission grants access to the various configuration settings of the MEM interface. Possible values are:
None: no access to the configuration settings.
Read-Only: configuration settings are visible, but cannot be edited.
Authentication-level settings, such as the External Authentication and HTTP Proxy Settings on the Settings page are not visible if this is set to Read-Only.
Administer: configuration settings are visible and editable.
Setting any of these values automatically sets the same value for all nested permissions.
The following permissions require Web Application Login and MySQL Enterprise Monitor set to Read-Only, or higher.
Advisor Configuration defines access to the Advisor page and its settings.
Advisors do not run as the user who created or enabled them, but as the system role. This avoids problems such as user deletion and partial replication topology visibility (advisors collect on the complete topology, but a user may see only part of that topology). As such, the Advisors cannot be set on a group-specific level; they can only be set at a global level.
None: no access to the Advisors. If the user attempts to load the Advisors page, an Access Denied error is displayed.
Read-Only: read-only access to the Advisors. The user can view the Advisors, but cannot save changes.
Administer: the user has complete access to the Advisors.
Overriding an Advisor at the top-level, not on an individual asset, overrides that Advisor globally, for all users, regardless of their roles. If an Advisor's schedule is changed, or disabled, at the top-level, it affects all users of MySQL Enterprise Service Manager regardless of their group setup.
Event Blackout: Possible values are:
None: no access to Event Handler Blackout menu on MySQL Instances dashboard.
Administer: Event Handler Blackout menu is displayed and can be selected.
The Event Handling permission grants access to the Event Handling page and menu item. Possible values are:
None: no access to Event Handling. The Event Handling menu item is not displayed on the Settings menu.
Read-Only: read-only access to Event Handling. The Event Handling page is accessible, but it is not possible to create, delete, or edit event handlers.
Administer: full access to the Event Handling page. Users associated with this role can create, edit, suspend, and delete Event Handlers.
If the user does not also have Server Group set to at least Read-Only, they are unable to add groups to an Event Handler.
The New Group Creation permission enables creation of groups. Possible values are:
None: no access to server group creation. If Server Group is set to Administer, assigned users can delete and modify existing groups, but cannot create new groups.
Administer: full access to server groups. If Server Group is set to Administer, the assigned user can create, delete, and edit server groups. If Server Group is set to Read-Only, the assigned user can create new groups, but cannot modify existing groups.
This permission depends on the Server Group permission. If Server Group is set to None, the user associated with this role cannot access groups and, as a result, cannot create or edit groups, even if New Group Creation is set to Administer.
The Settings permission grants access to the Settings menu item and Settings page. Possible values are:
None: the Settings menu item is not displayed.
Read-Only: read-only access to the Settings. Assigned users can open the Settings page, but cannot change any settings.
Administer: full access to the Settings. Assigned users can open the Settings page and edit the values.
Setting this permission to Administer does not grant access to the External Authentication section of the Settings page.
Users and Roles: Possible values are:
None: no access to the User or Roles pages.
Read-Only: read-only access to the Users and Roles pages. Assigned users can view, but not edit.
Administer: full access to the Users and Roles pages. Assigned users can view and edit both Users and Roles.
The default roles enable migration of defined roles from earlier versions. It is not possible to edit the default roles.
The following default users are created when MySQL Enterprise Service Manager is first installed and set up:
Agent user: defines the username and password used by all agents to connect to MySQL Enterprise Service Manager. This user is automatically added to the Agent role. The username defined on the initial setup page is used.
The Manager user: defines the username and password of the Manager user. This user is automatically added to the Manager role which has all rights granted. The username defined on the initial setup page is used.
This section describes the default roles.
It is not possible to edit or delete the default roles. They are present to enable upgrades from earlier versions, only.
The following are the default roles and a brief explanation of how they map to user definitions from earlier versions:
agent: the role used by the agent user. This role has only the Agent Services access permission defined because the agent does not need access to any MySQL Enterprise Service Manager functionality.
dba: maps to the dba role from previous versions. Any user with dba defined in 3.0 is added to dba in 3.1.
Display Query Analyzer: maps to View Query Analyzer tab in 3.0. Any user with View Query Analyzer tab defined in 3.0 is added to the Display Query Analyzer role in 3.1.
Display Query Analyzer Examples: maps to View actual (example) queries in 3.0. Any user with View actual (example) queries defined in 3.0 is added to the Display Query Analyzer Examples role in 3.1.
manager: maps to the manager role in previous versions.
readonly: maps to the readonly role in previous versions.
Users are added to the default roles based on the rights assigned to them in the earlier version of MySQL Enterprise Monitor. For example, if a user is assigned to the dba role and has both View Query Analyzer tab and View actual (example) queries enabled, the user will be added to the following Roles in 3.1:
dba
Display Query Analyzer
Display Query Analyzer Examples
This section describes how to create users and roles.
It is not possible to save a new user without an assigned role. It is recommended to create Roles before creating Users.
To create a role, do the following:
Select Roles from the Settings menu (gear icon). The Roles page is displayed.
On the Roles page, click Create. The Create Role page is displayed.
On the Details tab, enter a name in the Role Name field and add a description of the role.
If you are using an external authentication system, such as LDAP or Active Directory, enter the external role name in the External Roles field.
Click Permissions to open the Permissions tab.
If this role applies to a specific group only, select Group-Specific Permission, and select the required group from the drop-down list.
Define your permissions as required. For more information, see Section 23.3, “Monitored Assets Permissions” and Section 23.4, “Monitoring Services”.
If users exist, you can add them to this Role using the Assigned Users tab.
To add a user, click on the user name in the Available Users field. The user is moved to the Assigned Users field.
Click Save to save your changes, or click Cancel to discard your changes.
This section describes how to create a user.
To create a user, do the following:
Select Users from the Settings menu (gear icon). The Users page is displayed.
Click Create. The Create User page is displayed.
Enter the following:
User Login: the username the user will use to log in.
Full Name: the user's full name.
Password: the user's password.
Confirm Password: enter the user's password again.
Authenticate this user using LDAP: select only if you intend to use LDAP to authenticate this user.
It is not possible to save a user without assigning the user to a Role.
Select the Assign Roles tab.
Assign roles to the user by clicking the required role in the Available Roles field.
Save your changes.
It is not possible to edit a user's role if the user is authenticated by LDAP and their role is also provided by LDAP.