Request Access Overview

The portal functionality supports the following databases: PostgreSQL, MySQL, SQL Server, Oracle, Greenplum and Redshift.

The Request Access tab within the Portal provides the capability to request a session for specific roles in the designated Data Source.

When a session request is submitted, the relevant approvers are notified. They have the authority to approve or deny access to the specified roles.

The session is approved only after all requested roles have been approved, at which point a temporary user is created. The requester can then log in to the database with the temporary user's credentials for a defined period.

There are several possible scenarios during role requests:

  1. A particular role may not be selectable at all. This means that the requesting user is also the only approver for this role and cannot approve their own request.

  2. After selecting a role, there might be an alert indicating that the configuration is incomplete. This suggests that there may not be a configuration created in Roles Management for that role or its mapped roles. Additionally, the envelope icon will be grayed out with the information "No approvers found" upon hovering over it.

  3. It is also possible that immediately after requesting a specific role in a session, it gets auto-approved. This means that a notification is attached to that role without being associated with any emails. In other words, no approvals are required for such a role.

Fields

  • Data Source: Data Source in which the user wishes to request access to roles.
  • Roles: Roles that the user wishes to have in the database during the session. The list of roles consists of roles that match the user's LDAP group memberships and roles available in the database. Moreover, for a role to appear on this list, it must be configured in Roles Management, taking into account Group Mappings if they exist for the role.
  • Inherit special permissions: If selected, roles will be inherited. This option is available for PostgreSQL, where roles are not inherited by default. By checking this checkbox, it will be possible to inherit special roles such as SUPERUSER, CREATEDB, REPLICATION, BYPASSRLS, LOGIN or CREATEROLE if any of the ordinary roles possesses them.
  • Justification: Information for approvers explaining why the user is requesting the session. If the 'Require specific justification format' checkbox is selected in Portal Configuration, a justification is required, and if it does not match the provided regex, an appropriate message will appear.
  • Start Timestamp: Indicates the time when the approved session is scheduled to start. It can be set to a time in the past.
  • Duration: Session duration, which can be specified in various time units. The duration cannot be greater than the maximum time set for the selected role; otherwise, it will not be possible to request a session.

There is also an envelope icon next to each role, which shows the emails of the approvers associated with that role. The envelope icon is visible only when this option is selected in the Admin tab.

Warning: This feature is NOT functional when using MySQL versions earlier than 8.0.
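
Before approving a PostgreSQL request that has "Inherit special permissions" checked, an approver or DBA can check which of the requested roles carry the special attributes listed under Fields. The query below is an added example, not part of the portal; the role names are constructed, and following indirect memberships goes beyond what the page states (whether the portal considers them is an assumption).

```sql
-- Added example: list special attributes reachable from the requested roles.
-- Uses only the standard catalogs pg_roles and pg_auth_members.
WITH RECURSIVE requested(rolname) AS (
    -- Constructed sample role names; replace with the roles in the request.
    VALUES ('app_readonly'), ('app_admin')
),
closure AS (
    -- Start from each requested role...
    SELECT r.oid, r.rolname, r.rolname AS requested_role
    FROM pg_roles r
    JOIN requested q ON q.rolname = r.rolname
    UNION
    -- ...and add every role it is a member of, directly or indirectly
    -- (assumption: indirect memberships are relevant to the review).
    SELECT parent.oid, parent.rolname, c.requested_role
    FROM closure c
    JOIN pg_auth_members m ON m.member = c.oid
    JOIN pg_roles parent   ON parent.oid = m.roleid
)
SELECT c.requested_role,
       c.rolname        AS role_checked,
       r.rolsuper       AS superuser,
       r.rolcreatedb    AS createdb,
       r.rolcreaterole  AS createrole,
       r.rolreplication AS replication,
       r.rolbypassrls   AS bypassrls,
       r.rolcanlogin    AS login
FROM closure c
JOIN pg_roles r ON r.oid = c.oid
-- Keep only roles that hold at least one special attribute.
WHERE r.rolsuper OR r.rolcreatedb OR r.rolcreaterole
   OR r.rolreplication OR r.rolbypassrls OR r.rolcanlogin
ORDER BY c.requested_role, c.rolname;
```

An empty result means none of the requested roles, nor any role they belong to, holds one of these attributes.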