Diff for "UserManagement"

User Management

Duke OIT's Group Management

Whether or not a user has an account in Babase, s/he needs a Duke NetID, and this ID needs to be added to Duke OIT's "babase users" group. This management is done in a web browser using Duke's Group Manager.

Non-Duke users can be sponsored for an "affiliate" NetID by Duke faculty members. So only Susan or Jenny.

Adding a Babase User

After logging in to the Group Manager, you'll see a list of the groups of which you are a member. (Or maybe it lists only the groups of which you are an "owner"?). Find and click the "babase users" group name.

Scroll down to the "GROUP MEMBERS" pane. Click the "Add Individual Member +". In the field that opens, you can enter a person's name, their Duke NetID, or their Duke UniqueID. Suggestions will appear as you type (e.g. if you only type "Jane" there will be lots of possibilities, but this will narrow as you type more of her name). Click the suggestion that matches the user you're adding, then click "Submit". Check the list of group members and verify that you successfully added the new user.

When finished, you can click the "log out" button at the upper-right, or just close your browser window.

Removing a Babase User

Log in to the Group Manager and select the "babase users" group. Scroll down to the list of group members, and locate the line for the user whose ID you want to remove. Click the "remove" button in the far right column.

When finished, you can click the "log out" button at the upper-right, or just close your browser window.

Babase User Management

Forgotten Babase Password

There is no way to recover a forgotten password -- the user's password must be reset to a new value.

To reset the password of the user foo to abcdef login to Babase as the administrator, babase_admin, and issue the following SQL command:

ALTER ROLE foo PASSWORD 'abcdef';

After changing a user's password please have the user login and change their password to a value known only to themself.

Adding a User to Babase

Users can be added to babase, as well as a schema created, and permissions set, by completing the following steps using a SSH client.

PGPASSWORD='*********' babase-user-add YOURADMINNAME USERNAME babase_readers

• The ********* here would be the password that goes with your administrative user name.
• The YOURADMINNAME is your username that has administrative privileges.
• The Username selected will become not only the babase username and temporary password but also the schema name.
• It is very important that the user immediately change their password using PPA's password change option.

Adding an Admin User to Babase

Admin users can be added to babase, with no additional schema created, by completing the following steps using a SSH client.

PGPASSWORD='*********' babase-user-add -a YOURADMINNAME NEWADMINNAME

• The ********* here would be the password that goes with your administrative user name.
• The YOURADMINNAME is your username that has administrative privileges.
• The Newadminname selected will become the babase username and temporary password.

• It is especially important that the user immediately change their password; admin accounts should be as secure as possible! Password can be changed using PPA's alter role option, or using the directions listed above for forgotten passwords.

Changing a User's Role in Babase

To change the role of a babase user, use grant and revoke. For example, below we grant the babase_editors role to the user and revoke the babase_readers role from the user.

GRANT babase_editors to USERNAME;
REVOKE babase_readers from USERNAME;

Deleting a User from Babase

WARNING: The process described in this section deletes the user's personal schemas. Be sure to examine the tables in these schemas before deletion to be sure that nothing should be saved. A table may be transferred to another schema by the babase administrator with the following SQL command:

ALTER TABLE oldschema.sometable SET SCHEMA newschema;

Users can be deleted from babase, and their personal schemas deleted as well, by running the following command on papio using a SSH client:

babase-user-delete YOURADMINNAME USERNAME

The password requested is that of your administrative user name, the YOURADMINNAME.

Be sure to peruse the output as it not only displays all the tables and other database objects deleted but may also contain error messages and descriptions of why the operation failed. Lines containing error messages and further information are are prefixed with 'ERROR:' and 'DETAIL:'.

Errors are generally due to the user having explicit permissions to or ownership of objects that are not in their personal schema. These issues are resolved by connecting to the database in question (usually babase) as the database administrator and either using PPA's management features or directly issuing SQL commands. The SQL command to remove permissions from, say, a table is:

REVOKE ALL ON TABLE sometable FROM someuser;

If the database object in question is not a table then change the word TABLE in the above command to kind of object in question.

To reassign ownership of, say, a table to another user use the following SQL command:

AlTER TABLE sometable OWNER TO anotheruser;

Again, if the database object in question is not a table then change the word TABLE in the above command to kind of object in question.

Note that each user has a personal schema in each database, babase, babase_test, and babase_copy. The babase-user-delete command can succeed in deleting schemas from some databases and not others. If this occurs the command can be re-run once the situation which prevents schema deletion is rectified. In this case you may receive errors which say that schemas do not exist. These can be safely ignored.