Managing user access
BigAnimal uses role-based access controls to grant users access to different parts of the application using organization-level and project-level roles. Roles are sets of permissions. BigAnimal uses roles to manage permissions assigned to users.
Each customer has a unique BigAnimal organization. Each organization has at least one project by default. An organization's database clusters are deployed and managed in the customer's cloud account within a project. You can create multiple projects within a single organization.
With multiple projects within an organization you can:
- Separate workflows to provide secure and isolated environments.
- Assign different users to different projects or give different roles to users in different projects to ensure they have the correct level of permissions.
To access a BigAnimal organization, each user first needs to be added to the organization's identity provider. For more information, see Setting up your identity provider. Your identity provider establishes the identity of the users who can log in to BigAnimal.
Note
You can invite people to your organization by copying a link from the Users page in the BigAnimal portal and sending it to their email. They'll need to create an EDB account if they don't have one already.
Once a user has logged in to BigAnimal, you can assign them a role.
Organization-level roles
The following roles grant privileges within an organization.
Organization owner — This role has management privileges to the organization and can perform the following actions:
- Create and view projects within their organization
- Update and delete their own projects
- View and assign organization-level and project-level roles
- View an activity log for the whole organization and each project
- View and download a usage report for the whole organization and each project
- View the identity provider details
Note
- The first user in a BigAnimal organization is an organization owner and project owner of the initial project, by default.
- At least one user must be an organization owner.
Organization admin — This role has read-only permissions to the organization. They can:
- View a list of projects within the organization
- View and download a usage report for the whole organization
- View other users with organization-level roles
- View the identity provider details of the BigAnimal subscription
Project-level roles
The following roles grant privileges within a project:
Project owner — This role has management privileges to the project and can perform the following actions within the project:
- Connect the cloud service provider accounts to BigAnimal
- View, edit, and delete the project
- Create, view, edit, and delete clusters
- Activate, suspend, and deactivate regions
- View and assign project-level roles
- View an activity log
- View and download a usage report
Note
At least one user must be a project owner.
Project editor — This role has edit privileges to the project and can perform the following actions within the project:
- View the cloud service provider accounts connected to BigAnimal
- Create, view, edit, and delete clusters
- Activate regions
- View users with project-level roles
- View an activity log
- View and download a usage report
Project viewer — This role has read-only permissions to the project. They can:
- View clusters
- View users with project-level roles
Users
Organization owners can assign users organization-level roles to complete certain tasks:
- From the menu next to your organization name in the top right of the portal, select User Management.
- Select the edit icon for the user.
- Select Assign Roles.
- Select the roles for the user.
- Select Submit.
See Adding a user to a project for information on adding users to projects.
Machine users
A machine user provides access to BigAnimal by means other than the UI: user-customized automation scripts, BigAnimal CLI commands, Terraform manifests, or BigAnimal's first-party binaries run from your environment.
- Any user with the organization owner role can create, update, and delete a machine user.
- The organization owner can be a user authenticated through the identity provider (IdP) or a machine user.
- An organization owner can manage the access key for a machine user but not for a normal user.
- The organization owner and project owner can assign and unassign roles for any machine user in the same organization.
- BigAnimal's authorization system performs permission checks on machine users as well as normal users.
- The machine user is associated with only one organization and can't switch to another organization.
- The machine user can't be invited, and the only way to authenticate and authorize a machine user is with an access key.
Note
There is a quota limit on the number of machine users. If you hit it and need more, contact our support team.
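The role descriptions above and the machine-user rules just listed amount to one authorization model: permission sets keyed by role at the organization and project levels, the same permission check for IdP users and machine users, a machine user bound to a single organization and accepted only while it holds an unexpired access key, and an organization that must keep at least one owner. The following Python model is an added example written for this page, not BigAnimal code; the permission identifiers (such as "cluster:create"), the class names, and the sample organization, users, and dates are all constructed here.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Permission sets transcribed from the role descriptions on this page.
# The "area:action" identifiers are this example's own naming.
ORG_PERMISSIONS = {
    "organization owner": {
        "project:create", "project:view", "project:update_own", "project:delete_own",
        "roles:view", "roles:assign", "activity_log:view", "usage_report:view", "idp:view"},
    "organization admin": {"project:view", "usage_report:view", "roles:view", "idp:view"},
}
PROJECT_PERMISSIONS = {
    "project owner": {
        "csp:connect", "project:view", "project:edit", "project:delete",
        "cluster:create", "cluster:view", "cluster:edit", "cluster:delete",
        "region:activate", "region:suspend", "region:deactivate",
        "roles:view", "roles:assign", "activity_log:view", "usage_report:view"},
    "project editor": {
        "csp:view", "cluster:create", "cluster:view", "cluster:edit", "cluster:delete",
        "region:activate", "roles:view", "activity_log:view", "usage_report:view"},
    "project viewer": {"cluster:view", "roles:view"},
}


@dataclass
class User:
    name: str
    org: str                          # a machine user belongs to exactly one organization
    machine: bool = False
    org_roles: set = field(default_factory=set)
    project_roles: dict = field(default_factory=dict)   # project name -> set of roles
    key_expiry: Optional[date] = None  # machine users authenticate by access key only


@dataclass
class Organization:
    name: str
    projects: set                      # names of the projects in this organization
    users: dict = field(default_factory=dict)


def authenticated(user: User, today: date) -> bool:
    """IdP users are assumed to have logged in; a machine user is accepted
    only while it holds an access key that has not expired."""
    if not user.machine:
        return True
    return user.key_expiry is not None and today < user.key_expiry


def is_allowed(org: Organization, user: User, permission: str,
               project: Optional[str] = None, today: Optional[date] = None) -> bool:
    """The same permission check for normal users and machine users."""
    today = today or date.today()
    if user.org != org.name or not authenticated(user, today):
        return False
    if project is None:
        return any(permission in ORG_PERMISSIONS.get(r, set()) for r in user.org_roles)
    if project not in org.projects:
        return False  # projects of another organization are out of reach
    return any(permission in PROJECT_PERMISSIONS.get(r, set())
               for r in user.project_roles.get(project, set()))


def revoke_org_role(org: Organization, actor: User, target: User, role: str) -> None:
    """Only a user who may assign roles can revoke one, and the last
    organization owner cannot be removed."""
    if not is_allowed(org, actor, "roles:assign"):
        raise PermissionError(f"{actor.name} may not change organization roles")
    owners = [u for u in org.users.values() if "organization owner" in u.org_roles]
    if role == "organization owner" and owners == [target]:
        raise ValueError("an organization must keep at least one owner")
    target.org_roles.discard(role)


def new_access_key(user: User, issued: date, days: int) -> date:
    """Record the expiry chosen in 'Expires in (Day/s)'; machine users only."""
    if not user.machine:
        raise ValueError("access keys exist only for machine users")
    user.key_expiry = issued + timedelta(days=days)
    return user.key_expiry


def demo() -> dict:
    """Constructed scenario: one organization, one project, an IdP-authenticated
    owner and a machine user holding the project editor role."""
    org = Organization("example-org", {"prod"})
    alice = User("alice", "example-org", org_roles={"organization owner"},
                 project_roles={"prod": {"project owner"}})
    bot = User("ci-bot", "example-org", machine=True,
               project_roles={"prod": {"project editor"}})
    org.users = {"alice": alice, "ci-bot": bot}
    day = date(2024, 1, 10)
    out = {"bot_without_key": is_allowed(org, bot, "cluster:create", "prod", day)}
    new_access_key(bot, date(2024, 1, 1), 30)          # valid until 2024-01-31
    out["bot_creates_cluster"] = is_allowed(org, bot, "cluster:create", "prod", day)
    out["bot_suspends_region"] = is_allowed(org, bot, "region:suspend", "prod", day)
    out["bot_other_project"] = is_allowed(org, bot, "cluster:view", "staging", day)
    out["bot_expired_key"] = is_allowed(org, bot, "cluster:create", "prod", date(2024, 2, 1))
    out["alice_creates_project"] = is_allowed(org, alice, "project:create")
    try:
        revoke_org_role(org, alice, alice, "organization owner")
        out["last_owner_removed"] = True
    except ValueError:
        out["last_owner_removed"] = False
    return out
```

Running `demo()` shows the editor role letting the machine user create a cluster but not suspend a region, the same user being refused before its key exists and again after the key expires, a project outside its organization being unreachable, and the sole organization owner being unable to revoke their own owner role.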
Add machine user
Only the organization owner can add a machine user.
To add a machine user:
- From the menu next to your organization name in the top right of the portal, select User Management.
- Select Add New User.
- Select Machine User as the user type.
- Provide the Username.
- Optionally, provide the Email ID.
- Optionally, select the Create Access Key check box.
  - If you select the check box, an access key is created for this user.
  - If you don't select the check box, no access key is created while adding this user. You can create the access key for this user from the user's home page later.
- Provide the Access Key Name.
- Select the Expires in (Day/s) value for the access key.
- To save the settings and provide the generated access key for the user, select Add User.
Copy this access key and save it in a secure location. The access key is shown only when you create it. If you lose your access key, you must delete it and create a new one. For more information, see Access key.
Assign an organization role or project role to the newly created machine user. For more information, see Users.
Note
Project-level user management in BigAnimal's UI is used to assign project roles to a machine user, not to manage machine users or their access keys.