Users and groups

This page introduces the concept of placing users in hierarchical groups to simplify privilege control and data access.

Overview

On a Kognitio system all users belong to one or more groups. A PUBLIC group is created when Kognitio is installed, and all users belong to it. The user with SYS privileges, normally the System Administrator, creates other groups. Groups are defined as follows.

  • Groups share the user namespace and user id space; no user can have the same name or id as a group and vice versa.

  • Any permission that can be granted to a user can also be granted to a group. Grantable permissions can also be assigned to a group.

  • Groups can be members of other groups. This relationship can be cyclic (that is, Group A is in Group B, which is in Group C, which is in Group A).

  • A user has an effective permission on an object if they are a member of any group that has the permission. Likewise, a group has an effective permission if it is a member of any group that has the permission, and so on. Effective permissions are used to access an object, but not for GRANT or REVOKE. This means that if a user X is in group Y and Y has SELECT on a table T, X will be able to select from T because the user has effective permission. The user doesn’t actually hold the permission, so REVOKE SELECT ON T FROM X will fail.

  • Groups can only be created and dropped by a user with SYS privileges. Users can only be added to or removed from groups by a user with SYS privileges.
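
The effective-permission and cyclic-membership rules above can be modelled in a few lines. The following Python sketch is an added illustration, not Kognitio code or its API: it resolves effective permissions through nested and cyclic groups, reports which principal actually holds the grant (useful when auditing access), and rejects a revoke against a principal with no direct grant. The class and method names, user U and the INSERT grant are assumptions constructed for the example; X, Y, T and groups A, B, C follow the text.

```python
from collections import defaultdict

class AccessModel:
    """Toy model of the membership rules above (hypothetical, not Kognitio's API)."""

    def __init__(self):
        self.member_of = defaultdict(set)  # principal -> groups it is directly in
        self.direct = defaultdict(set)     # principal -> {(privilege, object)}

    def add_member(self, principal, group):
        self.member_of[principal].add(group)

    def grant(self, privilege, obj, principal):
        self.direct[principal].add((privilege, obj))

    def groups_of(self, principal):
        # Walk memberships transitively; the seen set makes cyclic groups terminate.
        seen, stack = set(), [principal]
        while stack:
            for group in self.member_of[stack.pop()] - seen:
                seen.add(group)
                stack.append(group)
        return seen

    def sources(self, privilege, obj, principal):
        # Principals whose direct grant gives `principal` this permission.
        reach = {principal} | self.groups_of(principal)
        return {p for p in reach if (privilege, obj) in self.direct[p]}

    def effective(self, privilege, obj, principal):
        return bool(self.sources(privilege, obj, principal))

    def revoke(self, privilege, obj, principal):
        # Only a direct grant can be revoked; an inherited one is not held.
        if (privilege, obj) not in self.direct[principal]:
            raise ValueError(f"{principal} holds no direct {privilege} on {obj}")
        self.direct[principal].discard((privilege, obj))

def build_sample():
    # Constructed sample data: X, Y and T follow the text; A, B, C form the cycle.
    m = AccessModel()
    m.add_member("X", "Y")
    m.grant("SELECT", "T", "Y")
    for child, parent in [("A", "B"), ("B", "C"), ("C", "A"), ("U", "A")]:
        m.add_member(child, parent)
    m.grant("INSERT", "T", "C")
    return m
```

In this model a grant to any one group in the A, B, C cycle is effective for all three and for every member of any of them, so a membership cycle behaves as a single group for access purposes.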

The SQL required to administer users and groups: