Neoview User Management and Security Administration Guide (R2.5)
occurs on the Neoview platform, allowing them to take action even if an external directory server
is unavailable.
Different users on the platform can have different access privileges, but on the Neoview platform
privileges are not defined as attributes of the user. Rather, each user is associated with a Neoview
role (such as ROLE.MGR or ROLE.DBA), which has privileges defined for it. You use a set of
dialogs in the HP Database Manager (HPDM) or a set of commands in the Neoview Command
Interface (NCI) to create, associate, and manage Neoview users and roles. For information about
performing these tasks, see “User and Role Management” (page 95).
Many users can be assigned the same Neoview role. For example, mkessler, lizdaly, and jrodriguez
could all have the ROLE.DBA role and therefore identical access privileges. When any of these
users attempts an operation on a resource (for example, if mkessler attempts to alter a table), the
role is used to authorize the user—to verify that the user has permission to perform the requested
operation.
It is also possible for the same database user to be assigned multiple roles. For example, you
could define roles that correspond to user groups and dictate the data that a particular user is
entitled to view or alter. Thus mkessler could have the role ROLE.EMP for access to an employee
database and the role ROLE.INV for access to an inventory database. Neoview client applications
provide the means for specifying, as part of the logon procedure, the role applicable to the current
session.
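The role model described above, as a small Python sketch added here for illustration (it is not Neoview or HP code). The user and role names come from the text; the table names, privilege names and the functions logon, authorize and who_can are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample data. Privileges belong to roles, never to users.
ROLE_PRIVILEGES = {
    "ROLE.DBA": {("EMPLOYEE", "SELECT"), ("EMPLOYEE", "ALTER"),
                 ("INVENTORY", "SELECT"), ("INVENTORY", "ALTER")},
    "ROLE.EMP": {("EMPLOYEE", "SELECT"), ("EMPLOYEE", "ALTER")},
    "ROLE.INV": {("INVENTORY", "SELECT")},
}
# A user may be assigned several roles; many users may share one role.
USER_ROLES = {
    "mkessler": {"ROLE.EMP", "ROLE.INV"},
    "lizdaly": {"ROLE.DBA"},
    "jrodriguez": {"ROLE.DBA"},
}


class LogonError(Exception):
    """Raised when a user asks for a role that is not assigned to them."""


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # the single role chosen at logon for this session


def logon(user: str, role: str) -> Session:
    """Start a session under one of the roles assigned to the user."""
    if role not in USER_ROLES.get(user, set()):
        raise LogonError(f"{role} is not assigned to {user}")
    return Session(user, role)


def authorize(session: Session, obj: str, privilege: str) -> bool:
    """Decide from the session's role only, not from the user's other roles."""
    return (obj, privilege) in ROLE_PRIVILEGES.get(session.role, set())


def who_can(obj: str, privilege: str) -> list[tuple[str, str]]:
    """Review helper: every (user, role) pair that reaches the privilege."""
    return sorted(
        (user, role)
        for user, roles in USER_ROLES.items()
        for role in roles
        if (obj, privilege) in ROLE_PRIVILEGES.get(role, set())
    )
```

In this sketch, mkessler logged on as ROLE.EMP is refused access to the inventory table even though ROLE.INV is also assigned to him, because only the role chosen for the session is consulted.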
In contrast with database privileges, access to objects such as files, programs, and processes is
under the control of the Neoview operating system. Access controls, which come into play primarily
in the context of maintenance activities inside the platform, prevent a user from accessing a file,
running a program, or stopping a process unless the user has appropriate authority to do so.
Granting and Revoking Privileges
The interfaces you use for granting and revoking privileges differ depending on the type of
privilege you wish to grant:
• To grant and revoke most database privileges, you use GRANT and REVOKE commands
described in the Neoview SQL Reference Manual. For more information about database
privileges on the Neoview platform, see “Database Security” (page 131).
• To grant and revoke administrator privileges, which are necessary for most workload
management tasks, you can use the ADD ADMIN and DELETE ADMIN commands in the
Neoview Command Interface, in Neoview Service (NS) mode or WMS mode. Alternatively,
you can use the WMS configuration screens in the Neoview Performance Analysis Tools
(NPAT). For more information about workload management on the Neoview platform, see
the Neoview Workload Management Services Guide.
• To grant and revoke operator privileges, which are necessary for managing data sources in
HPDM, you can use either NCI commands or the graphical user interface provided on the
HPDM Connectivity tab. For more information about connectivity commands in NCI, see
the Neoview Command Interface (NCI) Guide. For more information about data source
management in HPDM, see the HPDM Online Help or the HP Database Manager (HPDM)
User Guide.
LDAP Integration
The Neoview security infrastructure can make use of an external directory compatible with
Lightweight Directory Access Protocol (LDAP), version 2 or 3. A process called the LDAP daemon
(LD) runs on the Neoview platforms and binds with the external LDAP server to authenticate
user credentials (name and password). Many LDAP daemon processes run in parallel—two on
each processing node on each Neoview segment—to allow simultaneous authentication of a
large number of requests.
The Neoview platform supports integration with Microsoft Active Directory and with standard
LDAP implementations such as OpenLDAP. LDAP server configuration metadata on the Neoview
18 Introduction to Security on the Neoview Platform