Manage Logins

Manage access to managed server instances and databases

Overview

In Data Bridge, a login is an entity that enables a licensed Intelligent Risk Platform™ user account to access a server instance on the Data Bridge cluster.

A Data Bridge login consists of a login name, a password, and a role:

  • The login name uniquely identifies the login.
  • The password enables the user to log into a managed server instance in the Data Bridge cluster.
  • The role determines the operations that login may perform in the server instance. A role may be assigned to a group, which is granted access to a data resource.

The login enables the user account to connect to and perform permitted operations on a server instance. The user account must call the operation from an IP address on the tenant's access control list. A single login may be assigned to multiple Intelligent Risk Platform user accounts.

Role-based access controls

Data Bridge implements role-based access controls to manage API access to managed server instances. Principals are assigned roles based on group membership. Every Data Bridge principal is assigned to the Contributor or Consumer group and inherits the privileges assigned to that group:

  • The Consumer group identifies users with read-only access to the databases on a managed server instance. Principals belonging to this group cannot modify data in databases or upload databases to Data Bridge.
  • The Contributor group identifies users that may modify data, import or export data, and add or remove databases on managed server instances.

Group membership also determines the level of access that a user is granted to custom databases on Data Bridge. Moody's RMS maps the Consumer and Contributor groups to predefined database roles available by default on all managed server instances. Users are automatically added to one or the other database role. To learn more, see Administer Custom Databases.

Role-based permissions are encoded in the API key or OAUTH token that the client passes in each request. For detailed information about the administration of Intelligent Risk groups and role-based access controls, see the Intelligent Risk Platform Administrator Guide.

View server instance logins

The Get logins by server instance operation (GET /v1/sql-instances/{instanceName}/Logins) returns information about the logins to a specific SQL Server instance. The data returned by the operation depends on the role assigned to the user making the call.

  • If the user belongs to the Contributor group, the operation returns a list of the logins owned by the user.
  • If the user belongs to the Administrator group, the operations returns a list of all of the logins to the SQL Server instance.

The operation takes one required parameter. The instanceName path parameter identifies the name of a SQL Server instance (for example, dbinstance-1).

Create server instance logins

The Create logins operation (POST /v1/sql-instances/{instanceName}/Logins) enables a user to create a new SQL Server login. The scope of the login created depends on the role assigned to the user making the call.

The operation takes one required parameter. The instanceName path parameter identifies the name of a SQL Server instance (for example, dbinstance-1).

curl --location -g --request POST 'https://path.to.parameter/databridge/v1/sql-instances/dbinstance-1/Logins' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer XXXXXXXXXXXXXXXXXXXX'

In the request body, specify the login name, the login password, and the role of that user.

{
  "login": "TestLoginConsumerdelete",
  "password": "Automaion@1234",
   "role": "consumer"
}

  • The login property specifies a unique name for the user account. You can use this unique name to identify the user account to edit or delete the user.
  • The password property specifies the user’s password. The user must specify the login name and password to access the Data Bridge SQL Server instance.
  • The role property specifies the level of access available to the user. One of Consumer or Contributor.

Update server instance login passwords

The Update login password operation (PATCH /v1/sql-instances/{{instanceNname}}/lLogins/{loginName}) enables administrators to update the password for a specified login.

The operation takes to required path parameters. The instanceName path parameter identifies the SQL Server instance. The loginName path parameter specifies the login of a user.

Delete server instance login

The Delete login operation (DELETE /v1/sql-instances/{{instancename}}/Logins/{loginName}) enables administrators to delete a SQL Server login from a specific SQL Server instance.

The operation takes two required path parameters. The instanceNname path parameter identifies the SQL Server instance. The loginName path parameter identifies the login of the user to delete.