IBM Cloud Docs
Managing Users and Roles

IBM Cloud® Databases for EnterpriseDB uses a system of roles to manage database permissions. Roles are used to give a single user or a group of users a set of privileges. Determine roles, groups, and privileges for all roles across your deployment by using the psql command \du.

The \du command lists all users in the current database server. It can also be used to determine roles, groups, and privileges for all roles across a deployment.

Add users in the UI in Service Credentials, with the Cloud Databases CLI plug-in, or the Cloud Databases API.

The admin user

When you provision a Databases for MongoDB deployment, an admin user is automatically created.

Set the admin password before using it to connect.

The biggest difference between the admin user and any other users you add to your deployment is the pg_monitor and pg_signal_backend roles. The pg_monitor role provides a set of permissions that makes the admin user appropriate for monitoring the database server. The pg_signal_backend role provides the admin user the ability to send signals to cancel queries and connections that are initiated by other users. It does not provide the ability to send signals to processes owned by superusers.

You can also use the admin user to grant these two roles to other users on your deployment.

To expose the ability to cancel queries to other database users, grant the pg_signal_backend role from the admin user. The command looks like:

GRANT pg_signal_backend TO joe;

You can also grant pg_signal_backend to all users with the ibm-cloud-base-user role with a command that looks like:

GRANT pg_signal_backend TO "ibm-cloud-base-user";

This privilege allows the user or users to terminate any connections to the database.

To set up a specific monitoring user, mary, use a command like:

GRANT pg_monitor TO mary;

Grant pg_monitor to all the users with the ibm-cloud-base-user role with a command like:

GRANT pg_monitor TO "ibm-cloud-base-user";
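Because a grant to "ibm-cloud-base-user" reaches every member of that group, it is worth checking who effectively holds pg_monitor and pg_signal_backend after running the commands above. The following query is an added example, not part of the IBM Cloud documentation; it follows role membership transitively and is intended to be run as the admin user.

```sql
-- Added example (not from the IBM Cloud docs): list every role that effectively
-- holds pg_monitor or pg_signal_backend, whether granted directly or inherited
-- through a group such as "ibm-cloud-base-user".
WITH RECURSIVE membership AS (
    -- direct grants: member -> granted role
    SELECT m.member, m.roleid, 1 AS depth
    FROM pg_auth_members m
    UNION
    -- inherited grants: if A is a member of B and B is a member of C, A holds C
    SELECT ms.member, m.roleid, ms.depth + 1
    FROM membership ms
    JOIN pg_auth_members m ON m.member = ms.roleid
    WHERE ms.depth < 10          -- guard against membership cycles
)
SELECT r.rolname       AS holder,
       g.rolname       AS privilege_role,
       r.rolcanlogin   AS can_login,
       r.rolinherit    AS inherits,        -- false: must SET ROLE to use it
       MIN(ms.depth)   AS shortest_path    -- 1 = granted directly to the holder
FROM membership ms
JOIN pg_roles r ON r.oid = ms.member
JOIN pg_roles g ON g.oid = ms.roleid
WHERE g.rolname IN ('pg_monitor', 'pg_signal_backend')
GROUP BY r.rolname, g.rolname, r.rolcanlogin, r.rolinherit
ORDER BY privilege_role, holder;
```

A row with shortest_path greater than 1 is a user who received the privilege only through group membership; a holder with can_login = true and inherits = true can cancel other users' sessions without any further step.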

Setting the Admin Password in the UI

Set your Admin Password through the UI by selecting your instance from the Resource List in the IBM Cloud Dashboard. Then, select Settings. Next, select Change Database Admin Password.

Setting the Admin Password in the CLI

Use the cdb user-password command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.

For example, to set the admin password for a deployment named example-deployment, use the following command:

ibmcloud cdb user-password example-deployment admin <newpassword>

Setting the Admin Password in the API

The Foundation Endpoint that is shown on the Overview panel Deployment Details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password.

curl -X PATCH 'https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin' \
  -H 'Authorization: Bearer <>' \
  -H 'Content-Type: application/json' \
  -d '{"password":"newrootpasswordsupersecure21"}'

Service Credential Users

Users that you create through the Service Credentials are members of ibm-cloud-base-user. They are able to log in, create users, and create databases.

When a user in a group creates a resource in a database, like a table, all users that are in the same group have access to that resource. Resources that are created by any of the users in ibm-cloud-base-user are accessible to other users in ibm-cloud-base-user, including the admin user.

Users who are created through the CLI

Users that you create through the Cloud Databases CLI plug-in are members of ibm-cloud-base-user. They are able to log in, create users, and create databases.

When a user creates a resource in a database, like a table, all users that are in the same group have access to that resource. Resources that are created by any of the users in ibm-cloud-base-user are accessible to other users in ibm-cloud-base-user, including the admin user.

Users that are created directly from the Cloud Databases CLI plug-in do not appear in Service Credentials, but you can add them.

Users who are created through the API

Users that you create through the Cloud Databases API are members of ibm-cloud-base-user. They are able to log in, create users, and create databases.

When a user creates a resource in a database, like a table, all users that are in the same group have access to that resource. Resources that are created by any of the users in ibm-cloud-base-user are accessible to other users in ibm-cloud-base-user, including the admin user.

Users that are created directly from the Cloud Databases API do not appear in Service Credentials, but you can add them.

The read-only user

The ibm-cloud-base-user-ro role manages privileges for users that are created to access read-only replicas. For more information, see Configuring Read-only Replicas.

Other ibm Users

If you run the \du command with your admin account, you see the ibm, ibm-cloud-base-user, and ibm-replication users.

The ibm-cloud-base-user is used as a template to manage group roles for other users. It is used to manage users who are created through the CLI and API. It also enables integration with the Service Credentials user creation. A user that is a member of ibm-cloud-base-user inherits the create role and create database attributes from ibm-cloud-base-user. The ibm-cloud-base-user is not able to log in.

The ibm and the ibm-replication accounts are the only superusers on your deployment. A superuser account is not available for you to use. These users are internal administrative accounts that manage replication, metrics, and other functions that ensure the stability of your deployment.

Users created with psql

You can bypass creating users through IBM Cloud by creating users directly in EnterpriseDB with psql. psql makes use of PostgreSQL's native role and user management. Users and roles that are created in psql must have all of their privileges set manually, including privileges to the objects that they create.

Users that are created directly in Databases for EnterpriseDB do not appear in Service Credentials, but you can add them.

Note that these users are not integrated with IAM controls, even if added to Service Credentials.
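Because a role created directly with psql is not a member of ibm-cloud-base-user, nothing is granted to it implicitly. The following is an added example, not part of the IBM Cloud documentation, of provisioning such a role with only the privileges it needs and then verifying the result; the role name reporting_ro, the database appdb, the schema app, the table app.orders and the password placeholder are all assumptions.

```sql
-- Added example (not from the IBM Cloud docs): a read-only reporting role
-- created with psql, with every privilege granted explicitly.
-- reporting_ro, appdb, app, app.orders and the password are assumed names.
CREATE ROLE reporting_ro LOGIN PASSWORD '<strong-password>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 5;

-- Scoped grants: connect to the database, see the schema, read existing tables.
GRANT CONNECT ON DATABASE appdb TO reporting_ro;
GRANT USAGE   ON SCHEMA app TO reporting_ro;
GRANT SELECT  ON ALL TABLES IN SCHEMA app TO reporting_ro;

-- Tables created later by the role running this script are not covered by the
-- grant above; declare default privileges for objects it creates from now on.
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT ON TABLES TO reporting_ro;

-- Verify: the role can read but not write, and holds no group membership.
SELECT has_table_privilege('reporting_ro', 'app.orders', 'SELECT') AS can_read,   -- expect t
       has_table_privilege('reporting_ro', 'app.orders', 'INSERT') AS can_write;  -- expect f

SELECT g.rolname AS member_of
FROM pg_auth_members m
JOIN pg_roles g ON g.oid = m.roleid
JOIN pg_roles r ON r.oid = m.member
WHERE r.rolname = 'reporting_ro';                                               -- expect no rows
```

ALTER DEFAULT PRIVILEGES without a FOR ROLE clause applies only to objects created by the role that runs it, so tables created by other ibm-cloud-base-user members still need their own grants.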

The emp_admin user

The emp_admin is an internal Databases for EnterpriseDB user that is used by the EDB Migration Portal to communicate directly with EnterpriseDB databases. Connect to the EDB Migration Portal by using your IAM login information.

Do not drop this user.

The aq_administrator_role user

The aq_administrator_role user is a system-defined privilege that allows a user to interact with queues. This user is provided by default from EnterpriseDB and is not managed by Databases for EnterpriseDB. For more information, see CREATE QUEUE.

Do not drop this user.