DBM uses a layered permission model. Permission bitmask semantics: null = no access, 0 = base access (can see), > 0 = specific bits enabled.
Platform-level role that bypasses all permission checks. Can manage everything including other superadmins.
UserGlobalPermissions)| Permission | Effect |
|---|---|
USER_MODERATOR |
View all application users |
USER_ADMIN |
Edit all application users |
HOST_ADMIN |
Manage all hosts and host-bound entities (instances, DB roles, services) |
CLIENT_ADMIN |
Manage all client interfaces |
LANGUAGE_ADMIN |
Manage global languages |
ENUM_ADMIN |
View enums |
ADMIN_MANAGER |
Manage user permissions globally and on individual entities |
Permissions can be assigned as global (all entities of that category) or per-entity.
UserHostPermissions)| Permission | Effect |
|---|---|
INSTANCE_SOURCE |
Create instances (becomes instance admin + user moderator) |
INSTANCE_MANAGER |
Delete/upgrade instances where assigned as admin; edit user permissions, see services |
INSTANCE_ADMIN |
Full instance management on the host |
HOST_ROLE_SOURCE |
Create DB roles (becomes role admin + user moderator) |
HOST_ROLE_INSTANCE_MODERATOR |
Edit instance permissions of all host roles |
HOST_ROLE_ADMIN |
Full DB role management |
SERVICE_SOURCE |
Create services (becomes service admin + user moderator) |
SERVICE_OPERATOR |
Control service state |
SERVICE_MANAGER |
Edit service configuration |
SERVICE_ADMIN |
Full service management including deleted |
USER_MODERATOR |
Edit user host permissions |
ADMIN |
Edit host/tablespaces/catalog; see deleted entities |
UserHostRolePermissions)| Permission | Effect |
|---|---|
DATABASE_USER |
View credentials |
INSTANCE_MODERATOR |
Edit role-to-instance permissions |
ADMIN |
Full role lifecycle, inheritance, user bindings, history |
UserServicePermissions)| Permission | Effect |
|---|---|
SERVICE_OPERATOR |
Control service state |
SERVICE_MANAGER |
Edit service configuration |
ADMIN |
Full lifecycle, state, user permissions, history |
UserClientPermissions)| Permission | Effect |
|---|---|
DETAIL_MANAGER |
Create/edit/delete client manuals and files |
CLIENT_MANAGER |
Edit/delete the client itself |
HOST_ROLE_MANAGER |
Manage client host role permissions |
USER_MODERATOR |
Manage user client permissions |
ADMIN |
Full visibility including history and deleted |
To modify user permissions on any entity, you need both:
Exception: Assigning users to an instance only requires ADMIN or USER_MODERATOR on the instance (no global user search — you must know the exact username). This enables local instance managers without broad global rights.
A full instance administrator has either:
ADMIN on the instance + INSTANCE_MANAGER on the host, ORINSTANCE_ADMIN on the hostFull admins can manage instance version, services, DB roles, and other advanced settings.
See also: Instance Permissions for permissions inside an instance.