There are multiple layers of admin roles and permissions.
- A superadmin role is application-related.
- Global permissions are valid for all entities (e.g. users, instances, hosts).
- Entity-related permissions are limited to a specific entity (e.g. a user, an instance, a host).
- Instance admin permissions are used in the administration and in the instance itself. Other instance permissions are limited to the instance.
- Project, table and object permissions are limited to their own scope.
A Superadmin can do practically anything. It also inherits all global permissions. Only a Superadmin can manually manage other Superadmins.
These permissions are global. They can be set up in the administration section of a user by a Global Admin Manager.
- Global User Moderator - can see all application users
- Global User Admin - can see and edit all application users
- Global Host Admin - can create, edit, delete all hosts and their DB roles, instances and services and their user permissions
- Global Client Admin - can create, edit, delete all clients and their user permissions
- Global Language Admin - can create, edit, delete languages
- Global Enum Admin - can view enums
- Global Admin Manager - can see all users and edit their global permissions, and their permissions to any host, DB role, service, client or instance
These user permissions are client-related. They can be edited by a Client User Moderator allowed to see all application users. A Global Client Admin permission implicitly inherits all permissions for all clients. New clients can be created only by a Global Client Admin.
- Default - can see the client
- Client Detail Manager - can create, edit, delete the client's details and files
- Client Manager - can edit, delete the client itself
- Client DB Role Admin - can change the client's DB role permissions
- Client User Moderator - can edit users' permissions to the client
- Client Admin - can see the client's details and history, can use deleted clients, details, files, and their services and host roles
These user permissions are host-related. They can be edited by a Host User Moderator allowed to see all application users. A Global Host Admin permission implicitly inherits all permissions for all hosts. New hosts can be created only by a Global Host Admin.
- Default - can see the host and tablespaces
- Host Instance Source - can create instances on the host
- Host Instance Manager - can edit, delete the host's instances where the user is specified as Instance Admin, can manage their user permissions and see their services
- Host Instance Admin - can edit, delete the host's instances (all), can manage their user permissions and see their services
- Host DB Role Source - can create DB roles on the host
- Host DB Role Instance Moderator - can edit DB role's permissions to instances for the host's DB roles (all)
- Host DB Role Admin - can edit, delete the host's DB roles (all), their user permissions and credentials
- Host Service Source - can create services on the host
- Host Service Operator - can edit control of the host's services (all)
- Host Service Manager - can edit the host's services (all)
- Host Service Admin - can edit, delete and see all (even deleted) services of the host and their controls and user permissions
- Host User Moderator - can edit users' permissions to the host
- Host Admin - can edit the host and its tablespaces and catalog, can see its deleted instances, services and DB roles
These user permissions are DB-role-related. They can be edited by a DB Role Admin allowed to see all application users. A Global Host Admin permission implicitly inherits all permissions for all DB roles.
- Default - can see the DB role
- DB Role Database User - can see the DB role's credentials
- DB Role Instance Moderator - can edit the DB role's permissions to instances
- DB Role Admin - can edit, delete the DB role, its inheritance and user permissions, can see its history
These user permissions are service-related. They can be edited by a Service Admin allowed to see all application users. A Global Host Admin permission implicitly inherits all permissions for all services.
- Default - can see the service
- Service Operator - can edit control of the service
- Service Manager - can edit the service
- Service Admin - can edit, delete the service, its state and user permissions, see its history and deleted services
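
The inheritance and delegation rules above can be checked mechanically. The following is an added example, not the application's own code: the `User` layout and function names are hypothetical, only the client, host, DB role and service scopes are modelled, and it assumes "allowed to see all application users" is a second condition that must hold alongside the entity-level editor permission.

```python
from dataclasses import dataclass, field

# Global permission that implicitly inherits every permission in a scope (per the lists above).
SCOPE_GLOBAL = {"client": "Global Client Admin", "host": "Global Host Admin",
                "db_role": "Global Host Admin", "service": "Global Host Admin"}
# Entity-related permission that may edit other users' permissions in each scope.
SCOPE_EDITOR = {"client": "Client User Moderator", "host": "Host User Moderator",
                "db_role": "DB Role Admin", "service": "Service Admin"}
# Global permissions described as able to see all application users.
SEE_ALL_USERS = {"Global User Moderator", "Global User Admin", "Global Admin Manager"}

@dataclass
class User:  # hypothetical record, constructed for this example
    superadmin: bool = False
    global_perms: set = field(default_factory=set)
    # (scope, entity_id) -> set of entity-related permission names
    entity_perms: dict = field(default_factory=dict)

def has_global(user, perm):
    # A Superadmin inherits all global permissions.
    return user.superadmin or perm in user.global_perms

def has_entity_perm(user, scope, entity_id, perm):
    # The scope's global admin implicitly holds every permission on every entity.
    if has_global(user, SCOPE_GLOBAL[scope]):
        return True
    return perm in user.entity_perms.get((scope, entity_id), set())

def can_see_all_users(user):
    return any(has_global(user, p) for p in SEE_ALL_USERS)

def can_edit_entity_permissions(user, scope, entity_id):
    # Global Admin Manager can edit users' permissions to any entity.
    if has_global(user, "Global Admin Manager"):
        return True
    # Otherwise both must hold: editor permission on this entity
    # and visibility of all application users (assumed to be a conjunction).
    return (has_entity_perm(user, scope, entity_id, SCOPE_EDITOR[scope])
            and can_see_all_users(user))
```

A check like this is useful in an access review: a user holding Host User Moderator alone cannot delegate anything until a user-visibility permission is also granted, so both grants belong in the audit trail.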