MySQL Enterprise Monitor 8.0 Manual


24.2 Strict Permission Set

The Strict scenario is a group-based implementation. Monitored assets are partitioned into groups, and users are assigned to roles that grant different levels of access to those groups.

This scenario focuses on two groups, Development and Production. Development is the group of MySQL instances where the product is developed and tested. Production is the group of MySQL instances to which the finished product is deployed for customers to use.

Figure 24.1 Strict Permission Set Overview

Architecture of strict permission set showing production and development MySQL instances, monitored by MySQL Enterprise Service Manager, and viewed by different user types, DBAs, developers, and Administrators.

Users, Roles and Groups

This implementation requires the following asset groups:

  • Development: all assets used by the development and quality teams are grouped in the Development group.

  • Production: all assets deployed for use by the customer are grouped in the Production group.

Note

When installing agents to monitor the assets, it is critically important to choose the correct group during the installation process. If the incorrect group, or no group, is chosen, the assets fall outside the scope of the group-specific roles defined here and cannot be seen by any user except members of the SeniorDBA role, whose permissions are System-Wide.

This implementation requires the following role types:

  • GroupAdmin: System-wide role. Members are responsible for user, role, and group management only. The role is deliberately limited: its Server Group and Web Application Login permissions are set to None, so on its own it cannot log in to the UI or see any monitored asset. To access the UI or create groups, users assigned to this role must also be assigned to a role with usable Server Group permissions (Read-Only or Administer).

  • SeniorDBA: System-wide role. Members have access to all monitored assets in both the Production and Development groups, and to any asset installed without a group. No group-specific permission set is required.

  • JuniorDBA: members have read-only access to the monitored assets in the Development group, only.

  • SeniorDev-Development: members have limited access to monitored assets in Development group. Members of this role need permissions to view events, Query Analyzer data, and create event handlers on the Development assets. Members of this role are responsible for inspecting the impact their code has on performance and existing functionality.

  • SeniorDev-Production: Same members as SeniorDev-Development, but with restricted rights on the monitored assets. Members may observe only: no rights to create event handlers, set blackouts, or access the Query Analyzer's Explain or Example functionality. This role exposes no customer data, but does allow its members to view events generated on the monitored assets.

    If a member of this role requires an event handler or advisor threshold edit on the Production group, it must be requested from a member of the SeniorDBA role.

  • JuniorDev-Development: members have access to the Development group, only. For the most part, their permissions are read-only. They are entitled to view events, Query Analyzer data, and so on.

This implementation requires the following users:

  • DBA Teamlead: manages the DBA team and has complete access to all monitored assets. This user is a member of the SeniorDBA and GroupAdmin roles. This combination of permissions gives them complete access to all monitored assets.

  • Senior DBAs: responsible for the monitored assets. Have complete access to all monitored assets. No user management rights.

  • Junior DBAs: responsible for investigating issues. Read-only rights on all Development assets. No access to Production assets.

  • Senior Developers: responsible for deploying code to the Development group and reviewing impact on performance and functionality. No user management rights, event blackout rights, and so on. Permitted to view events on the Production group, but not to add event handlers, notification groups, and so on.

  • Junior Developers: responsible for deploying code and viewing events on the Development group. No access to the Production group.

System-Wide Role Definitions

For each of these roles, select System-Wide Permissions in the Core Monitored Assets frame.

Table 24.3 System-Wide Role Definition

Permission                                 SeniorDBA    GroupAdmin
Server Group                               Administer   None
MySQL Instances                            Administer   None
Query Analysis Aggregate Data              Administer   None
Query Analysis Example and Explain Data    Administer   None
Web Application Login                      Read-Only    None
MySQL Enterprise Monitor                   Administer   None
Advisor Configuration                      Administer   None
Event Blackout                             Administer   None
Event Handling                             Administer   None
New Group Creation                         None         Administer
Settings                                   Administer   None
Users and Roles                            None         Administer


The membership of these Roles is:

  • SeniorDBA Role: DBA Teamlead and Senior DBAs.

  • GroupAdmin: DBA Teamlead and at least one Senior DBA, for redundancy.

Development Group Roles

For each of these roles, select Group-Specific Permissions in the Core Monitored Assets frame, and select Development from the group drop-down list.

Table 24.4 Development Group Role Definition

Permission                                 SeniorDev    JuniorDev    JuniorDBA
Server Group                               Administer   Read-Only    Read-Only
MySQL Instances                            Read-Only    Read-Only    Read-Only
Query Analysis Aggregate Data              Read-Only    Read-Only    Read-Only
Query Analysis Example and Explain Data    Read-Only    Read-Only    Read-Only
Web Application Login                      Read-Only    Read-Only    Read-Only
MySQL Enterprise Monitor                   Read-Only    Read-Only    Read-Only
Advisor Configuration                      Read-Only    Read-Only    Read-Only
Event Blackout                             None         None         None
Event Handling                             Read-Only    None         Read-Only
New Group Creation                         None         None         None
Settings                                   None         None         None
Users and Roles                            None         None         None


Note

Currently, Advisor Configuration and Event Handling are global permissions: a change made through them affects every user of the MySQL Enterprise Monitor, not only the members of the group-specific role. This is why the group-specific roles above are limited to Read-Only for both, and only a senior user with System-Wide permissions should be permitted to change these settings.

Production Group Roles

For this role, select Group-Specific Permissions in the Core Monitored Assets frame, and select Production from the group drop-down list.

Table 24.5 Production Group Role Definition

Permission                                 SeniorDev
Server Group                               Read-Only
MySQL Instances                            Read-Only
Query Analysis Aggregate Data              None
Query Analysis Example and Explain Data    None
Web Application Login                      Read-Only
MySQL Enterprise Monitor                   Read-Only
Advisor Configuration                      Read-Only
Event Blackout                             None
Event Handling                             None
New Group Creation                         None
Settings                                   None
Users and Roles                            None

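The three role tables and the user list above, encoded as data and checked against the design goals of the Strict set. This is an added example for this edit, not code from MySQL Enterprise Monitor or from this manual; roles are configured in the Service Manager UI as described, and nothing here talks to it. It assumes that a user's effective permission on a group is the most permissive level granted by any of their roles whose scope covers that group (which is how the DBA Teamlead description combines SeniorDBA and GroupAdmin), that System-Wide roles also cover assets installed with no group (per the Note on agent installation), and it adds one constructed user, Lone GroupAdmin, that is not in the manual, to show why the GroupAdmin role cannot be assigned on its own.

```python
"""Policy-as-code audit of the Strict permission set (added example)."""

LEVELS = {"None": 0, "Read-Only": 1, "Administer": 2}
SYSTEM_WIDE = "*"  # scope marker for System-Wide roles (assumed to cover every group)

PERMISSIONS = (
    "Server Group", "MySQL Instances", "Query Analysis Aggregate Data",
    "Query Analysis Example and Explain Data", "Web Application Login",
    "MySQL Enterprise Monitor", "Advisor Configuration", "Event Blackout",
    "Event Handling", "New Group Creation", "Settings", "Users and Roles",
)

# Permissions that a group-specific role never receives in Tables 24.4 and 24.5.
GROUP_ROLE_DENIED = {"New Group Creation": "None", "Settings": "None", "Users and Roles": "None"}


def matrix(default, overrides):
    """Full permission row: every permission at `default` except the overrides."""
    return {p: overrides.get(p, default) for p in PERMISSIONS}


# role name -> (scope, permissions); values transcribed from Tables 24.3 to 24.5.
ROLES = {
    "SeniorDBA": (SYSTEM_WIDE, matrix("Administer", {
        "Web Application Login": "Read-Only",
        "New Group Creation": "None", "Users and Roles": "None"})),
    "GroupAdmin": (SYSTEM_WIDE, matrix("None", {
        "New Group Creation": "Administer", "Users and Roles": "Administer"})),
    "SeniorDev-Development": ("Development", matrix("Read-Only", {
        "Server Group": "Administer", "Event Blackout": "None", **GROUP_ROLE_DENIED})),
    "JuniorDev-Development": ("Development", matrix("Read-Only", {
        "Event Blackout": "None", "Event Handling": "None", **GROUP_ROLE_DENIED})),
    "JuniorDBA": ("Development", matrix("Read-Only", {
        "Event Blackout": "None", **GROUP_ROLE_DENIED})),
    "SeniorDev-Production": ("Production", matrix("Read-Only", {
        "Query Analysis Aggregate Data": "None",
        "Query Analysis Example and Explain Data": "None",
        "Event Blackout": "None", "Event Handling": "None", **GROUP_ROLE_DENIED})),
}

# user type -> roles, from the "Users, Roles and Groups" list.
USERS = {
    "DBA Teamlead": ["SeniorDBA", "GroupAdmin"],
    "Senior DBA": ["SeniorDBA"],
    "Junior DBA": ["JuniorDBA"],
    "Senior Developer": ["SeniorDev-Development", "SeniorDev-Production"],
    "Junior Developer": ["JuniorDev-Development"],
    # Constructed misconfiguration, not from the manual: GroupAdmin on its own.
    "Lone GroupAdmin": ["GroupAdmin"],
}


def effective(user, group, permission):
    """Most permissive level any of `user`'s roles grants on `group` (assumed union semantics)."""
    best = "None"
    for name in USERS[user]:
        scope, perms = ROLES[name]
        if scope in (SYSTEM_WIDE, group):
            level = perms[permission]
            if LEVELS[level] > LEVELS[best]:
                best = level
    return best


def audit():
    """Return a list of findings; an empty list means the matrices match the design."""
    findings = []
    for name, (scope, perms) in ROLES.items():
        if scope != SYSTEM_WIDE:
            # Note under Table 24.4: these act globally, so only System-Wide roles administer them.
            for p in ("Advisor Configuration", "Event Handling"):
                if perms[p] == "Administer":
                    findings.append(f"{name}: group role administers global setting {p}")
            for p in GROUP_ROLE_DENIED:
                if perms[p] != "None":
                    findings.append(f"{name}: group role grants {p}")
        if scope == "Production" and perms["Query Analysis Example and Explain Data"] != "None":
            findings.append(f"{name}: Production role exposes query example/explain data")
    for user in USERS:
        # Every user type must be able to reach the UI through at least one role.
        if all(effective(user, g, "Web Application Login") == "None" for g in ("Development", "Production")):
            findings.append(f"{user}: cannot log in to the web UI (no role grants Web Application Login)")
    return findings


if __name__ == "__main__":
    for finding in audit() or ["no findings"]:
        print(finding)
    # An asset installed with no group is invisible to group-scoped roles only.
    print("Junior Developer on ungrouped asset:", effective("Junior Developer", "(none)", "MySQL Instances"))
    print("Senior DBA on ungrouped asset:", effective("Senior DBA", "(none)", "MySQL Instances"))
```

Running the audit produces a single finding, for the constructed Lone GroupAdmin user, which is the caveat in the GroupAdmin role description. Keeping the matrices in a form like this lets a change to a role in the UI be compared against the intended design before it is applied, and the `effective` check is the quickest way to confirm that a developer account really has None on Production Query Analyzer data after a role change.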

Distributed Departments

The Strict implementation is also useful for large companies with globally distributed teams, accessing central server farms.

This implementation involves the following:

  • Company server farm with DBAs and individuals responsible for liaising with departments.

  • Departments with their own DBAs, Developers, and so on. This implementation includes the following departments, each with an identical permissions set: BlueTeam, RedTeam, GreenTeam, YellowTeam, and OrangeTeam.

  • A group must be configured for each department, containing the assets dedicated to that department. In this scenario: BlueGroup, RedGroup, GreenGroup, YellowGroup, and OrangeGroup.

Figure 24.2 Strict Permission Set Grouped

Architecture of strict permission set showing specific departments limited to viewing only the MySQL instances to which they have access.