Users (and Service Accounts) are provisioned within the strongDM Admin UI.
Roles represent a collection of permissions, and typically correspond to teams, Active Directory OUs, use cases, or any other organizational scheme.
Datasource and Server privileges are granted to Roles.
All User access privileges are inherited via Roles, with two exceptions:
- Temporary Access
- No Role
Occasionally it may be necessary to grant Temporary (or "time-boxed") access. These grants are made at the User level rather than the Role level.
Example: Alice needs 30 minutes of read-only access to the production Redis replica to diagnose a customer issue. Bob grants her temporary access, which closes any active connections automatically the moment the grant expires. Alternatively, Bob may revoke that access manually before the 30 minutes expire.
Users may also reside within the No Role section. In this area, access is granted to a User individually. Temporary Access works the same for Users within the No Role section as for those within a specific Role.
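The access rules above (Role inheritance, individual grants for No Role Users, and time-boxed grants that close connections on expiry or manual revoke) can be modelled as follows. This is an added illustrative sketch, not strongDM code or its API; all class, function and resource names are hypothetical, and the sketch assumes a connection stays open only while some grant still covers it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class TempGrant:
    user: str
    resource: str
    expires_at: datetime
    revoked: bool = False  # set by a manual revoke before expiry

    def active(self, now):
        return not self.revoked and now < self.expires_at

@dataclass
class AccessModel:
    role_resources: dict                            # role -> resources granted to the Role
    user_role: dict                                 # user -> role, or None for "No Role"
    direct: dict = field(default_factory=dict)      # No Role users: user -> resources
    temp: list = field(default_factory=list)        # user-level temporary grants
    connections: set = field(default_factory=set)   # open (user, resource) pairs

    def allowed(self, user, now):
        role = self.user_role.get(user)
        base = self.role_resources.get(role, ()) if role else self.direct.get(user, ())
        return set(base) | {g.resource for g in self.temp
                            if g.user == user and g.active(now)}

    def connect(self, user, resource, now):
        if resource not in self.allowed(user, now):
            return False
        self.connections.add((user, resource))
        return True

    def sweep(self, now):
        # Assumption of this sketch: close every connection no grant covers any more.
        stale = {(u, r) for (u, r) in self.connections if r not in self.allowed(u, now)}
        self.connections -= stale
        return stale

def alice_scenario():
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed sample time
    m = AccessModel(role_resources={"support": {"staging-db"}},
                    user_role={"alice": "support"})
    m.temp.append(TempGrant("alice", "prod-redis-replica", t0 + timedelta(minutes=30)))
    opened = m.connect("alice", "prod-redis-replica", t0 + timedelta(minutes=5))
    before_expiry = m.sweep(t0 + timedelta(minutes=29))
    at_expiry = m.sweep(t0 + timedelta(minutes=30))
    return opened, before_expiry, at_expiry
```
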