Access Management

This section describes how to manage access in your Exasol SaaS environment.

Authentication and authorization

Authentication ensures that only users with adequate credentials can access the web console and databases in Exasol SaaS. Users log in to the web console using an organization account and a user account, authenticating with a username and password.

Authorization ensures that an authenticated user can access only the databases to which they are granted access, and controls which operations they can perform on those databases. Exasol SaaS uses role based access control to manage authorization and access.

Organization account

A SaaS organization account represents a company or other type of organization. It contains one or more databases and has one or more users who can use these databases. When you sign up for Exasol SaaS, an organization account representing your organization is created for you, along with a user account. Each organization account has an account ID. You will need this account ID when you sign up and log in to Exasol SaaS.

User account

When you sign up for Exasol SaaS or are invited to access an Exasol SaaS database, an Exasol user account is created for you. This account includes your email address and first and last name. You need your user account credentials together with the organization account ID to log in to the web console and to access databases. A user can be a member of multiple SaaS organization accounts.

Role based access control

The level of access that a user has in the web console and the tasks they can perform is determined by their assigned role. There are two roles in Exasol SaaS, Member and Owner.

Member
The member role has limited permissions in the web console. A user with a member role can view and use the databases they are granted access to, but they cannot manage databases or perform database operations such as adding, stopping, or starting databases or clusters.
Owner
The owner role has full permissions in the web console. A user with an owner role can manage users, add users, perform database and cluster operations, and view and manage billing and security settings.

View account ID and role

To view information about your account and role, open the user profile menu in the web console. From the profile menu you can also generate a Personal Access Token that you can use to connect other tools to the database.

To view a list of the users who have access to this account and to the databases, see Manage Users.

Database access management

Exasol SaaS uses the OpenID Connect protocol (OIDC) to authenticate database users. This enables single sign-on (SSO) and avoids the need for repetitive requests for user credentials when performing database operations in the web console.

When you create a database, you are automatically added as a database user using OIDC authentication and granted the DBA role. You can then use the web console to invite new users and to grant database access to both new and existing users.

Privileges and roles within the database are managed using SQL statements. Exasol SaaS automatically creates a database user for each new user, using OIDC as the authentication method. The new database user is granted the CREATE SESSION privilege.

To grant system or object privileges in the database, you must connect to the database using a Worksheet or a SQL client. When you invite a user, Exasol SaaS automatically creates a new Worksheet with example privileges that you can grant to the user.
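The following statements are an added example, not taken from the Exasol documentation or from the Worksheet that Exasol SaaS generates. They show one least-privilege way to extend a user who holds only CREATE SESSION, followed by queries for reviewing what has been granted. The role ANALYST_RO, the schema SALES and the user REPORT_USER are hypothetical names; substitute the name of the database user that Exasol SaaS created for the invited user.

```sql
-- Added example. ANALYST_RO, SALES and REPORT_USER are hypothetical names.
-- Run in a Worksheet or SQL client as a user who holds the DBA role.

-- 1. Bundle read-only access in a role rather than granting it to
--    individual users, so access can be reviewed and revoked in one place.
CREATE ROLE analyst_ro;
GRANT SELECT ON SCHEMA sales TO analyst_ro;

-- 2. Assign the role to the invited user. Until this point the user
--    holds only CREATE SESSION and cannot read any data.
GRANT analyst_ro TO report_user;

-- 3. Review: which users or roles hold the DBA role, and whether they
--    can pass it on (ADMIN_OPTION).
SELECT grantee, granted_role, admin_option
FROM exa_dba_role_privs
WHERE granted_role = 'DBA'
ORDER BY grantee;

-- 4. Review: system privileges beyond CREATE SESSION that were granted
--    to anyone other than the DBA role itself.
SELECT grantee, privilege, admin_option
FROM exa_dba_sys_privs
WHERE privilege <> 'CREATE SESSION'
  AND grantee <> 'DBA'
ORDER BY grantee, privilege;

-- 5. Review: object privileges that the new role carries.
SELECT grantee, privilege, object_type, object_name
FROM exa_dba_obj_privs
WHERE grantee = 'ANALYST_RO'
ORDER BY object_name, privilege;

-- 6. Remove access when it is no longer needed.
REVOKE analyst_ro FROM report_user;
```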

To learn more about database privileges, see Privileges.