Role Based Access Control (RBAC) & Auditing

RBAC (Role Based Access Control) allows you to control access to SQDR configuration and operation.  It also has the ability to log some or all operations for auditing purposes.  Enabling RBAC or logging is optional.

Even without using RBAC, you can control access with the Windows Firewall by restricting which remote computers can reach the gRPC ports used by SQDR (defaults 7737 and 7738). You can also use the SQDR Service Properties application to restrict SQDR to listen only on certain network interfaces. For example, defining the listener settings grpcADDRPORT and grpcTransADDRPORT to use 127.0.0.1 rather than 0.0.0.0 allows connections only from the local machine.
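The following PowerShell sketch is an added example, not part of the SQDR documentation or product. It reports which interfaces the two default gRPC ports are bound to, flags existing inbound allow rules that would defeat a restriction, and adds a scoped allow rule. The workstation addresses and the rule name are assumptions made for illustration, and the script must be run from an elevated session.

```powershell
# Added example. The addresses and rule name below are constructed placeholders.
$Ports        = 7737, 7738                            # SQDR gRPC defaults named above
$AllowedHosts = '192.0.2.10', '192.0.2.11'            # assumed administrator workstations
$RuleName     = 'SQDR gRPC - admin workstations only' # hypothetical rule name

# 1. Show where the service is listening. 0.0.0.0 means every interface;
#    127.0.0.1 means only local clients can connect.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Ports -ErrorAction SilentlyContinue
if (-not $listeners) { Write-Warning 'Nothing is listening on the SQDR gRPC ports.' }
foreach ($l in $listeners) {
    $scope = if ($l.LocalAddress -in '127.0.0.1', '::1') { 'local only' }
             else { 'reachable from the network' }
    '{0}:{1} -> {2}' -f $l.LocalAddress, $l.LocalPort, $scope
}

# 2. A scoped allow rule restricts nothing if a broader allow rule already
#    covers the same ports. This check matches rules that list the ports
#    explicitly; port ranges and program-scoped rules need a manual review.
$wanted = $Ports | ForEach-Object { [string]$_ }
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        $pf.Protocol -eq 'TCP' -and
        (@($pf.LocalPort) | Where-Object { $_ -in $wanted }) -and
        $af.RemoteAddress -contains 'Any'
    }
foreach ($r in $broad) {
    Write-Warning ("Rule '{0}' allows any remote address on an SQDR port." -f $r.DisplayName)
}

# 3. Create the scoped rule once. With the default inbound action of Block,
#    only the listed hosts can then reach the gRPC ports.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Ports -RemoteAddress $AllowedHosts -Action Allow | Out-Null
}

# 4. Confirm the scope that is actually in effect for the new rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```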

However, RBAC allows much finer control, including the ability to create users with limited functionality. For example, you may wish to create an operator who can monitor, stop and start replications and replication groups and a read-only user that can observe but not operate.  Roles are fully customizable, though many users will find the default role definitions to be sufficient.

RBAC controls access via any mechanism: the Data Replicator Manager GUI application, the SQDRPowerShell cmdlet, and the SQDR Service Properties application.

The definitions of users, passwords, groups, and roles are stored in tables in the SQDR control database (e.g. SQDRC for Db2 LUW, ControlDB for SQL Server).  These definitions are accessed using either SQDR Configuration or Data Replicator Manager.  If the service is running on Windows, those applications might be run locally or remotely; for a service running on Linux, those applications will always be run from a remote Windows system (e.g. an administrator’s workstation).

Access to the definitions using SQDR Configuration relies on database security - i.e. you need the user and password for the database, which are stored encrypted in the file sqdr.properties, so restricting access to that file is important.  You also use SQDR Configuration to enable or disable RBAC and/or logging.

Access to the definitions using Data Replicator Manager requires connecting to the service with a userID that has been defined with sufficient authorities, or using the Encryption seed (i.e. a super password) when prompted.  The default value for the Encryption seed is *DEFAULT.

The definitions are created, viewed, and modified by the following panels:

An additional panel (Methods) is accessible only in the SQDR Configuration application.  This panel defines a minimum role level required to perform a specific operation.