In scenarios, where Active Directory authentication is activated, there is no out-of-the-box DV connect role available. Additionally, we would like a developer to have access to all things they create, without an admin having to grant them permissions. In a development/test/(acceptance/)production CI/CD scenario, a different role/person will be in charge to implement the changes on a 'higher' instance.
In our example we will first allow the developer role everything, but reduce the permissions later on.
In detail, we prevent the developers from creating/adding/removing data sources and users. We also prevent them from setting permissions for themselves.
The developer-role must exist (coming from AD/LDAP) and be assigned to developers.
EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => '*', "permissions" => 'CRUDEAL', "condition" => NULL, "isConstraint" => true, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.createDataSource', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.createConnection', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.addRole', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.addUser', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.addUserRole', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.deleteRole', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.deleteUser', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.deleteUserRole', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.dropConnection', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.dropDatasource', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.execExternalProcess', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.executeCli', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.importConnection', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.importDataSource', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.importUser', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.removeConnection', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.removeDataSource', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;EXEC SYSADMIN.setPermissions("role_name" => 'developer-role', "resourceName" => 'SYSADMIN.setPermissions', "permissions" => '', "condition" => NULL, "isConstraint" => false, "mask" => NULL, "maskOrder" => NULL) ;
We do not need to replicate the standard connect-role, as granting all permissions in the beginning also includes all connect-role permissions, listed for your reference in the screenshot below.