Administration Guide > Composite Domain Administration > User Management > Built-in Users and Their Privileges
 
Built-in Users and Their Privileges
The composite domain has the following permanent users that are automatically created. These users cannot be removed:
admin—This user has privileges to access and use any resource in the system; admin can also grant and revoke privileges to other users. The admin user cannot be removed from the system. The admin user has a home folder (/users/admin).
anonymous—This user is provided for anonymous login for JDBC clients and Web service clients. By default, anonymous logins are disabled. anonymous users must be explicitly given privileges to access TDV resources.
nobody—This user cannot log in or be removed. Abandoned resources owned previously by a user that no longer exists in the system are given to nobody.
system—This user cannot be removed. It owns items that even the users with administrative privileges cannot modify. The SYSTEM account is used to control TDV communication with the repository. The SYSTEM account cannot be used to login to a TDV instance.
Monitor—This user is for TDV to communicate with the monitor.
The all group includes all composite users and all dynamic users, but not the user named nobody. All members of this group have READ privileges for all folders created with the installation, but not newly created folders and resources. Privileges must be assigned by the creator or owner of the resource, or by an administrator or user explicitly given the GRANT right on that object.
All semi-editable folders (for example, /shared, /services/databases, /services/Webservices) have no privileges, but they are editable.
All precreated tables and procedures have SELECT and EXECUTE privileges for the all groups in the composite and dynamic domains, and the anonymous user in the composite domain. For example:
/services/databases/system
/services/webservices/system
/lib
 
By default, anonymous users cannot invoke any Web services. To make Web services available to anonymous users, grant the READ privilege to /services/webservices, and grant the READ privilege to the data service, service, and port that you want the anonymous user to be able to access and use. The global option anonymousOptionsRequest controls whether to allow an HTTP anonymous login request even if the server configuration for anonymous login is disabled.
Anonymous users cannot connect to the server using JDBC, because no TDV data service of the type database is automatically available. To enable them to connect, grant READ privileges to services/databases, the data service, and any catalogs or schemas that you want to make available.
Resources in the Data Services area point to resources in the work area. To access a resource in the Data Services area, the anonymous user needs permission to read all the folders above that item, and have appropriate permission on the item to which the resource points.
To expose a resource to Web services or JDBC clients, grant the READ privilege to all the folders above the resource, and the appropriate permission to the resource itself. If the resource uses other resources, repeat the process with those resources as well.
This is similar to what you would do for any other user, except that for those folders that have the READ privilege by default for the all group, you might need to override privileges on those folders.
The anonymous user is denied access to the /users folder; admin cannot change this. All published resources you want anonymous to be able to use must reside in the /shared folder.