CYPEX Documentation

User management

Your data must be assured a high level of protection. We put great emphasis on security and ensure that data is protected at all times. As part of that, our user management is based on a solid, well-tested user concept.

Understanding the CYPEX user concept

The first question we have to answer when talking about security is: “What is a user?” A clear answer is important for understanding the big picture.

There are three basic types of user authentication:

  • Case A: “Database user” equals “application user”
  • Case B: “Database user” is mapped to a “login user”
  • Case C: “Database user” is mapped to single sign-on users

In the first case, life is fairly simple: You can log into an application using the same name and password as your database user. For many basic applications, this is perfectly fine.

However, sometimes (Case B) you face a situation in which various “login users” should point to the same database role.

Here’s an example: jane@example.com and jack@example.com both fulfill the role of “bookkeeper”. We definitely want to separate the logins, but behind the scenes, they have the same permissions. In small companies, this is usually the default way of handling things.

To map login names to database users, configure the mapping in the CYPEX admin panel.

Case C is the most “enterprise-ready” way of handling user authentication. CYPEX can use generic modules to map CYPEX internals to external systems, which allows us to connect to systems usually used for single sign-on (LDAP, Active Directory, etc.). There are a variety of ways to connect to single sign-on systems: First of all, you can use what PostgreSQL offers onboard, which means using its authentication and the “Case A” style.

Depending on your infrastructure, various levels of complexity and customization of the authentication module might be required.

In general, it’s always advisable to strongly focus on database-side permissions. In particular, PostgreSQL Row-Level-Security has proven to be a valuable asset in real-world applications.

Changing Password

It makes sense to change passwords on a regular basis. In this section you’ll learn how to perform such a task and which features are supported by CYPEX:

Changing our own password

The first thing to look at is how to change your own password. To do that, click on the user profile icon on the right side of the panel. A small overlay will appear and a click on the “SETTINGS” button opens the “change password” form.

To change the password, type the new password into the “New Password” field.

The new password will be active instantly. However, active sessions will not be terminated unless a user proactively logs out. As long as the JWT (= JSON Web Token) is valid, users can continue working normally.

Changing passwords as admin for other users

In addition to changing your own password, superusers can also change other users’ passwords quickly and efficiently. In the “authentication” section of the CYPEX admin panel you can click on “users”. There you’ll find a list of users.

Clicking on the “pen” icon takes you to the form that allows you to change the password. Again, changing the password isn’t going to terminate existing sessions.

Please ensure that passwords are sufficiently strong. At the moment, CYPEX does not enforce password rules. The reason is that the PostgreSQL protocol is implemented in such a way that the server never sees the plain-text password. Therefore, we cannot guarantee the strength of the password on the server side.
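
Because the server only receives a derived value, a strength rule has to run where the plaintext still exists. The following is an added example, not CYPEX code: a client-side check followed by construction of a SCRAM-SHA-256 verifier in the format PostgreSQL stores, assuming the client hashes the password the way libpq's PQencryptPasswordConn does. The policy thresholds and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12  # assumed policy value for this example, not a CYPEX setting


def password_problems(password: str, login: str) -> list[str]:
    """Return the policy violations found in a plaintext password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than 3 character classes")
    local_part = login.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the login name")
    return problems


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Build the SCRAM-SHA-256 verifier that is stored instead of the password."""
    # SASLprep normalisation is omitted here; ASCII passwords are unaffected by it.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}"
            f"${_b64(stored_key)}:{_b64(server_key)}")


def prepare_password_change(login: str, new_password: str) -> str:
    """Reject weak passwords, then return only the verifier to pass onwards."""
    problems = password_problems(new_password, login)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return scram_verifier(new_password, os.urandom(16))


if __name__ == "__main__":
    # Constructed sample input: a login name from the page, made-up passwords.
    for candidate in ("jane2024", "Correct-Horse-Battery-9"):
        try:
            print(prepare_password_change("jane@example.com", candidate))
        except ValueError as err:
            print(err)
```

The verifier reveals nothing about length or character classes, which is why the check has to happen before hashing.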