Access Control in Oxla

Oxla supports basic RBAC features (role-based access control) like roles, privileges or ownership. The way they work is similar to those currently available on the market, in popular database solutions.

Enabling Access Control

Access Control is enabled by default on new Oxla installations but might be disabled in config on demand. For information on how to set desired access control level please check our Oxla Configuration File doc.

To preserve backward compatibility on old Oxla versions, with non-empty Oxla Home instances, one must explicitly set access control flag to ON, otherwise it will be disabled

Default Superuser

Currently, we only support a single superuser, which is also a default user pre-created in Oxla. Username and password credentials for that user are both set to oxla.

On Oxla’s first start, non-default password for default superuser can be provided in the config via access_control.initial_password parameter. Once set, parameter can be deleted from the config.

We highly recommend changing the password for security purposes!

Important Notes & Limitations

  • There’s only one superuser (their default password can be changed by themselves)
  • Only superuser has SELECT privilege on internal system tables
  • Privileges to internal system tables cannot be granted or revoked
  • Only superuser and database owners can create new schemas
  • Only superuser can create new roles
  • Every role is granted CONNECT privilege to a default database at the moment of creation (can be revoked)
  • Concept known as role membership isn’t available in Oxla, thus there’s no privilege inheritance
Once access control is enabled and Oxla Home isn’t empty, it cannot be disabled. Running Oxla with access control flag in OXLA_HOME set to OFF, where it was previously enabled, will result in Oxla entering a degraded state.