Database Ownership in Enterprise Environment

Baserow Help
,
#1

Hi. We are about to install the Enterprise edition and use SSO and create a shared database. What is the best practice to ensure transferability of the admin/ownership of a well-established database in the event the admin is suddenly promoted to heaven or otherwise disappears?

IT might have a permanent fake system SSO profile that could be used (I know we have them for RPA), but I’d rather not go down that path. Is it easy for the Baserow admin to simply change ownership of a database at a later point (I haven’t seen the admin dashboard)?

PS, your list of “optional tags” is really lacking … no SSO … no Enterprise … etc.

#2

Hello @deet, when self-hosting, there is a status higher than an admin on an individual workspace: the “staff/super admin” member of the entire self-hosted server. Any staff member can change the password of any other staff member. Therefore, if you have access to a super admin of the entire server, you can change the password of other admins to gain access.

Moreover, if you have technical access to the Baserow server, you can issue technical command-line commands to create a new super admin, change passwords, etc.

This page explains how to make another user a staff user in a self-hosted instance: Admin panel - Users // Baserow.

What is the best practice to ensure transferability of the admin/ownership of a well-established database in the event the admin is suddenly promoted to heaven or otherwise disappears?

I’ll check this question with my colleagues and will get back to you.

PS, your list of “optional tags” is really lacking … no SSO … no Enterprise … etc.

Thanks for pointing this out, I’ll add the missing tags.

#3

Baserow will not be able to change an SSO password.

#4

Hi @deet ,

There is no concept of ownership in Baserow, and so nothing to transfer as long as another admin has access to a particular database.

Any staff member of the instance can also impersonate any non-staff member, so if you have access to a staff member account still you can at any time recover access to any database using this impersonation. FYI the first user to sign up in a brand new Baserow self hosted installation is made the first staff member automatically.

Finally, anyone with technical access to the Baserow installation and who is able to run commands or access the postgres database directly can make any user a staff member to regain access if you do not have a staff member left. For example if you are deploying Baserow using our default docker-compose.yml the following command can be run to make an existing user with a particular email address a staff member:

echo "UPDATE auth_user SET is_staff = '1' WHERE email = 'builder@baserow.io';" | docker exec -i baserow-backend-1 /baserow/backend/docker/docker-entrypoint.sh manage dbshell

Please note this command/method will vary depending on your Baserow installation method.