If I want an IT user to be able to check Stardog's status, perform backups and start/stop the server (for hardware/VM maintenance), but nothing else.
What action permissions do I give to that user? It seems that I would have to give the user "execute" privileges but these exceed what I want the person to do. For example, they could create/delete dbs and other users.
Maybe this is too fine-grained a distinction, but is this something that I can define?
In order to backup a database, the user/role would require [READ, DATABASE, "db"] permission and [EXECUTE, ADMIN, "db"]. The latter would also let them online/offline, optimize, etc. the database. [EXECUTE, DBMS_ADMIN, "shutdown"] would allow the user to shut down the server.
We are looking into changing the requirement for backup from READ, DATABASE to EXECUTE, ADMIN exclusively, but that has yet to happen.
Realistically this role would only need [EXECUTE, ADMIN, *] and [EXECUTE, DBMS_ADMIN, "shutdown"] to perform the functions you want (and the READ access, for now). This would not let them create/drop databases, users, or roles; those are separate CREATE and DELETE permissions.
NOTE: Stardog Studio (as of v1.29.1) does not include the DBMS_ADMIN resource, so you would need to set it via the CLI (stardog-admin role grant -n myRole -a execute -o dbms-admin:shutdown)