Access Control
Last updated
Last updated
An organization is the unit of tenant isolation in DeltaStream. All objects (databases, stores, queries, and so on) are set up under the organization.
A user represents an authenticated identity within DeltaStream. A user may be a member of multiple organizations. Within each organization, a user can hold one or more roles.
Within DeltaStream, objects are entities you can protect with access controls. Access to an object is denied by default; it must be explicitly granted privileges to a role. Each object resides within a hierarchy, with the organization as the root. Organizations contain stores, schema registries, descriptors, databases, function sources, and queries. Databases contain schemas, which in turn contain relations.
Every object is owned solely by the role used when the object was created. The owner role has all privileges on the object and can grant or revoke privileges to other roles. Object ownership can be transferred from one role to another.
In DeltaStream, privileges determine which role can access and perform operations on a given object. Every object has a set of privileges that can be granted on it. Privileges are managed using the GRANT and REVOKE commands.
Use of these commands is restricted to:
The role that owns an object (that is, the role with OWNERSHIP
privilege on the object)
Any roles that have the MANAGE_GRANTS
global privilege for the object
By default, this is SECURITYADMIN
.
Note A role that holds the global MANAGE_GRANTS
privilege can grant additional privileges to the current (grantor) role.
USAGE
Allows viewing and basic usage of the object. Additional privileges may be required for some actions
CREATE
For databases, allows new schemas to be created with in the database. For schemas, allows defining new relations within the schema.
A role is an entity to which privileges can be granted. You assign roles to users to allow them to perform actions against an object.
Users can have multiple roles. This enables them to switch roles to perform actions with a different set of privileges.
Note DeltaStream includes a set of built-in roles under every organization. Built-in roles cannot be dropped and the privileges assigned to these roles cannot be revoked.
Roles also can be granted to other roles. This creates a hierarchy of roles wherein the privileges associated with one role are inherited by any role that's higher in the hierarchy.
Here's an example: In the diagram below, the SysAdmin
role automatically inherits any privilege assigned to a custom role.
The following are built into DeltaStream and are available "out of the box:"
ORGADMIN — Root of the the role hierarchy. This role manages operations at the organization level.
SYSADMIN — Has privileges to create, manage, and drop objects.
USERADMIN — Has privileges to manage users and roles within the organization.
SECURITYADMIN — Manages any object grants globally. This role inherits privileges from the USERADMIN
role.
PUBLIC — A pseudo role granted to all roles within the organization. This role can be granted privileges on objects that are inherited by all other roles.
Custom roles can be created in two ways:
by someone with the USERADMIN
(or a higher) role
by any other role to which the MANAGE_MEMBERS
privilege has been granted.
When you create a new role it is not assigned to any user, nor granted to any other role. For roles you intend to be owners of objects, we recommend you use a custom role hierarchy wherein the top-most custom role in the hierarchy is assigned to the SYSADMIN
system role. This enables system administrators to manage all the objects in the organization, while still restricting management of users and roles to the USERADMIN
role.
If you do not assign SYSADMIN
through a role hierarchy to a custom role, the system administrator cannot manage objects owned by the custom role. This means that only roles that have been granted the MANAGE_GRANTS
privilege (the SECURITYADMIN
role by default) can view the objects and modify their access grants.
For instructions to create custom roles, see CREATE ROLE.
We recommend the following best practices for access control:
Reserve the ORGADMIN
role for administrative tasks only. It must not be used for day-to-day access.
Administrators should have 2 separate logins:
a login with the ORGADMIN
role for administrative tasks
a separate role for day-to-day access.
ORGADMIN
must not own any objects and it must never be granted to any other roles.
SECURITYADMIN
is also a very powerful role with the MANAGE_GRANTS
privilege. Only use this role in limited cases.
USERADMIN
should be the default role for managing users and role grants. This role typically is the owner of all other custom roles.
SYSADMIN
should be the default role for managing objects and should always be the eventual owner of all other objects. You can grant custom roles to SYSADMIN.
But you must never grant it ownership of other roles. This maintains the separation of responsibility between SYSADMIN
and USERADMIN
.
When you build a custom role hierarchy, define functional roles and access roles. You can grant privileges on objects to access roles, and you can grant access roles to functional roles.
Use SCIM-based automation to manage grants of functional roles to users.