Comment on page
Access Control
An Organization is the unit of tenant isolation in DeltaStream. All objects (Databases, Stores, Queries, etc) are set up under the Organization.
A user represents an authenticated identity within DeltaStream. A user may be a member of multiple Organizations. A user holds one or more roles within each Organization.
Objects are entities within DeltaStream which can be protected with access controls. Unless explicitly granted privileges, access is denied. Each object resides within a hierarchy, with the Organization being the root. Organizations contain Stores, Schema Registries, Descriptors, Databases, Function Sources, and Queries. Databases contain Schemas, which in turn contain Relations.
Securable object container hierarchy
Every Object has a single owner, which is the Role used when creating the object. The owner role has all Privileges on the object and can grant or revoke privileges to other Roles. Ownership can be transferred to another Role.
Use of these commands is restricted to the role that owns an object (i.e., the role has the OWNERSHIP privilege on the object) or any roles that have the MANAGE_GRANTS global privilege for the object (only the SECURITYADMIN role by default).
Note that a role that holds the global MANAGE_GRANTS privilege can grant additional privileges to the current (grantor) role.
Privilege | Applicable object | Description |
|---|---|---|
CREATE_DATABASE | Allows databases to be created | |
CREATE_STORE | Allows stores to be created | |
CREATE_SCHEMA_REGISTRY | Allows schema registries to be created | |
CREATE_DESCRIPTOR_SOURCE | Allows descriptor sources to be created | |
CREATE_FUNCTION_SOURCE | Allows function sources to be created | |
CREATE_FUNCTION | Allows functions to be created | |
CREATE_QUERY | Allows queries to be run | |
MANAGE_MEMBERS | Allows management of users and roles | |
MANAGE_GRANTS | Allows management of privileges | |
USAGE | Allows viewing and basic usage of the object. Additional privileges may be required to some actions | |
CREATE | For databases, allows new schemas to be created with in the database.
For schemas, allows defining new relations within the schema. | |
SELECT | Allows select queries to use to the relation | |
INSERT | Allows queries to inserting data into the relation |
There are a set of built-in roles under every Organization. Built-in roles cannot be dropped and the Privileges assigned to these roles cannot be revoked.
Roles can be also granted to other roles. This creates a hierarchy of roles where the privileges associated with a role are inherited by any roles above that role in the hierarchy.
Role hierarchy
The following are the built in roles in DeltaStream that are available to use without creating them.
- ORGADMIN — Root of the the role hierarchy. This role manages operations at the organization level.
- SYSADMIN — Role that has privileges to create, manage, and drop objects.
- USERADMIN — Role that has privileges to manage users and roles within the Organization.
- SECURITYADMIN — Role that manages any object grants globally. This role inherits privileges from the USERADMIN role.
- PUBLIC — A pseudo role that is granted to all roles within the Organization. This role can be granted privileges on objects that will be inherited by all other roles.
Custom roles can be created using the USERADMIN (or a higher) role as well as by any role to which the MANAGE_MEMBERS privilege has been granted.
When a new role is created it is not assigned to any user, nor granted to any other role. For the roles that will be owners of objects, DeltaStream recommends to use a custom role hierarchy where the top-most custom role in the hierarchy is assigned to the system role SYSADMIN. With this strategy, system administrators can manage all the objects in the organization, while restricting management of users and roles to the USERADMIN role.
On the other hand, not assigning SYSADMIN through a role hierarchy to a custom role, prevents the system administrator from managing the objects owned by the custom role. This results in limiting the roles that can view the objects and modify their access grants to those roles that have been granted the MANAGE GRANTS privilege (only the SECURITYADMIN role by default).
DeltaStream recommends the following best practices for access control:
- Reserve the ORGADMIN role for administrative tasks only. It must not be used for day-to-day access.
- Ideally, administrators should have 2 separate logins, one with the ORGADMIN role for administrative tasks and a separate role for day-to-day access.
- ORGADMIN must not own any objects and it must never be granted to any other roles.
- SECURITYADMIN is also a very powerful role with the MANAGE_GRANTS privilege and must only be used in limited cases.
- USERADMIN should be the default role for managing users and role grants. This role should normally be the owner of all other custom roles.
- SYSADMIN should be the default role for managing objects and should always be the eventual owner of all other objects. You can grant the custom roles to SYSADMIN but must never grant ownership of other roles. This maintains the separation of responsibility between SYSADMIN and USERADMIN.
- When building custom role hierarchy, define functional roles and access roles. Privileges on objects can be granted to access roles and access roles can be granted to functional roles.
Last modified 1mo ago