Access Control

Organization

An Organization is the unit of tenant isolation in DeltaStream. All objects (Databases, Stores, Queries, etc) are set up under the Organization.

User

A user represents an authenticated identity within DeltaStream. A user may be a member of multiple Organizations. A user holds one or more Roles within each Organization.

Object

Objects are entities within DeltaStream which can be protected with access controls. Unless explicitly granted privileges, access is denied. Each object resides within a hierarchy, with the Organization being the root. Organizations contain Stores, Schema Registries, Descriptors, Databases, Function Sources, and Queries. Databases contain Schemas, which in turn contain Relations.

Every Object has a single owner, which is the Role used when creating the object. The owner role has all Privileges on the object and can grant or revoke privileges to other Roles. Ownership can be transferred to another Role.

Privilege

In DeltaStream, privileges determine which role can access and perform operations on a given object. Every object has a set of privileges that can be granted on it. Privileges are managed using the GRANT and REVOKE commands.

Use of these commands is restricted to the role that owns an object (i.e., the role has the OWNERSHIP privilege on the object) or any roles that have the MANAGE_GRANTS global privilege for the object (only the SECURITYADMIN role by default).

Note that a role that holds the global MANAGE_GRANTS privilege can grant additional privileges to the current (grantor) role.

Available privileges

PrivilegeApplicable objectDescription

CREATE_DATABASE

Allows databases to be created

CREATE_STORE

Allows stores to be created

CREATE_SCHEMA_REGISTRY

Allows schema registries to be created

CREATE_DESCRIPTOR_SOURCE

Allows descriptor sources to be created

CREATE_FUNCTION_SOURCE

Allows function sources to be created

CREATE_FUNCTION

Allows functions to be created

CREATE_QUERY

Allows queries to be run

MANAGE_MEMBERS

Allows management of users and roles

MANAGE_GRANTS

Allows management of privileges

USAGE

Allows viewing and basic usage of the object. Additional privileges may be required to some actions

CREATE

For databases, allows new schemas to be created with in the database. For schemas, allows defining new relations within the schema.

SELECT

Allows select queries to use to the relation

INSERT

Allows queries to inserting data into the relation

Role

A role is an entity to which privileges can be granted. Roles are assigned to Users in order to allow them to perform actions against an Object. A user can be assigned multiple roles. This allows the user to switch roles in order to perform actions with a different set of privileges.

There are a set of built-in roles under every Organization. Built-in roles cannot be dropped and the Privileges assigned to these roles cannot be revoked.

Roles can be also granted to other roles. This creates a hierarchy of roles where the privileges associated with a role are inherited by any roles above that role in the hierarchy.

Built-in roles

The following are the built in roles in DeltaStream that are available to use without creating them.

  • ORGADMIN — Root of the the role hierarchy. This role manages operations at the organization level.

  • SYSADMIN — Role that has privileges to create, manage, and drop objects.

  • USERADMIN — Role that has privileges to manage users and roles within the Organization.

  • SECURITYADMIN — Role that manages any object grants globally. This role inherits privileges from the USERADMIN role.

  • PUBLIC — A pseudo role that is granted to all roles within the Organization. This role can be granted privileges on objects that will be inherited by all other roles.

Custom roles

Custom roles can be created using the USERADMIN (or a higher) role as well as by any role to which the MANAGE_MEMBERS privilege has been granted.

When a new role is created it is not assigned to any user, nor granted to any other role. For the roles that will be owners of objects, DeltaStream recommends to use a custom role hierarchy where the top-most custom role in the hierarchy is assigned to the system role SYSADMIN. With this strategy, system administrators can manage all the objects in the organization, while restricting management of users and roles to the USERADMIN role.

On the other hand, not assigning SYSADMIN through a role hierarchy to a custom role, prevents the system administrator from managing the objects owned by the custom role. This results in limiting the roles that can view the objects and modify their access grants to those roles that have been granted the MANAGE_GRANTS privilege (only the SECURITYADMIN role by default).

For instructions to create custom roles, see CREATE ROLE.

Best Practices

DeltaStream recommends the following best practices for access control:

  • Reserve the ORGADMIN role for administrative tasks only. It must not be used for day-to-day access.

  • Ideally, administrators should have 2 separate logins, one with the ORGADMIN role for administrative tasks and a separate role for day-to-day access.

  • ORGADMIN must not own any objects and it must never be granted to any other roles.

  • SECURITYADMIN is also a very powerful role with the MANAGE_GRANTS privilege and must only be used in limited cases.

  • USERADMIN should be the default role for managing users and role grants. This role should normally be the owner of all other custom roles.

  • SYSADMIN should be the default role for managing objects and should always be the eventual owner of all other objects. You can grant the custom roles to SYSADMIN but must never grant ownership of other roles. This maintains the separation of responsibility between SYSADMIN and USERADMIN.

  • When building custom role hierarchy, define functional roles and access roles. Privileges on objects can be granted to access roles and access roles can be granted to functional roles.

  • Use SCIM based automation to manage grants of functional roles to users.

Last updated