Access Control
Organization
An Organization is the unit of tenant isolation in DeltaStream. All objects (Databases, Stores, Queries, etc) are set up under the Organization.
User
A user represents an authenticated identity within DeltaStream. A user may be a member of multiple Organizations. A user holds one or more Roles within each Organization.
Object
Objects are entities within DeltaStream which can be protected with access controls. Unless explicitly granted privileges, access is denied. Each object resides within a hierarchy, with the Organization being the root. Organizations contain Stores, Schema Registries, Descriptors, Databases, Function Sources, and Queries. Databases contain Schemas, which in turn contain Relations.
Every Object has a single owner, which is the Role used when creating the object. The owner role has all Privileges on the object and can grant or revoke privileges to other Roles. Ownership can be transferred to another Role.
Privilege
In DeltaStream, privileges determine which role can access and perform operations on a given object. Every object has a set of privileges that can be granted on it. Privileges are managed using the GRANT and REVOKE commands.
Use of these commands is restricted to the role that owns an object (i.e., the role has the OWNERSHIP
privilege on the object) or any roles that have the MANAGE_GRANTS
global privilege for the object (only the SECURITYADMIN
role by default).
Note that a role that holds the global MANAGE_GRANTS
privilege can grant additional privileges to the current (grantor) role.
Available privileges
Privilege | Applicable object | Description |
---|---|---|
| Allows databases to be created | |
| Allows stores to be created | |
| Allows schema registries to be created | |
| Allows descriptor sources to be created | |
| Allows function sources to be created | |
| Allows functions to be created | |
| Allows queries to be run | |
| Allows management of users and roles | |
| Allows management of privileges | |
| Allows viewing and basic usage of the object. Additional privileges may be required to some actions | |
| For databases, allows new schemas to be created with in the database. For schemas, allows defining new relations within the schema. | |
| Allows select queries to use to the relation | |
| Allows queries to inserting data into the relation |
Role
A role is an entity to which privileges can be granted. Roles are assigned to Users in order to allow them to perform actions against an Object. A user can be assigned multiple roles. This allows the user to switch roles in order to perform actions with a different set of privileges.
There are a set of built-in roles under every Organization. Built-in roles cannot be dropped and the Privileges assigned to these roles cannot be revoked.
Roles can be also granted to other roles. This creates a hierarchy of roles where the privileges associated with a role are inherited by any roles above that role in the hierarchy.
Built-in roles
The following are the built in roles in DeltaStream that are available to use without creating them.
ORGADMIN — Root of the the role hierarchy. This role manages operations at the organization level.
SYSADMIN — Role that has privileges to create, manage, and drop objects.
USERADMIN — Role that has privileges to manage users and roles within the Organization.
SECURITYADMIN — Role that manages any object grants globally. This role inherits privileges from the USERADMIN role.
PUBLIC — A pseudo role that is granted to all roles within the Organization. This role can be granted privileges on objects that will be inherited by all other roles.
Custom roles
Custom roles can be created using the USERADMIN
(or a higher) role as well as by any role to which the MANAGE_MEMBERS
privilege has been granted.
When a new role is created it is not assigned to any user, nor granted to any other role. For the roles that will be owners of objects, DeltaStream recommends to use a custom role hierarchy where the top-most custom role in the hierarchy is assigned to the system role SYSADMIN. With this strategy, system administrators can manage all the objects in the organization, while restricting management of users and roles to the USERADMIN
role.
On the other hand, not assigning SYSADMIN
through a role hierarchy to a custom role, prevents the system administrator from managing the objects owned by the custom role. This results in limiting the roles that can view the objects and modify their access grants to those roles that have been granted the MANAGE_GRANTS
privilege (only the SECURITYADMIN
role by default).
For instructions to create custom roles, see CREATE ROLE.
Best Practices
DeltaStream recommends the following best practices for access control:
Reserve the
ORGADMIN
role for administrative tasks only. It must not be used for day-to-day access.Ideally, administrators should have 2 separate logins, one with the
ORGADMIN
role for administrative tasks and a separate role for day-to-day access.ORGADMIN
must not own any objects and it must never be granted to any other roles.SECURITYADMIN
is also a very powerful role with theMANAGE_GRANTS
privilege and must only be used in limited cases.USERADMIN
should be the default role for managing users and role grants. This role should normally be the owner of all other custom roles.SYSADMIN
should be the default role for managing objects and should always be the eventual owner of all other objects. You can grant the custom roles toSYSADMIN
but must never grant ownership of other roles. This maintains the separation of responsibility betweenSYSADMIN
andUSERADMIN
.When building custom role hierarchy, define functional roles and access roles. Privileges on objects can be granted to access roles and access roles can be granted to functional roles.
Use SCIM based automation to manage grants of functional roles to users.
Last updated