LogoLogo
Start Trial
  • Overview
    • What is DeltaStream?
    • Core Concepts
      • Access Control
      • Region
      • SQL
      • Store
      • Database
      • Query
      • Visualizing Data Lineage
      • Function
  • Getting Started
    • Free Trial Quick Start
    • Starting with the Web App
    • Starting with the CLI
  • Tutorials
    • Managing Users and User Roles
      • Inviting Users to an Organization
      • Administering Users in your Organization
      • Using the CLI to Manage User Roles
      • Example: Setting Up Custom Roles for Production and Stage
    • Creating Stores for Streaming Data
    • Using Multiple Stores in Queries
    • Creating Relations to Structure Raw Data
    • Namespacing with Database and Schema
    • Creating and Querying Materialized Views
    • Creating a Function
    • Securing Your Connections to Data Stores
      • Introducing DeltaStream Private Links
      • Creating an AWS Private Link from DeltaStream to your Confluent Kafka Dedicated Cluster
      • Enabling Private Link Connectivity to Confluent Enterprise Cluster and Schema Registry
      • Creating a Private Link from DeltaStream to Amazon MSK
      • Creating a Private Link for RDS Databases
      • Deleting a Private Link
    • Integrations
      • Connecting to Confluent Cloud
      • Databricks
      • PostgreSQL
      • Snowflake
      • WarpStream
    • Serialization
      • Working with ProtoBuf Serialized Data and DeltaStream Descriptors
      • Working with Avro Serialized Data and Schema Registries
      • Configuring Deserialization Error Handling
  • Reference
    • Enterprise Security Integrations
      • Okta SAML Integration
      • Okta SCIM Integration
    • Metrics
      • Prometheus Integration
      • Built-In Metrics
      • Custom Metrics in Functions
    • SQL Syntax
      • Data Formats (Serialization)
        • Serializing with JSON
        • Serializing with Primitive Data Types
        • Serializing with Protobuf
      • Data Types
      • Identifiers and Keywords
      • Command
        • ACCEPT INVITATION
        • CAN I
        • COPY DESCRIPTOR_SOURCE
        • COPY FUNCTION_SOURCE
        • DESCRIBE ENTITY
        • DESCRIBE QUERY
        • DESCRIBE QUERY METRICS
        • DESCRIBE QUERY EVENTS
        • DESCRIBE QUERY STATE
        • DESCRIBE RELATION
        • DESCRIBE RELATION COLUMNS
        • DESCRIBE ROLE
        • DESCRIBE SECURITY INTEGRATION
        • DESCRIBE <statement>
        • DESCRIBE STORE
        • DESCRIBE USER
        • GENERATE COLUMNS
        • GENERATE TEMPLATE
        • GRANT OWNERSHIP
        • GRANT PRIVILEGES
        • GRANT ROLE
        • INVITE USER
        • LIST API_TOKENS
        • LIST DATABASES
        • LIST DESCRIPTORS
        • LIST DESCRIPTOR_SOURCES
        • LIST ENTITIES
        • LIST FUNCTIONS
        • LIST FUNCTION_SOURCES
        • LIST INVITATIONS
        • LIST METRICS INTEGRATIONS
        • LIST ORGANIZATIONS
        • LIST QUERIES
        • LIST REGIONS
        • LIST RELATIONS
        • LIST ROLES
        • LIST SCHEMAS
        • LIST SCHEMA_REGISTRIES
        • LIST SECRETS
        • LIST SECURITY INTEGRATIONS
        • LIST STORES
        • LIST USERS
        • PRINT ENTITY
        • REJECT INVITATION
        • REVOKE INVITATION
        • REVOKE PRIVILEGES
        • REVOKE ROLE
        • SET DEFAULT
        • USE
      • DDL
        • ALTER API_TOKEN
        • ALTER SECURITY INTEGRATION
        • CREATE API_TOKEN
        • CREATE CHANGELOG
        • CREATE DATABASE
        • CREATE DESCRIPTOR_SOURCE
        • CREATE ENTITY
        • CREATE FUNCTION_SOURCE
        • CREATE FUNCTION
        • CREATE INDEX
        • CREATE METRICS INTEGRATION
        • CREATE ORGANIZATION
        • CREATE ROLE
        • CREATE SCHEMA_REGISTRY
        • CREATE SCHEMA
        • CREATE SECRET
        • CREATE SECURITY INTEGRATION
        • CREATE STORE
        • CREATE STREAM
        • CREATE TABLE
        • DROP API_TOKEN
        • DROP CHANGELOG
        • DROP DATABASE
        • DROP DESCRIPTOR_SOURCE
        • DROP ENTITY
        • DROP FUNCTION_SOURCE
        • DROP FUNCTION
        • DROP METRICS INTEGRATION
        • DROP RELATION
        • DROP ROLE
        • DROP SCHEMA
        • DROP SCHEMA_REGISTRY
        • DROP SECRET
        • DROP SECURITY INTEGRATION
        • DROP STORE
        • DROP STREAM
        • DROP USER
        • UPDATE ENTITY
        • UPDATE SCHEMA_REGISTRY
        • UPDATE SECRET
        • UPDATE STORE
      • Query
        • APPLICATION
        • Change Data Capture (CDC)
        • CREATE CHANGELOG AS SELECT
        • CREATE STREAM AS SELECT
        • CREATE TABLE AS SELECT
        • Function
          • Built-in Functions
          • Row Metadata Functions
        • INSERT INTO
        • Materialized View
          • CREATE MATERIALIZED VIEW AS
          • SELECT (FROM MATERIALIZED VIEW)
        • Query Name and Version
        • Resume Query
        • RESTART QUERY
        • SELECT
          • FROM
          • JOIN
          • MATCH_RECOGNIZE
          • WITH (Common Table Expression)
        • TERMINATE QUERY
      • Sandbox
        • START SANDBOX
        • DESCRIBE SANDBOX
        • STOP SANDBOX
      • Row Key Definition
    • Rest API
Powered by GitBook
On this page
  • Logging in as Admin User
  • 1. Creating Databases
  • 2. Creating Custom Roles
  • 3. Granting the Appropriate Privileges for Each Role
  • 4. Inviting Users and Assigning them Custom Roles
  • Interacting with the Organization as Prod User
  • Interacting with the Organization as Stage User
  1. Tutorials
  2. Managing Users and User Roles

Example: Setting Up Custom Roles for Production and Stage

This tutorial takes you through the steps of setting up an organization with custom roles for production (prod) and stage. By the end of the tutorial you should have:

  • 2 databases – prod_db and stage_db

  • 2 custom roles – prod_manager and stage_manager

    • prod_manager should have have full access to the prod_db database

    • stage_manager should have have full access to the stage_db database

  • 1 admin user

    • the admin user is the first user, granted the ORGADMIN role and inheriting all other admin roles

  • 2 non-admin users

    • prod user is granted prod_manager and stage_manager

    • stage user is granted only stage_manager

Logging in as Admin User

When you're the first to log into an organization, by default you log in as the sysadmin built-in role. But you have access to all of the built-in admin roles, including orgadmin.

In this example, as the admin user, you have 4 small tasks:

  • Create databases

  • Create custom roles

  • Grant the appropriate privileges for these new roles

  • Invite non-admin users and assign them these custom roles

1. Creating Databases

When you create objects in an organization, use either the sysadmin role or a role that's lower in the hierarchy. Let's switch to the sysadmin role:

USE ROLE sysadmin;

Use the CREATE DATABASE to create the prod_db and stage_db databases:

CREATE DATABASE prod_db;
CREATE DATABASE stage_db;

Now list your databases to view them:

prod_db.public/<no-store># LIST DATABASES;
    Name   | Default |  Owner   |      Created at      |      Updated at
-----------+---------+----------+----------------------+-----------------------
  stage_db |         | sysadmin | 2023-12-13T22:28:04Z | 2023-12-13T22:28:04Z
  prod_db  | ✓       | sysadmin | 2023-12-13T22:27:57Z | 2023-12-13T22:27:57Z

2. Creating Custom Roles

Switch to the useradmin role. This role is responsible for creating roles and granting roles to other members of your organization:

USE ROLE USERADMIN;

Use the CREATE ROLE to create the prod_manager and stage_manager roles:

CREATE ROLE prod_manager;
CREATE ROLE stage_manager;

When you first create these roles, they are standalone roles detached from any other roles. However, you should grant these custom roles to the sysadmin role . When you do this they become lower members of the sysadmin role's hierarchy.

Use the GRANT ROLE command to grant these custom roles to the sysadmin:

GRANT ROLE prod_manager TO ROLE sysadmin;
GRANT ROLE stage_manager TO ROLE sysadmin;

Now use LIST ROLES to view the new roles you just created:

<no-db>/<no-store># LIST ROLES;
      Name      | Current |      Created at
----------------+---------+-----------------------
  public        |         | 2023-12-13T22:16:12Z
  securityadmin |         | 2023-12-13T22:16:12Z
  useradmin     | ✓       | 2023-12-13T22:16:12Z
  prod_manager  |         | 2023-12-13T22:32:41Z
  orgadmin      |         | 2023-12-13T22:16:12Z
  sysadmin      |         | 2023-12-13T22:16:12Z
  stage_manager |         | 2023-12-13T22:32:44Z

3. Granting the Appropriate Privileges for Each Role

With the new roles in place, it's time to grant these roles the usage privilege to work with their respective databases. As the sysadmin role is the owner of these databases, you must use that role to grant the usage privilege to the custom roles.

Start by switching to the sysadmin role:

USE ROLE sysadmin;

Now use the GRANT PRIVILEGES to grant privileges to your custom roles. For this example, grant the USAGE privilege for each database to the matching role:

GRANT USAGE ON DATABASE prod_db TO ROLE prod_manager;
GRANT USAGE ON DATABASE stage_db TO ROLE stage_manager;

To see details and make sure you're on the right track, useDESCRIBE ROLE to view the new granted privileges for your prod_manager role:

<no-db>/<no-store># DESCRIBE ROLE prod_manager;
      Name     |      Created at
---------------+-----------------------
  prod_manager | 2023-12-13T22:32:41Z

Granted Roles
   Name
----------
  public

Granted Privileges
  Type  |  Target  | ID/Name | Grant option
--------+----------+---------+---------------
  Usage | Database | prod_db |

4. Inviting Users and Assigning them Custom Roles

Great -- you've set up your databases and the custom roles to use them. Now it's time to invite users and assign them to a set of roles.

Inviting users is one of the useradmin responsibilities, so let's switch to that role:

USE ROLE useradmin;

Use INVITE USER to invite new users:

INVITE USER 'prod_user@demo.org' WITH ('roles'=(prod_manager, stage_manager), 'default'=stage_manager);
INVITE USER 'stage_user@demo.org' WITH ('roles'=(stage_manager), 'default'=stage_manager);

DeltaStream uses a person's email address as their unique identifier. For example, in the above code block you're inviting prod_user@demo.org to your organization and granting the prod_manager and stage_manager roles to them. For stage_user@demo.org, you're only granting the stage_manager role.

Note The useradmincan either grant additional roles to people (via the GRANT ROLE command) or or revoke roles from people (via the REVOKE ROLEcommand).

Now gain visibility into how interacting with the organization looks from each user's perspective.

Interacting with the Organization as Prod User

As the prod user, after accepting the invitation into this organization (see ACCEPT INVITATION), you see that your current role is the stage_manager role, as the useradmin set it as the default role for the prod user. Use LIST ROLES to verify which role you're using:

<no-db>/<no-store># LIST ROLES;
      Name      | Current |      Created at       
----------------+---------+-----------------------
  public        |         | 2023-12-13T22:16:12Z  
  securityadmin |         | 2023-12-13T22:16:12Z  
  useradmin     |         | 2023-12-13T22:16:12Z  
  prod_manager  |         | 2023-12-13T22:32:41Z  
  orgadmin      |         | 2023-12-13T22:16:12Z  
  sysadmin      |         | 2023-12-13T22:16:12Z  
  stage_manager | ✓       | 2023-12-13T22:32:44Z  

If you list the databases you only see stage_db. That's because stage_db is the only database available to the stage_manager role you are assuming:

<no-db>/<no-store># LIST DATABASES;
    Name   | Default |  Owner   |      Created at      |      Updated at       
-----------+---------+----------+----------------------+-----------------------
  stage_db |         | sysadmin | 2023-12-13T22:28:04Z | 2023-12-13T22:28:04Z  

Since the prod user has access to both the stage_manager and prod_manager roles, you can switch to the prod_manager role:

USE ROLE prod_manager;

Using the prod_manager role, if you list your databases again you can see that only the prod_db database displays:

<no-db>/<no-store># list DATABASES;
   Name   | Default |  Owner   |      Created at      |      Updated at       
----------+---------+----------+----------------------+-----------------------
  prod_db |         | sysadmin | 2023-12-13T22:27:57Z | 2023-12-13T22:27:57Z  

Interacting with the Organization as Stage User

As the stage user, after you accept the invitation into this organization (see ACCEPT INVITATION), you see that your current role is the stage_manager role, as the useradmin set it as the default role for the prod user. Use LIST ROLES to verify which role you're using:

<no-db>/<no-store># LIST ROLES;
      Name      | Current |      Created at       
----------------+---------+-----------------------
  public        |         | 2023-12-13T22:16:12Z  
  securityadmin |         | 2023-12-13T22:16:12Z  
  useradmin     |         | 2023-12-13T22:16:12Z  
  prod_manager  |         | 2023-12-13T22:32:41Z  
  orgadmin      |         | 2023-12-13T22:16:12Z  
  sysadmin      |         | 2023-12-13T22:16:12Z  
  stage_manager | ✓       | 2023-12-13T22:32:44Z  

If you list the databases you only see stage_db. That's because stage_db is the only database available to the stage_manager role you're assuming:

<no-db>/<no-store># LIST DATABASES;
    Name   | Default |  Owner   |      Created at      |      Updated at       
-----------+---------+----------+----------------------+-----------------------
  stage_db |         | sysadmin | 2023-12-13T22:28:04Z | 2023-12-13T22:28:04Z  

Notably, the stage_manager doesn't have access to the prod_manager role. The system displays an error it you try to use the prod_manager role:

<no-db>/<no-store># USE ROLE prod_manager;
ERROR: role prod_manager not granted to user
PreviousUsing the CLI to Manage User RolesNextCreating Stores for Streaming Data

Last updated 5 months ago

Note At any time you can.

view the full list of privileges