Data entitlements - BETA
Data entitlements ensure that the data within a deployed database is accessible exclusively to entitled users.
qsql limitations
qsql requests, made either through the Q tab (query-environment DAPs) in the UI or over REST to /qsql (query-environment and prod DAPs), do not work with entitlements. The qsql API bypasses entitlements entirely and enables access to data from any DAP in any assembly regardless of entitlements. Therefore, if using entitlements, disable qsql by following the instructions below:
- Query-environment DAPs: Disable query environments entirely by setting spec.queryEnvironment.enabled to false in the assembly file (refer to Query environment).
- Prod DAPs: By default, qsql is disabled on prod DAPs. Don't enable it via the KXI_ALLOWED_SBX_APIS environment variable (refer to Environment variables). To disable qsql but enable SQL, set the KXI_ALLOWED_SBX_APIS environment variable to .kxi.sql.
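The two settings above can be audited before entitlements are relied on. The following is an added example, not code from the kdb Insights Enterprise documentation. It assumes the assembly file has already been parsed into a dict and that each prod DAP's environment variables are available as a mapping; the function name, DAP names and sample values are constructed.

```python
# Added example: audit for the qsql entitlement bypass described above.
# Assumptions: `assembly` is the assembly file parsed into a dict, and
# `dap_env` maps each prod DAP name to its environment variables.

def qsql_findings(assembly, dap_env, entitlements_enabled=True):
    """Return a list of findings; an empty list means no qsql exposure found."""
    findings = []
    if not entitlements_enabled:
        return findings  # the qsql restriction only matters with entitlements on

    # Query-environment DAPs: spec.queryEnvironment.enabled must be false.
    # The page does not state the default, so a missing key or a non-boolean
    # value (for example the string "false") is reported as well.
    qe = (assembly.get("spec") or {}).get("queryEnvironment") or {}
    enabled = qe.get("enabled")
    if enabled is not False:
        findings.append(
            "spec.queryEnvironment.enabled is %r, not an explicit false" % (enabled,))

    # Prod DAPs: qsql is disabled by default, so an unset variable is fine.
    for dap, env in sorted(dap_env.items()):
        allowed = str(env.get("KXI_ALLOWED_SBX_APIS") or "")
        # Assumption: any entry that enables qsql contains the text "qsql".
        # The documented SQL-only value ".kxi.sql" does not match.
        if "qsql" in allowed.lower():
            findings.append(
                "%s: KXI_ALLOWED_SBX_APIS=%r enables qsql" % (dap, allowed))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_ASSEMBLY = {"spec": {"queryEnvironment": {"enabled": True}}}
SAMPLE_ENV = {
    "dap-hdb": {"KXI_ALLOWED_SBX_APIS": ".kxi.sql"},  # SQL only
    # Hypothetical value: the entry name and separator are assumed.
    "dap-rdb": {"KXI_ALLOWED_SBX_APIS": ".kxi.sql,.kxi.qsql"},
    "dap-idb": {},  # variable unset
}

if __name__ == "__main__":
    for line in qsql_findings(SAMPLE_ASSEMBLY, SAMPLE_ENV):
        print("FINDING:", line)
```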
kdb Insights Enterprise controls querying of data in databases using a combination of:
- Role based permissions - this determines which users can create databases and ingest, analyze, and view data. For details on the available roles, refer to Roles.
- Data entitlements - if enabled, this determines which groups of users are entitled to query specific databases.
Users are entitled to query a database if they are any of the following:
- A member of a group that is entitled to query the database
- An entity owner, which is a user who created the database
References to users and databases
When users are referenced on this page, these can be either standard users or service accounts. For more information, refer to Authentication.
When databases are referenced on this page, this refers to databases deployed as part of a package using the kdb Insights CLI, databases created from the kdb Insights Enterprise UI and assemblies deployed via the kdb Insights CLI.
When data entitlements are enabled, the following examples illustrate the outcomes for users with and without entitlements when querying data in kdb Insights Enterprise, assuming they have at least the Viewer (insights.role.viewer) role assigned to them:
- If a query spans one or more databases for which the user is entitled, they receive data from all the databases they are entitled to.
- If a query scope selects a database for which the user is not entitled, they get a permission error.
- If a query spans multiple databases, they only receive data from the databases for which they are entitled.
Data entitlements do not use multiple permission levels. Users that are entitled to query a database can do so, and non-entitled users can't.
Using data entitlements
After you complete the prerequisites, you can begin providing entitlements to user groups. To do this, you can either follow the quickstart guide or use the configuration details.