Skip to content

Package entitlements - BETA

Package entitlements control the operations a user can perform in relation to a specific package.

All packages have their own set of entitlements and each user can have different entitlements for different packages.

Packages contain databases, pipelines, and views. Entitlements for a package apply to all entities inside that package.

Package entitlements include four access levels - Admin, Read, Write, Execute (ARWX):

  • Admin - No restrictions. Full access to read, write, execute, and delete the package.
  • Read - Users can view the package and download its configuration.
  • Write - Users can edit pipelines, databases, and views in this package.
  • Execute - Users can deploy and teardown this package.

If a user is granted either the Write or Execute access level, they also automatically receive Read access.

Only users with the insights.entitlements.admin role can change package entitlements for other users

When you create a package, you automatically have all entitlements on that package enabled. However, only a user with the insights.entitlements.admin role can edit the entitlements for other users for that package.

When you create and push a package, the corresponding entitlements records are created automatically if they didn't already exist.

Use package entitlements

After you complete the prerequisites, you can begin providing entitlements to user groups. To do this, either follow the quickstart guide or use the configuration details.

Create your package before creating entitlement records with the same name

If you create an entitlement record before you create a package with the same name, then after you create the package, you must use the CLI to manually edit the package to include the entitlement ID for that record in the package manifest.

This is because the entitlement record contains its own Universally Unique Identifier (UUID), which can conflict with the package's UUID. For example, creating an entitlement record named "myPackage" and then using the UI to create a package called "myPackage" leads to both having a different UUID. If this happens, kdb Insights Enterprise throws an error.

Package entitlements in the UI

When you look at the elements of a package in the UI, certain actions are only visible if you have specific entitlements:

  • The package itself is only visible in the UI if you have Read access to the package
  • The Save buttons only appear if you have Write access to the package
  • The Deploy/Teardown buttons only appear if you have Execute access to the package
  • The Delete button only appears if you have Admin access to the package

Implicit entitlements

When you use the UI to add a pipeline to a database, any user group with entitlements to access the package containing the database also receives access to the package containing the pipeline.

Execute code with entitlements

When you execute code through .kxi.packages.load, kdb Insights Enterprise checks entitlements. If the request is not made by someone with the correct entitlements on the package being loaded, the process fails.

Entitlements are applied to code loaded this way when you use the Scratchpad, an operator where you can execute UDFs, and when defining UDAs.