
Data Entitlements - BETA

This page describes how data entitlements work and how to configure them.

Data entitlements restrict user access to data. When setting up user access, you must explicitly entitle a group of users to query a specific database.

kdb Insights Enterprise controls querying of data in databases deployed using the CLI and the web interface, using a combination of:

  • Role-based access controls - these determine which users can create databases and ingest, analyze, and view data. For details on the available roles, refer to Roles.
  • Data entitlements - if entitlements are enabled and the user has the required Role to query, these determine which groups of users can query which databases.

Limitations

  • qsql bypasses entitlements. You must disable qsql to enforce database level entitlements. Refer to the disable qsql instructions.
  • Alternatively, manage access to qsql using the Role in Keycloak so only trusted users can access all data through qsql.
  • Entitlements are applied on the query path only. Streaming data from a stream processor or over a web socket does not currently apply entitlements. Read Streaming to Views.

Once data entitlements are enabled, you have the option to additionally enable Row Level Entitlements for a specific database. When row level entitlements are enabled, access is restrictive by default. This means that only the Owner of the database and users with the insights.entitlements.admin role can query any rows in any tables in the database. To grant access to rows for end users, you must add a row policy that allows a group of users to query a specific set of rows in a table, based on a filter you specify.

When data entitlements are enabled but row level entitlements are disabled, the following examples illustrate the outcomes for users with and without entitlements when querying data in kdb Insights Enterprise. These examples assume the users have at least the Viewer (insights.role.viewer) role assigned to them:

  • If a query scope selects a database for which the user is not entitled, a permission error is displayed.
  • If a query spans multiple databases, the user only receives data from the databases for which they are entitled.

When row level entitlements are enabled, the data a user receives is a subset of the data based on the row policy associated with the group they are part of. A user does not receive any data if there are no row policies associated with the group they are part of.

Database owners and users with the insights.entitlements.admin role are entitled to query every row in a database, no matter what specific entitlements are set.

Disable qsql

The qsql API bypasses entitlements and enables access to data from any DAP in any database regardless of entitlements. Therefore, if you are using entitlements, you should disable qsql on the respective DAP:

  • Query-environment DAPs: Disable query environments by setting spec.queryEnvironment.enabled to false in the assembly file. Refer to Query environment.
  • Prod DAPs: By default, qsql is disabled on prod DAPs. Don't enable it using the KXI_ALLOWED_SBX_APIS environment variable; refer to Environment variables for details. To disable qsql but enable SQL, set the KXI_ALLOWED_SBX_APIS environment variable to .kxi.sql.
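
The following added example (not taken from the kdb Insights Enterprise documentation or code) lints a parsed assembly for the two settings above and shows a weak configuration beside a hardened one. The `.kxi.qsql` API name, the comma-delimited value format, the `name`/`value` layout of env entries, the DAP layout in the sample, and the choice to report an unset `spec.queryEnvironment.enabled` are assumptions; the sample assemblies are constructed.

```python
# Added example, not vendor code: lint a parsed assembly for qsql exposure.
# Assumed (not stated on the page): the ".kxi.qsql" API name, comma-delimited
# values, and env entries shaped as {"name": ..., "value": ...}.
ENV_NAME = "KXI_ALLOWED_SBX_APIS"
QSQL_API = ".kxi.qsql"  # assumed name of the qsql API

def _env_values(node, path="$"):
    """Yield (path, value) for every KXI_ALLOWED_SBX_APIS entry in the tree."""
    if isinstance(node, dict):
        if node.get("name") == ENV_NAME:
            yield path, str(node.get("value", ""))
        for key, child in node.items():
            yield from _env_values(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _env_values(child, f"{path}[{i}]")

def audit_assembly(assembly):
    """Return findings for settings that leave qsql reachable."""
    findings = []
    query_env = (assembly.get("spec") or {}).get("queryEnvironment") or {}
    enabled = query_env.get("enabled")
    if enabled is not False:  # unset is reported too: the default is not assumed
        state = "not set" if enabled is None else repr(enabled)
        findings.append(f"spec.queryEnvironment.enabled is {state}; set it to false")
    for path, value in _env_values(assembly):
        apis = [api.strip() for api in value.split(",")]
        if QSQL_API in apis:
            findings.append(f"{path}: {ENV_NAME} allows {QSQL_API}")
    return findings

def _assembly(query_env_enabled, allowed_apis):
    """Build a constructed sample assembly (the DAP layout is an assumption)."""
    env = [{"name": ENV_NAME, "value": allowed_apis}]
    return {"spec": {"queryEnvironment": {"enabled": query_env_enabled},
                     "elements": {"dap": {"instances": {"rdb": {"env": env}}}}}}

WEAK = _assembly(True, ".kxi.sql,.kxi.qsql")
HARDENED = _assembly(False, ".kxi.sql")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_assembly(doc) or "ok")
```

To check a real deployment, load the assembly file with a YAML parser and pass the resulting dictionary to `audit_assembly`.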

Next steps

After you complete the prerequisites and have enabled entitlements, you can begin providing entitlements to user groups. To do this, you can either follow the quickstart guide or use the configuration details.