Data Entitlements - BETA
This page describes how data entitlements work and how to configure them.
Data entitlements restrict user access to data. When setting up user access, you must explicitly entitle a group of users to query a specific database.
kdb Insights Enterprise controls querying of data in databases deployed using the CLI and the web interface, using a combination of:
- Role based access controls - this determines which users can create databases and ingest, analyze, and view data. For details on the available roles, refer to Roles.
- Data entitlements - if enabled and the user has the required Role to query, the data entitlement determines which groups of users can query which databases.
Limitations
qsql
bypasses entitlements. You must disable qsql to enforce database level entitlements. Refer to the disable qsql instructions.- Alternatively, manage access to qsql using the Role in Keycloak so only trusted users can access all data through
qsql
. - Entitlements are applied on the query path only. Streaming data from a stream processor or over a web socket does not currently apply entitlements. Read Streaming to Views.
Once enabled, you have the option to additionally enable Row Level Entitlements for a specific database. When enabled, access is restrictive by default. This means that only the Owner of the database and and users with the insights.entitlements.admin
role can query any rows in any tables in the database. To grant access to rows for end users, you must add a row policy that allows a group of users to query a specific set of rows in a table, based on a filter you specify.
When data entitlements are enabled but row level entitlements are disabled, the following examples illustrate the outcomes for users with and without entitlements when querying data in kdb Insights Enterprise. These examples assume the users have at least the Viewer (insights.role.viewer
) role assigned to them:
- If a query scope selects a database for which the user is not entitled, a permission error is displayed.
- If a query spans multiple databases, they only receive data from the databases for which they are entitled.
When row level entitlements is enabled, the data a user receives is a subset of the data based on the row policy associated with the group they are part of. A user does not receive any data if there are no row policies associated with the group they are part of.
Database owners and users with the insights.entitlements.admin
role are entitled to query every row in a database, no matter what specific entitlements are set.
Disable qsql
The qsql
API bypasses entitlements and enables access to data from any DAP in any database regardless of entitlements. Therefore, if you are using entitlements, you should disable qsql
on the respective DAP:
- Query-environment DAPs: Disable query environments by setting
spec.queryEnvironment.enabled
tofalse
in the assembly file. Refer to Query environment. - Prod DAPs: By default,
qsql
is disabled on prod DAPs. Don't enable it using theKXI_ALLOWED_SBX_APIS
environment variable; refer to Environment variables for details. To disableqsql
but enableSQL
, set theKXI_ALLOWED_SBX_APIS
environment variable to.kxi.sql
.
Next steps
After you complete the prerequisites and have enabled entitlements, you can begin providing entitlements to user groups. To do this, you can either follow the quickstart guide or use the configuration details.