Skip to content

Package Entitlements - BETA

This page describes how package entitlements work and how to configure them.

Package entitlements control the operations a user can perform in relation to a specific package.

All packages have their own set of entitlements and each user can have different entitlements for different packages.

Packages contain databases, pipelines, and views. Entitlements for a package apply to all entities inside that package.

Package entitlements include four access levels - Admin, Read, Write, Execute (ARWX):

  • Admin - No restrictions. Full access to read, write, execute, and delete the package.
  • Read - Users can view the package and download its configuration.
  • Write - Users can edit pipelines, databases, and views in this package.
  • Execute - Users can deploy and teardown this package.

If a user is granted either the Write or Execute access level, they also automatically receive Read access.

Only users with the insights.entitlements.admin role can change package entitlements for other users

When you create a package, you automatically have all entitlements on that package enabled. However, only a user with the insights.entitlements.admin role can edit the entitlements for other users for that package.

When you create and push a package, the corresponding entitlements records are created automatically if they didn't already exist.

Use package entitlements

After you complete the prerequisites, you can begin providing entitlements to user groups. To do this, either follow the quickstart guide or use the configuration details.

Create your package before creating entitlement records with the same name

If you create an entitlement record before you create a package with the same name, then after you create the package, you must use the CLI to manually edit the package to include the entitlement ID for that record in the package manifest.

This is because the entitlement record contains its own Universally Unique Identifier (UUID) that can conflict with the package's UUID. For example, if you create an entitlement record named "myPackage" and then use the web interface to create a package called "myPackage", each have a different UUID. This causes kdb Insights Enterprise to display an error.

Package entitlements in the web interface

Certain actions are only visible on packages in the web interface if you have specific entitlements:

  • The package itself is only visible in the web interface if you have Read access to the package
  • The Save buttons only appear if you have Write access to the package
  • The Deploy/Teardown buttons only appear if you have Execute access to the package
  • The Delete button only appears if you have Admin access to the package

Implicit entitlements

When you use the web interface to add a pipeline to a database, any user group with entitlements to access the package containing the database also receives access to the package containing the pipeline.

Execute code with entitlements

When you execute code through .kxi.packages.load, kdb Insights Enterprise checks entitlements. If the request is made by someone who does not have the correct entitlements on the package being loaded, the process fails.

Entitlements are applied to code loaded this way when you use the Scratchpad, an operator where you can execute UDFs, and when defining UDAs.

Logs for package entitlements

You can view logs for deployed databases and pipelines in packages that you are entitled to. Where pipelines are deployed from the pipeline editor page, those logs are visible to all users.