Data Entitlements Quickstart
This page shows you how to create a group of users named dataScience
, add users to that group, and entitle that group to query data from the database in the kxi-db
package.
If necessary, follow the instructions referred to in the Downloading packages guide for details on how to download the kxi-db
package.
Ensure you have met the prerequisites before using this quickstart.
Assuming you already have the kxi-db
package deployed, do the following to configure entitlements
-
Use the following command to create the
dataScience
group:kxi group create dataScience
-
Assign groups to users:
-
For a new user you can add a group as part of the
kxi user create
command:Replace the following variables with the appropriate values for your use case:kxi user create $USERNAME --password $PASSWORD --groups dataScience
$USERNAME
: Username to the assign group to.$PASSWORD
: Password for the new user.
-
For an existing user, you can use the
kxi user assign-group
command to assign a group:kxi user assign-groups $USERNAME --groups dataScience
$USERNAME
: Username to the assign group to.
Note
Ensure the users you add to this group also have Viewer role because a user needs both role-based permissions and data entitlements for the
kxi-db
package to view data -
-
Entitle the
dataScience
group to query the data in the database:-
Start an interactive session for entitlement management by calling the
kxi entitlement manage
command:kxi entitlement manage
-
The session lists entities that can be entitled. Use the tab or the up and down arrows to select the record with EntityType of
assembly
and Entity ofkxi-db
and press Enter. -
The session lists groups that can be entitled. Use the tab or the up and down arrows to select the dataScience group and press Enter.
-
The session lists access levels that you can assign to groups. Use the up and down arrows to select Read and press the spacebar to select Read access and press Enter to save the changes.
Note
Package entitlements are the only entitlements type that enforces the different access levels. For data entitlements, you must ensure at least one of them is selected.
-
The session displays a list of groups. The Access column is now set to
R
for the "dataScience" group. -
Press Ctrl+B to go back to the list of entities.
-
Press Q to exit the interactive session.
-
Find the Group ID provided by Keycloak for the new "dataScience" group.
To do this, call the
kxi entitlement actors
command:kxi entitlement actors
[ { "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX", "name": "dataScience", "path": "/dataScience" }, ]
-
Store the group ID defined in the id field to a variable called
$GROUPID
. -
Find the entitlement for the
kxi-db
package usingkxi entitlement list
.kxi entitlement list
[ { "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX", "internalId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX", "entity": "kxi-db", "entityType": "assembly", "owner": { "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX", "username": "ownername" }, "groups": [], "users": [] }, ]
-
Store the entitlement ID defined in the "id" field to a variable called
$ID
. -
Choose an access level and store it in a variable called
$ACCESS
. The access levels available are defined here.Note
The package entitlements is the only entitlements type that enforces the different access levels. For data entitlements you just need to make sure at least one of them is selected.
-
Add the group to the query entitlements for the
kxi-db
package.kxi entitlement assign-groups $ID assembly $GROUPID:$ACCESS
-
Refer to Change synchronization for details about the time kdb Insights Enterprise takes to action any updates
Refer to the kdb Insights CLI documentation for full details on the kxi entitlement
command and Entitlements fields for an explanation of the fields returned by the commands executed above.
Next steps
- Learn how to modify an entitlement in the configuration guide.
- Add Row level entitlements to further fine tune the data access.