Data Entitlements Quickstart - BETA

This page shows you how to create a group of users named demo-users, add users to that group, and entitle that group to query all the data from the database in the insights-demo package.

If necessary, follow the instructions referred to in the Guided walkthrough for details on how to create and populate the insights-demo package.

Ensure you have met the prerequisites before using this quickstart.

To configure entitlements you need to either:

• have the Administrator role, or
• have the Maintainer role and own the package that contains the database.

Assuming you already have the insights-demo package deployed, do the following to configure entitlements.

Create a group and assign users

Note

To call the kxi user and kxi group CLI commands to manage users and groups, you need to provide credentials for a keycloak admin user as described here.

1. Use the following command to create the insights-demo group:

   kxi group create demo-users
   

2. Assign groups to users:

   • For a new user you can add a group as part of the kxi user create command:

     kxi user create $USERNAME --password $PASSWORD --groups demo-users
     

     Replace the following variables with the appropriate values for your use case:
     • $USERNAME: Username to the assign group to.
     • $PASSWORD: Password for the new user.

   • For an existing user, you can use the kxi user assign-group command to assign a group:

     kxi user assign-groups $USERNAME --groups demo-users
     

     • $USERNAME: Username to the assign group to.

   Note

   Ensure the users you add to this group also have Viewer role because a user needs both role-based permissions and data entitlements for the insights-demo package to view data

3. Ensure that each user has the Viewer role, at a minimum, as a user needs both role-based permissions and database entitlements to insights-demo to view the data. Follow the guide here to modify the roles.

Configure the entitlements

1. Entitle the demo-users group to query the data in the database:

   Using an Interactive Session in the CLI CLI

   1. Start an interactive session for entitlement management by calling the kxi entitlement manage command:

      kxi entitlement manage
      

   2. The session lists entities that can be entitled. Use the tab or the up and down arrows to select the record with EntityType of database and Entity of insights-demo and press Enter.

   3. The session lists groups that can be entitled. Use the tab or the up and down arrows to select the demo-users group and press Enter.

   4. The session lists access levels that you can assign to groups. Use the up and down arrows to select Read and press the spacebar to select Read access and press Enter to save the changes.

      Note

      Package entitlements are the only entitlements type that enforces the different access levels. For data entitlements, you must ensure at least one of them is selected.

   5. The session displays a list of groups. The Access column is now set to R for the "demo-users" group.

   6. Press Ctrl+B to go back to the list of entities.

   7. Press Q to exit the interactive session.

   1. Find the Group ID provided by Keycloak for the new "demo-users" group.

      To do this, call the kxi entitlement actors command:

      kxi entitlement actors
      

      [
          {
              "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX",
              "name": "demo-users",
              "path": "/demo-users"
          },
      ]
      

   2. Store the group ID defined in the id field to a variable called $GROUPID.

   3. Find the entitlement for the insights-demo package using kxi entitlement list.

      kxi entitlement list
      

      [
      {
          "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX",
          "internalId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX",
          "entity": "insights-demo",
          "entityType": "database",
          "owner": {
              "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX",
              "username": "ownername"
          },
          "groups": [],
          "users": []
      },
      ]
      

   4. Store the entitlement ID defined in the "id" field to a variable called $ID.

   5. Choose an access level and store it in a variable called $ACCESS. The access levels available are defined here.

      Note

      The package entitlements is the only entitlements type that enforces the different access levels. For data entitlements you just need to make sure at least one of them is selected.

   6. Add the group to the query entitlements for the insights-demo package.

      kxi entitlement assign-groups $ID database $GROUPID:$ACCESS
      

Once these steps have been completed and a short period of time has been allowed for the synchronization of the change across the system, any user that is part of the demo-users group can now query data in the insights-demo database using REST, the Query window and Views.

Refer to the kdb Insights CLI documentation for full details on the kxi entitlement command and Entitlements fields for an explanation of the fields returned by the commands executed above.

Next steps

• Learn how to modify an entitlement in the configuration guide.
• Add Row level entitlements to further fine tune the data access.