Skip to content

Data entitlements Beta

Use the data entitlements facility to make sure that data contained within a deployed assembly can be accessed only by users who are entitled to do so.

The data entitlements facility is currently in beta and disabled by default

During deployment, the data entitlements facility is disabled by default, meaning no restrictions are applied and all users can query all data in a kdb Insights Enterprise deployment.

When you enable the facility, users do not have access to assemblies unless they are listed in the entitlements database as being entitled to query the assembly in question.

Query Environment issues

With entitlements enabled, the Query tab in the UI will not return data as there are issues with resolving the correct database name when checking entitlements. In order to workaround this issue, you should create a second entitlement for each database / assembly.

For example if you create and entitle an assembly called dfx-assembly, you should also create an identical entitlement called dfx-assembly-qe. This -qe entitlement should be kept in-sync when updating the main one.

qsql limitations

Note that qsql requests, made either through the Q tab (query-environment DAPs) in the UI or via REST to /qsql (query-environment and prod DAPs), do not work with entitlements. The qsql API bypasses entitlements entirely, and allows access to data from any DAP in any assembly regardless of entitlements. Therefore, if using entitlements, qsql should be disabled. To disable qsql, do both of the following:

  • Query-environment DAPs: Disable query environments entirely by setting spec.queryEnvironment.enabled to false in the assembly file (see here).
  • Prod DAPs: By default, qsql is disabled on prod DAPs. Simply do not enable it via the KXI_ALLOWED_SBX_APIS environment variable (see here). Note that in order to disable qsql but enable SQL, the KXI_ALLOWED_SBX_APIS environment variable should be set to .kxi.sql.

kdb Insights Enterprise controls querying of data in assemblies using a combination of:

  • Role based permissions - this determines which users can create assemblies and ingest, analyze, and view data. See here for details on the roles available.
  • Data entitlements - if enabled, this determines which groups of users are entitled to query specific assemblies. Users are entitled to query an assembly if they are any of the following:
    • A member of a group that is entitled to query the assembly
    • An entity owner, which is a user who is assigned as the owner of the assembly
    • An entitlement administrator, which is a user with the insights.entitlements.admin role

References to users and assemblies

When users are referenced here these can be either standard users or service accounts. Please see here for more information.

When assemblies are referenced here, this refers to both assemblies deployed via the kdb Insights CLI and databases created from the kdb Insights Enterprise UI.

When entitlements are enabled, the list below gives examples of the outcomes for users with and without entitlements when they query data in kdb Insights Enterprise, assuming they have at least the Viewer (insights.role.viewer) role assigned to them:

  • If a query spans one or more assemblies for which the user is entitled, they receive data from that assembly.
  • If a query scope selects an assembly for which the user is not entitled, they get a permission error.
  • If a query spans multiple assemblies, they only receive data from the assemblies for which they are entitled.

Using entitlements

To use entitlements in kdb Insights Enterprise you need to:

  1. Complete the prerequisites

    This includes:

    • Enabling the data entitlement facility
    • Using Keycloak to create groups of users

      An entitlement is awarded to a group rather than to an individual user, thus the need to create groups of users.

  2. Give entitlements to user groups. To do this you can either follow the quickstart guide or use the configuration details.