Data entitlements (Beta)
Use the data entitlements facility to make sure that data contained within a deployed assembly can be accessed only by users who are entitled to do so.
The data entitlements facility is currently in beta and disabled by default
During deployment, the data entitlements facility is disabled by default, meaning no restrictions are applied and all users can query all data in a kdb Insights Enterprise deployment.
When you enable the facility, users do not have access to assemblies unless they are listed in the entitlements database as being entitled to query the assembly in question.
Query Environment issues
With entitlements enabled, the Query tab in the UI will not return data, because there are issues with resolving the correct database name when checking entitlements. To work around this issue, create a second entitlement for each database/assembly.
For example, if you create and entitle an assembly called dfx-assembly, you should also create an identical entitlement whose name carries the -qe suffix. The -qe entitlement should be kept in sync whenever the main one is updated.
qsql requests, made either through the Q tab (query-environment DAPs) in the UI or via REST to /qsql (query-environment and prod DAPs), do not work with entitlements. The qsql API bypasses entitlements entirely and allows access to data from any DAP in any assembly, regardless of entitlements. Therefore, if you use entitlements, qsql should be disabled. To disable qsql, do both of the following:
- Query-environment DAPs: Disable query environments entirely by setting them to false in the assembly file (see here).
- Prod DAPs: By default, qsql is disabled on prod DAPs. Simply do not enable it via the KXI_ALLOWED_SBX_APIS environment variable (see here). Note that in order to disable it, the KXI_ALLOWED_SBX_APIS environment variable should be set to
kdb Insights Enterprise controls querying of data in assemblies using a combination of:
- Role-based permissions - these determine which users can create assemblies and ingest, analyze, and view data. See here for details on the roles available.
- Data entitlements - if enabled, these determine which groups of users are entitled to query specific assemblies. A user is entitled to query an assembly if they are any of the following:
  - A member of a group that is entitled to query the assembly
  - An entity owner, which is the user assigned as the owner of the assembly
  - An entitlement administrator, which is a user with the
References to users and assemblies
When entitlements are enabled, the list below gives examples of the outcomes for users with and without entitlements when they query data in kdb Insights Enterprise, assuming they have at least the Viewer (insights.role.viewer) role assigned to them:
- If a query spans one or more assemblies for which the user is entitled, they receive data from that assembly.
- If a query scope selects an assembly for which the user is not entitled, they get a permission error.
- If a query spans multiple assemblies, they only receive data from the assemblies for which they are entitled.
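The following Python is an added illustration, not kdb Insights Enterprise code: it models the entitlement rules and query outcomes described above (group membership, entity owner, entitlement administrator, the Viewer role requirement) and adds an administrator's consistency check for the -qe twin entitlements required by the Query Environment workaround. The entitlement database layout, the admin role name and the sample users and assemblies are constructed assumptions.

```python
from dataclasses import dataclass, field

VIEWER_ROLE = "insights.role.viewer"
ADMIN_ROLE = "ENTITLEMENT_ADMIN_ROLE_PLACEHOLDER"  # assumption: real role name not given here

@dataclass
class Entitlement:
    """One entitlement record: groups allowed to query the assembly, and its owner."""
    groups: set = field(default_factory=set)
    owner: str = ""

@dataclass
class User:
    name: str
    roles: set
    groups: set

def is_entitled(user: User, assembly: str, db: dict) -> bool:
    """Entitled if entitlement administrator, the assembly's owner, or in an entitled group.
    An assembly with no record in the database is not queryable by anyone (facility enabled)."""
    if ADMIN_ROLE in user.roles:
        return True
    ent = db.get(assembly)
    if ent is None:
        return False
    return user.name == ent.owner or bool(user.groups & ent.groups)

def resolve_query(user: User, assemblies: list, db: dict, explicit_scope: bool = False) -> list:
    """Return the assemblies the query may read data from.
    A query explicitly scoped to a non-entitled assembly is a permission error;
    a query spanning several assemblies is narrowed to the entitled subset."""
    if VIEWER_ROLE not in user.roles:
        raise PermissionError("at least the Viewer role is required to query")
    allowed = [a for a in assemblies if is_entitled(user, a, db)]
    if explicit_scope and len(allowed) != len(assemblies):
        denied = sorted(set(assemblies) - set(allowed))
        raise PermissionError(f"not entitled to query: {denied}")
    return allowed

def missing_qe_twins(db: dict) -> list:
    """Workaround check: every '<name>' entitlement needs an identical '<name>-qe' twin."""
    return sorted(a for a, e in db.items()
                  if not a.endswith("-qe") and db.get(a + "-qe") != e)

# Constructed sample entitlement database and users (not real deployment data).
ENTITLEMENTS = {
    "dfx-assembly": Entitlement(groups={"traders"}, owner="alice"),
    "dfx-assembly-qe": Entitlement(groups={"traders"}, owner="alice"),
    "risk-assembly": Entitlement(groups={"risk"}, owner="bob"),  # no -qe twin
}
ALICE = User("alice", {VIEWER_ROLE}, {"risk"})      # owner of dfx-assembly, member of risk
CAROL = User("carol", {VIEWER_ROLE}, {"traders"})   # entitled via group only
```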
To use entitlements in kdb Insights Enterprise you need to:
- Complete the prerequisites
- Enable the data entitlement facility
Using Keycloak to create groups of users
An entitlement is awarded to a group rather than to an individual user, thus the need to create groups of users.