Entitlement type definitions for kdb Insights Enterprise.

Defines the data models and enumerations used by the Entitlement Service: access levels, entity types, policy mappings, and the core entitlement record structures.

Classes:

• Access – Access level flags for an entitlement.
• Actor – A Keycloak group actor with membership information.
• Entitlement – Full entitlement record for an entity.
• EntitlementElem – Entitlement record as returned by list and get operations.
• EntityType – Types of entities that can be entitled.
• Group – A Keycloak group with an assigned access level.
• Owner – Owner identification for an entitlement.
• PodOwner – Mapping from a pod IP address to its Keycloak owner UUID.
• PolicyMappingElem – A mapping of policy types to lists of policy values.
• PolicyTypes – Types of data access policies.
• User – A Keycloak user with an assigned access level.

Access

Bases: Flag

Access level flags for an entitlement.

Flags can be combined. ADMIN implies READ, WRITE, and EXECUTE. EXECUTE and WRITE each imply READ.

Attributes:

• NONE – No access.
• READ (R) – Read-only access.
• WRITE (W) – Write access (implies READ).
• EXECUTE (X) – Execute access (implies READ).
• ADMIN (A) – Full administrative access (implies READ, WRITE, EXECUTE).
• ALL – All flags combined.

Example

from kxi.authorization.entitlement_types import Access

level = Access.from_str("RW")
print(level)         # "RW"
has_read = bool(level & Access.READ)  # True

Functions:

• from_str – Convert string representation to enum.

from_str

from_str(data)

Convert string representation to enum.

Actor

Bases: BaseModel

A Keycloak group actor with membership information.

Attributes:

• id (UUID) – Keycloak group UUID.
• name (str) – Group name.
• path (str) – Full group path, e.g. /viewers/emea.
• AdminGroup (bool) – Whether this group has admin privileges.
• Members (list[User]) – Users that are members of this group.

Entitlement

Bases: BaseModel

Full entitlement record for an entity.

Attributes:

• id (UUID) – Entity UUID.
• internalId (Optional[UUID]) – Internal UUID for the entity record.
• entity (Optional[str]) – Human-readable entity name.
• entityType (Optional[EntityType]) – Entity category (see EntityType).
• owner (Optional[UUID]) – Keycloak user UUID of the entity owner.
• groups (Optional[List[Group]]) – Groups entitled to access this entity.
• users (Optional[List[User]]) – Individual users entitled to access this entity.
• policiesEnabled (Optional[bool]) – Whether row/column policies are active.
• policyTypes (Optional[Dict[str, bool]]) – Map of policy type names to enabled flags.

EntitlementElem

Bases: Entitlement

Entitlement record as returned by list and get operations.

Extends Entitlement with a richer owner field that may be either an Owner object or a raw UUID.

Attributes:

• owner (Optional[Owner | UUID]) – Entity owner as an Owner object or UUID.

EntityType

Bases: AutoNameEnum

Types of entities that can be entitled.

Attributes:

• database – A kdb+ database or YAML assembly.
• assembly – Assembly entity (alias for database).
• package – A kdb Insights package.
• view – A dashboard view.
• query – A named query.
• all – Wildcard — matches all entity types.

Functions:

• valid_members – List all valid members.

valid_members

valid_members()

List all valid members.

Group

Bases: BaseModel

A Keycloak group with an assigned access level.

Attributes:

• id (UUID) – Keycloak group UUID.
• name (Optional[str]) – Group name (optional, informational).
• access (Access) – Access level granted to this group. Default: Access.R.
• policyMapping (Optional[Dict[str, PolicyMappingElem]]) – Optional per-group row/column policy mappings.

Owner

Bases: BaseModel

Owner identification for an entitlement.

Attributes:

• id (Optional[UUID]) – Keycloak user UUID of the owner.
• username (Optional[str]) – Keycloak username of the owner.

PodOwner

Bases: BaseModel

Mapping from a pod IP address to its Keycloak owner UUID.

Attributes:

• ip (str) – Pod IP address.
• owner (UUID) – Keycloak user UUID of the pod owner.
• podName (str) – Kubernetes pod name.

PolicyMappingElem

Bases: RootModel

A mapping of policy types to lists of policy values.

Maps PolicyTypes keys to lists of policy strings. Used in per-group row/column policy configuration.

Example

from kxi.authorization.entitlement_types import PolicyMappingElem

mapping = PolicyMappingElem()
mapping.row = ["region=EMEA", "desk=rates"]

PolicyTypes

Bases: AutoNameEnum

Types of data access policies.

Attributes:

• row – Row-level access policy.
• column – Column-level access policy.

User

Bases: BaseModel

A Keycloak user with an assigned access level.

Attributes:

• id (UUID) – Keycloak user UUID.
• username (str) – Keycloak username.
• access (Access) – Access level granted to this user. Default: Access.R.