Security & Access Control
Commands for security management. Administer user and service accounts, assign roles and permissions, define row-level access policies and configure credentials for external systems.
hdxcli v1.0.83
User
This command handles the administration of user accounts. Provides functionality to list, show, delete, and manage roles for existing users, and to manage their invitations.
Usage
hdxcli user [OPTIONS] COMMAND [ARGS]...
Options
| Option | Description |
|---|---|
--user TEXT | Perform operation on the passed user. |
Assign Role
Assign one or more roles to a user. This command adds roles to an existing user.
Usage
hdxcli user assign-role [OPTIONS] USER_EMAIL
Options
| Option | Description |
|---|---|
-r, --role TEXT | Role to assign. Can be used multiple times. [required] |
Examples
# Assign the 'operator' and 'read_only' roles to a user
hdxcli user assign-role [email protected] --role operator --role read_only
Delete
Permanently deletes the specified user. This action is irreversible.
Usage
hdxcli user delete [OPTIONS] USER_NAME
Options
| Option | Description |
|---|---|
--disable-confirmation-prompt | Suppress confirmation to delete the user. |
Examples
# Delete the specified user and bypass the confirmation prompt
hdxcli user delete [email protected] --disable-confirmation-prompt
List
List all users.
Displays a list of all users, excluding service accounts. The output includes the user's email and their assigned roles.
Usage
hdxcli user list [OPTIONS]
Examples
# List all users in the organization
hdxcli user list
Remove Role
Remove one or more roles from a user. This command removes existing roles from a user.
Usage
hdxcli user remove-role [OPTIONS] USER_EMAIL
Options
| Option | Description |
|---|---|
-r, --role TEXT | Role to remove. Can be used multiple times. [required] |
Examples
# Remove the 'super_admin' role from a user
hdxcli user remove-role [email protected] --role super_admin
Show
Show details for a specific user.
Displays the full configuration of a specific user. It will use the invite specified with the --user option.
Usage
hdxcli user show [OPTIONS] USER_EMAIL
Options
| Option | Description |
|---|---|
-i, --indent | Output in indented JSON format. |
Examples
# Show details for a specific user
hdxcli user show my_user
Invite
Provides commands for managing user invitations. Includes commands to send, resend, list, show, and delete user invitations.
Usage
hdxcli user invite [OPTIONS] COMMAND [ARGS]...
Options
| Option | Description |
|---|---|
--invite USER_EMAIL | Perform operation on the passed user. |
Delete
Permanently deletes the specified invite. This action is irreversible.
Usage
hdxcli user invite delete [OPTIONS] INVITE_NAME
Options
| Option | Description |
|---|---|
--disable-confirmation-prompt | Suppress confirmation to delete the invite. |
Examples
# Delete the specified invite and bypass the confirmation prompt
hdxcli user invite delete [email protected] --disable-confirmation-prompt
List
List all invites.
Displays a list of all user invitations, showing their email and status. The list can be filtered for only pending invitations with the --pending flag.
Usage
hdxcli user invite list [OPTIONS]
Options
| Option | Description |
|---|---|
-p, --pending | List only pending invitations. |
Examples
# List all invitations, including claimed and pending
hdxcli user invite list
# List only the invitations with a 'pending' status
hdxcli user invite list --pending
Resend
Resend an existing invite. Resends an invitation to a user, typically when the original invitation has expired or was not received.
Usage
hdxcli user invite resend [OPTIONS] INVITE_EMAIL
Examples
# Resend an invitation to a user
hdxcli user invite resend [email protected]
Send
Create and send a new invite. Sends an email invitation to a new user with a specific set of roles.
Usage
hdxcli user invite send [OPTIONS] INVITE_EMAIL
Options
| Option | Description |
|---|---|
-r, --role TEXT | Role to assign to the new user. Can be used multiple times. [required] |
Examples
# Invite a new user with the 'operator' role
hdxcli user invite send [email protected] --role operator
Show
Show details for a specific invite.
Displays the full configuration of a specific invite. It will use the invite specified with the --invite option.
Usage
hdxcli user invite show [OPTIONS] USER_EMAIL
Options
| Option | Description |
|---|---|
-i, --indent | Output in indented JSON format. |
Examples
# Show details for a specific invite
hdxcli user invite show my_invite
Service-Account
Service accounts are non-human users designed for programmatic API access. This includes creating, listing, deleting, and managing roles and tokens for them.
Usage
hdxcli service-account [OPTIONS] COMMAND [ARGS]...
Options
| Option | Description |
|---|---|
--service-account, --sa TEXT | Perform an operation on the specified service account. |
Assign Role
Assign one or more roles to a service account.
Usage
hdxcli service-account assign-role [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
-r, --role ROLE | Role(s) to assign. Can be used multiple times. [required] |
Examples
# Assign the 'operator' role to the 'my_service_account' service account
hdxcli service-account assign-role my_service_account --role operator
Create
This command creates a new service account and assigns one or more roles to it. An access token can be generated immediately by using the --generate-token flag.
Usage
hdxcli service-account create [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
-r, --role ROLE | Role to assign. Can be specified multiple times. [required] |
--generate-token [DURATION] | Generate a token after creation. Optionally, provide a duration (e.g., '30d', '1y'). |
--set-as-auth | Set the generated token as the authentication method for the current profile. This will overwrite any existing credentials. |
Examples
# Create a service account with the 'super_admin' role
hdxcli service-account create my_service_account --role super_admin
# Create a service account and generate a token valid for 90 days
hdxcli service-account create grafana_connector --role reporting_viewer --generate-token 90d
# Create a service account, generate a token, and set it as the auth method
hdxcli service-account create user_connector --role automation_admin --generate-token 90d --set-as-auth
Delete
Delete a specific service account.
This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.
Usage
hdxcli service-account delete [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
--disable-confirmation-prompt | Suppress confirmation to delete service account. |
Examples
# Delete the service account named 'my_service_account'
hdxcli service-account delete my_service_account
Generate Token
Generate a new access token for a service account. The service account name can be specified via argument or the global --sa option.
Usage
hdxcli service-account generate-token [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
--duration DURATION | Set token lifetime (e.g., '30d', '12h', '1y'). If not set, the API default is used. |
--json | Display the full token response in JSON format. |
--set-as-auth | Set the generated token as the authentication method for the current profile. This will overwrite any existing credentials. |
Examples
# Generate a token for 'grafana_connector' that expires in 30 days and set it as the auth method
hdxcli service-account generate-token grafana_connector --duration 30d --set-as-auth
List
List all available service accounts. Displays a table with the names of all service accounts and the roles assigned to them.
Usage
hdxcli service-account list [OPTIONS]
Examples
# List all service accounts in the organization
hdxcli service-account list
Remove Role
Remove one or more roles from a service account.
Usage
hdxcli service-account remove-role [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
-r, --role ROLE | Role(s) to remove. Can be used multiple times. [required] |
Examples
# Remove the 'super_admin' role from the 'my_service_account' service account
hdxcli service-account remove-role my_service_account --role super_admin
Revoke Tokens
Revoke all active tokens for a service account.
This is a security-sensitive operation that invalidates all existing tokens for the specified service account, forcing any application using them to re-authenticate with a new token.
Usage
hdxcli service-account revoke-tokens [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
--yes | Bypass the confirmation prompt. |
Examples
# Revoke all tokens for 'my_service_account' after a confirmation prompt
hdxcli service-account revoke-tokens my_service_account
Show
Show details for a specific service account.
Retrieves and displays the settings of a single service account. If no name is provided, the default service account will be used if exists.
Usage
hdxcli service-account show [OPTIONS] SERVICE_ACCOUNT_NAME
Options
| Option | Description |
|---|---|
-i, --indent | Indent the output. |
Examples
# Show details for the service account named 'my_service_account'
hdxcli service-account show my_service_account
Role
Commands to create, edit, and manage user roles and their permissions.
Usage
hdxcli role [OPTIONS] COMMAND [ARGS]...
Options
| Option | Description |
|---|---|
--role ROLE_NAME | Perform operation on the passed role. |
Add User
Add one or more users to a role.
Usage
hdxcli role add-user [OPTIONS] ROLE_NAME
Options
| Option | Description |
|---|---|
-u, --user TEXT | Specify users to add to a role (can be used multiple times). [required] |
Examples
# Add '[email protected]' to the 'my_role' role
hdxcli role add-user my_role --user [email protected]
Create
Create a new role. This command supports two modes for creating a role:
- Command-Line: Define a single policy by providing its details as options.
- Interactive: Use the
--interactiveflag for a guided setup.
Usage
hdxcli role create [OPTIONS] ROLE_NAME
Options
| Option | Description |
|---|---|
-t, --scope-type TEXT | Type of scope for the role. |
-i, --scope-id TEXT | Identifier for the scope (UUID). |
-p, --permission TEXT | Specify permissions for the new role (can be used multiple times). |
--interactive | Enter interactive mode to be guided through role creation. |
Examples
# Create a role with a single global permission
hdxcli role create my_read_role --permission read_table
# Create a role with project-scoped permissions
hdxcli role create my_project_role --scope-type project --scope-id <uuid> --permission add_table
# Start the interactive guide to create a role
hdxcli role create my_interactive_role --interactive
Delete
Delete a specific role.
This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.
Usage
hdxcli role delete [OPTIONS] ROLE_NAME
Options
| Option | Description |
|---|---|
--disable-confirmation-prompt | Suppress confirmation to delete role. |
Examples
# Delete the role named 'my_role'
hdxcli role delete my_role
Edit
Modify an existing role interactively.
This command starts an interactive session to guide you through modifying a role, including its name and policies.
Usage
hdxcli role edit [OPTIONS] ROLE_NAME
Examples
# Start the interactive editor for 'my_role'
hdxcli role edit my_role
List
List all available roles.
Retrieves a list of all roles you have access to. Pagination options (--page, --page-size) are available if supported by the API.
Usage
hdxcli role list [OPTIONS]
Options
| Option | Description |
|---|---|
-p, --page INTEGER | Page number. |
-s, --page-size INTEGER | Number of items per page. |
Examples
# List the first page of roles
hdxcli role list
List Permissions
Lists all available permissions that can be assigned to a role, optionally filtered by a scope type.
Usage
hdxcli role list-permissions [OPTIONS]
Options
| Option | Description |
|---|---|
-t, --scope-type SCOPE_TYPE | Filter the permissions by a specific scope type. |
Examples
# List all permissions available for the 'project' scope
hdxcli role list-permissions --scope-type project
Remove User
Remove one or more users from a role.
Usage
hdxcli role remove-user [OPTIONS] ROLE_NAME
Options
| Option | Description |
|---|---|
-u, --user TEXT | Specify users to remove from a role (can be used multiple times). [required] |
Examples
# Remove '[email protected]' from the 'my_role' role
hdxcli role remove-user my_role --user [email protected]
Show
Show details for a specific role.
Retrieves and displays the settings of a single role. If no name is provided, the default role will be used if exists.
Usage
hdxcli role show [OPTIONS] ROLE_NAME
Options
| Option | Description |
|---|---|
-i, --indent | Indent the output. |
Examples
# Show details for the role named 'my_role'
hdxcli role show my_role
Row-Policy
Manages Row-Level security policies for tables.
This command group provides functionality to create, list, show, delete, and manage roles for row policies, allowing for fine-grained access control over the data within a table.
Usage
hdxcli row-policy [OPTIONS] COMMAND [ARGS]...
Options
| Option | Description |
|---|---|
--project PROJECT_NAME | Use or override project set in the profile. |
--table TABLE_NAME | Use or override table set in the profile. |
--row-policy ROW_POLICY_NAME | Explicitly pass the row policy name. |
Add Role
Adds one or more roles to an existing row policy. This command associates roles with a row policy, granting the permissions defined by that row policy to users who have those roles.
Usage
hdxcli row-policy add-role [OPTIONS] ROW_POLICY_NAME
Options
| Option | Description |
|---|---|
--role ROLE_NAME | Role to add. Can be specified multiple times. [required] |
Examples
# Add the 'viewer' role to the 'europe_logs' row policy
hdxcli row-policy --project hydro --table logs add-role europe_logs --role viewer
# Add multiple roles at once
hdxcli row-policy --project hydro --table logs add-role europe_logs --role viewer --role editor
Create
Creates a new row policy for the specified table. A row policy filters the data that users can see based on a filter expression. It must be associated with at least one role to take effect.
Usage
hdxcli row-policy create [OPTIONS] ROW_POLICY_NAME
Options
| Option | Description |
|---|---|
--filter FILTER_EXPRESSION | The filter expression for the policy (e.g., '"claimed"=false'). [required] |
--restrictive | Set the policy as restrictive. Default is permissive. |
--role ROLE_NAME | Role to associate with this policy. Can be specified multiple times. |
Examples
# Create a PERMISSIVE row policy to show logs from Europe to 'analyst' users
hdxcli row-policy --project hydro --table logs create europe_logs --filter "region = 'EU'" --role analyst
# Create a RESTRICTIVE row policy to ensure only non-draft documents are ever shown
hdxcli row-policy --project docs --table articles create ensure_published --filter "status != 'draft'" --restrictive
Delete
Delete a specific row policy.
This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.
Usage
hdxcli row-policy delete [OPTIONS] ROW_POLICY_NAME
Options
| Option | Description |
|---|---|
--disable-confirmation-prompt | Suppress confirmation to delete row policy. |
Examples
# Delete the row policy named 'my_row_policy'
hdxcli row-policy --project my_project --table my_table delete my_row_policy
List
Lists all row policies for a given table. Displays a summary of all row policies, including their name, filter expression, whether they are restrictive, and their associated roles.
Usage
hdxcli row-policy list [OPTIONS]
Examples
# List all row policies
hdxcli row-policy --project my_project --table my_table list
Remove Role
Removes one or more roles from an existing row policy. This command disassociates roles from a row policy, revoking the permissions defined by that row policy from users who have those roles.
Usage
hdxcli row-policy remove-role [OPTIONS] ROW_POLICY_NAME
Options
| Option | Description |
|---|---|
--role ROLE_NAME | Role to remove. Can be specified multiple times. [required] |
Examples
# Remove the 'editor' role from the 'europe_logs' policy
hdxcli row-policy --project hydro --table logs remove-role europe_logs --role editor
Settings
List, get, or set key-value settings for a specific row policy.
This command operates in three modes:
- LIST: Invoked with no arguments, it lists all settings.
- GET: Invoked with only a KEY, it retrieves the value of that setting.
- SET: Invoked with a KEY and a VALUE, it sets the value for that setting.
The VALUE can be a string, a number, or a JSON-formatted string for lists/objects. When setting a value, the --force-operation option may be required for certain resource.
Usage
hdxcli row-policy settings [OPTIONS] [KEY] [VALUE]
Options
| Option | Description |
|---|---|
-F, --force | This flag allows adding the force_operation parameter to the request. |
Examples
# List all settings for the row policy 'my_row_policy'
hdxcli row-policy --project my_project --table my_table --row policy my_row_policy settings
# Get the 'name' setting for the row policy 'my_row_policy'
hdxcli row-policy --project my_project --table my_table --row policy my_row_policy settings name
# Set a new 'name' setting for the row policy 'my_row_policy'
hdxcli row-policy --project my_project --table my_table --row policy my_row_policy settings name new_name
Show
Show details for a specific row policy.
Retrieves and displays the settings of a single row policy. If no name is provided, the default row policy will be used if exists.
Usage
hdxcli row-policy show [OPTIONS] ROW_POLICY_NAME
Options
| Option | Description |
|---|---|
-i, --indent | Indent the output. |
Examples
# Show details for the row policy named 'my_row_policy'
hdxcli row-policy --project my_project --table my_table show my_row_policy
Credential
Provides commands to create, list, show, and delete credentials. It also includes a command to list all available credential types which is useful before creating a new one.
Usage
hdxcli credential [OPTIONS] COMMAND [ARGS]...
Options
| Option | Description |
|---|---|
--credential CREDENTIAL_NAME | Perform operation on the passed credential. |
Create
Create a new credential. The command prompts for any required details not provided as options. For fully non-interactive use, all details must be specified using the --detail option.
Usage
hdxcli credential create [OPTIONS] CREDENTIAL_NAME CREDENTIAL_TYPE
Options
| Option | Description |
|---|---|
--description TEXT | Credential description. |
--detail TEXT... | A key-value pair for a credential detail. Use multiple times for multiple details. |
Examples
# Create a credential interactively
hdxcli credential create my_credential gcp-service-account
# Create a credential non-interactively with key-value details
hdxcli credential create aws-prod-keys aws_access_keys --detail access_key_id "your-id" --detail secret_access_key "your-secret"
Delete
Delete a specific credential.
This is a permanent action and cannot be undone. You will be prompted for confirmation unless --disable-confirmation-prompt is used.
Usage
hdxcli credential delete [OPTIONS] CREDENTIAL_NAME
Options
| Option | Description |
|---|---|
--disable-confirmation-prompt | Suppress confirmation to delete credential. |
Examples
# Delete the credential named 'my_credential'
hdxcli credential delete my_credential
List
List all available credentials.
Retrieves a list of all credentials you have access to. Pagination options (--page, --page-size) are available if supported by the API.
Usage
hdxcli credential list [OPTIONS]
Options
| Option | Description |
|---|---|
-p, --page INTEGER | Page number. |
-s, --page-size INTEGER | Number of items per page. |
Examples
# List the first page of credentials
hdxcli credential list
List Types
List available credential types.
Usage
hdxcli credential list-types [OPTIONS]
Options
| Option | Description |
|---|---|
-c, --cloud CLOUD | Filter the credential types by a specific cloud. |
Examples
# List all available credential types, filtering by 'azure' cloud
hdxcli credential list-types --cloud azure
Settings
List, get, or set key-value settings for a specific credential.
This command operates in three modes:
- LIST: Invoked with no arguments, it lists all settings.
- GET: Invoked with only a KEY, it retrieves the value of that setting.
- SET: Invoked with a KEY and a VALUE, it sets the value for that setting.
The VALUE can be a string, a number, or a JSON-formatted string for lists/objects. When setting a value, the --force-operation option may be required for certain resource.
Usage
hdxcli credential settings [OPTIONS] [KEY] [VALUE]
Options
| Option | Description |
|---|---|
-F, --force | This flag allows adding the force_operation parameter to the request. |
Examples
# List all settings for the credential 'my_credential'
hdxcli credential --credential my_credential settings
# Get the 'name' setting for the credential 'my_credential'
hdxcli credential --credential my_credential settings name
# Set a new 'name' setting for the credential 'my_credential'
hdxcli credential --credential my_credential settings name new_name
Show
Show details for a specific credential.
Retrieves and displays the settings of a single credential. If no name is provided, the default credential will be used if exists.
Usage
hdxcli credential show [OPTIONS] CREDENTIAL_NAME
Options
| Option | Description |
|---|---|
-i, --indent | Indent the output. |
Examples
# Show details for the credential named 'my_credential'
hdxcli credential show my_credential
Updated about 10 hours ago