Account Permissions

Role Based Access Control (RBAC) definitively grants permissions to accounts in a positive, additive way.

Use RBAC to control which users and service accounts can perform which actions on resources in a cluster.

Hydrolix defines a resource hierarchy, most notably, global, organization, projects, and tables for each cluster. The RBAC system allows granular permissions over resources at any of these nested scopes.

Use this hierarchy to define exactly the permissions required for each role.

• RBAC Concepts defines terms and describes positive expression of permissions
• RBAC Structure depicts permissions applied to scopes, collected in policies and grouped into roles
• RBAC How-to: Assign Role to User demonstrates using the API and UI to define a role and assign to a user account
• Permissions Reference lists available permissions on resources at highest granularity
• Row-level Access Control describes per-table data access controls available in roles

RBAC enforces access for authenticated users to only the API endpoints and operations authorized by their roles.

RBAC is used by Hydrolix UI, Config API, and SQL queries. It's further used by Ingest and Traefik-routed service endpoints when the enable_traefik_authorization tunable is set to true (default: false).