Identity & Access Management

This page covers how access and privileges are managed in your Rockset organization.

Rockset grants access to data and actions through role-based authorization and offers built-in roles that provide the different levels of access commonly needed in a database system. You can additionally create custom roles.

A role grants privileges to perform sets of actions on defined resources. A role can grant access down to a workspace level of granularity.

Users, API Keys and Roles

A user can be assigned several roles. The only time a user authenticates as a "user" (instead of through an API key) is when they use the Rockset Console. When logged into the Console, the user will assume the union of privileges from all roles assigned to that user.

API keys can be granted a single explicit role at creation time, or 'All User Assigned Roles', in which case access checks use the union of the API key owner's roles (present and future) instead, essentially authorizing the key to act as a direct agent of the user.

Any action initiated from an API key checks both the API key's associated privileges and the API key owner's associated privileges. You may not perform an action with an API key that the owner is not also authorized to perform.

API keys cannot be edited after creation - they are immutable. You can add scope to an existing API key by updating the privileges associated with its role, but you cannot change it to a different role.
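The following sketch models the access check described in this section: a Console session uses the union of the user's roles, while an API key needs both its own role and its owner to permit the action. It is an added example, not Rockset code; the role names, the sample data and the function names are hypothetical, and only workspace-scoped privileges are modeled.

```python
from dataclasses import dataclass

ALL = "*ALL*"                               # wildcard as this page writes it
ALL_USER_ROLES = "All User Assigned Roles"  # key follows its owner's roles

@dataclass(frozen=True)
class Privilege:
    action: str     # Action ID, e.g. "QUERY_DATA_WS"
    workspace: str  # workspace name, or ALL

# Constructed sample roles (hypothetical names).
ROLES = {
    "sales-analyst": {Privilege("QUERY_DATA_WS", "sales")},
    "ingest": {Privilege("WRITE_DATA_WS", ALL)},
}

def role_allows(role, action, workspace):
    return any(p.action in (action, "ALL_WORKSPACE_ACTIONS")
               and p.workspace in (workspace, ALL) for p in ROLES[role])

def user_allows(user_roles, action, workspace):
    """Console session: union of privileges from every assigned role."""
    return any(role_allows(r, action, workspace) for r in user_roles)

def api_key_allows(key_role, owner_roles, action, workspace):
    """API key: the key's role AND the owner must both permit the action."""
    if not user_allows(owner_roles, action, workspace):
        return False
    if key_role == ALL_USER_ROLES:
        return True  # follows the owner's roles, present and future
    return role_allows(key_role, action, workspace)

def demo():
    owner = {"sales-analyst", "ingest"}
    out = {
        "ingest_key_write": api_key_allows("ingest", owner, "WRITE_DATA_WS", "sales"),
        "ingest_key_query": api_key_allows("ingest", owner, "QUERY_DATA_WS", "sales"),
        "agent_key_query": api_key_allows(ALL_USER_ROLES, owner, "QUERY_DATA_WS", "sales"),
    }
    owner.discard("ingest")  # the role is revoked from the key's owner
    out["ingest_key_write_after_revoke"] = api_key_allows(
        "ingest", owner, "WRITE_DATA_WS", "sales")
    out["agent_key_query_other_ws"] = api_key_allows(
        ALL_USER_ROLES, owner, "QUERY_DATA_WS", "finance")
    return out

if __name__ == "__main__":
    print(demo())
```

In this model, a key pinned to a single role stays narrower than its owner, and removing a role from the owner also cuts off keys that were created with that role.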

Privileges and Built-In Roles

A privilege grants a specific action on a specific resource.

Rockset supports three types of privileges:

  • Global: these privileges allow an action globally across your account.
  • Integration: these privileges allow an action scoped to a single integration or a set of integrations. You may alternately specify 'All Integrations' (or *ALL* if using the API) to allow an action on all integrations (both current integrations and those created in the future).
  • Workspace: these privileges allow an action scoped to a single workspace or a set of workspaces. You may alternately specify 'All Workspaces' (or *ALL* if using the API) to allow an action on all workspaces (both current workspaces and those created in the future). You may also specify a cluster ID (e.g. rs2 for the public us-west-2 cluster or use1a1 for the public us-east-1 cluster) when specifying workspaces.

Rockset supports three built-in roles with preset privileges:

  • Admin role grants full access to all resources as well as full access to all global actions.
  • Member role grants full data read-write access but does not grant sensitive privileges relating to user management, role management and billing.
  • Read-only role grants full data read access but does not grant create / write access of any kind.

You can find the privileges associated with each of these roles in the Rockset Console. Although each built-in role differs in terms of actions allowed, all built-in roles are global, i.e. they grant access across all resources. To limit data access to specific integrations and resources, you must create a custom role.

Supported Privileges

The following privileges are currently supported:

| Resource Type | Action | Action ID | Usage |
| --- | --- | --- | --- |
| Global | All Global Actions | ALL_GLOBAL_ACTIONS | Grants all global-scoped privileges. |
| Global | Get Org | GET_ORG_GLOBAL | Grants the ability to fetch metadata about the current org. Without this, the Console may not be functional. |
| Global | Get Current User | GET_CURRENT_USER_GLOBAL | Grants the ability to return metadata about the current user. Without this, the Console may not be functional. |
| Global | Invite User | INVITE_USER_GLOBAL | Grants the ability to invite a user with any subset of the inviting user's current roles (e.g. members can invite other members). If you also have the Grant and Revoke Role privilege, you can invite users with any roles in the org. |
| Global | Delete User | DELETE_USER_GLOBAL | Grants the ability to delete a user and disable / delete their API keys. |
| Global | List Users | LIST_USERS_GLOBAL | Grants the ability to list all users and metadata. |
| Global | Get Metrics | GET_METRICS_GLOBAL | Grants the ability to view time series usage metrics for your organization. |
| Global | Get Billing | GET_BILLING_GLOBAL | Grants the ability to view detailed billing information and payment settings. |
| Global | Update Billing | UPDATE_BILLING_GLOBAL | Grants the ability to update billing information and payment settings. |
| Global | Update Settings | UPDATE_SETTINGS_GLOBAL | Grants the ability to update network and security settings. |
| Global | Update Virtual Instance | UPDATE_VI_GLOBAL | Grants the ability to update Virtual Instance type. |
| Global | List Virtual Instance | LIST_VI_GLOBAL | Grants the ability to list Virtual Instances and metadata. |
| Global | Create Workspace | CREATE_WS_GLOBAL | Grants the ability to create workspaces. |
| Global | List Workspaces | LIST_WS_GLOBAL | Grants the ability to list workspaces and metadata. |
| Global | Create Integration | CREATE_INTEGRATION_GLOBAL | Grants the ability to create integrations. |
| Global | Delete Integration | DELETE_INTEGRATION_GLOBAL | Grants the ability to delete integrations. |
| Global | List Integrations | LIST_INTEGRATIONS_GLOBAL | Grants the ability to list integrations and metadata. |
| Global | Update Resource Owner | UPDATE_RESOURCE_OWNER_GLOBAL | Grants the ability to transfer any resource's owner from one user to another. |
| Global | Create API Key | CREATE_API_KEY_GLOBAL | Grants the ability to create API keys, with any singular role from creator or ALL wildcard for full user permissions (API key role associations are immutable). |
| Global | Create Role | CREATE_ROLE_GLOBAL | Grants the ability to create roles from any privileges. |
| Global | List Roles | LIST_ROLES_GLOBAL | Grants the ability to list all roles in the org. |
| Global | Grant and Revoke Role | GRANT_REVOKE_ROLE_GLOBAL | Grants the ability to grant roles to and revoke roles from other users. |
| Global | Update Role | UPDATE_ROLE_GLOBAL | Grants the ability to edit or delete existing roles, removing any privilege or adding any privilege. |
| Global | Delete Role | DELETE_ROLE_GLOBAL | Grants the ability to delete existing roles. |
| Integration | All Integration Actions | ALL_INTEGRATION_ACTIONS | Grants all integration-scoped privileges. |
| Integration | Create Collection | CREATE_COLLECTION_INTEGRATION | Grants the ability to create a new collection from an existing integration. |
| Workspace | All Workspace Actions | ALL_WORKSPACE_ACTIONS | Grants all workspace-level privileges. |
| Workspace | Delete | DELETE_WS | Grants the ability to delete the workspace when it is empty. |
| Workspace | List All | LIST_RESOURCES_WS | Grants the ability to view all resources within the workspace. |
| Workspace | Create Collection | CREATE_COLLECTION_WS | Grants ability to create new collections (includes creating field mappings for new collections) and delete collections. |
| Workspace | Delete Collection | DELETE_COLLECTION_WS | Grants ability to create new collections (includes creating field mappings for new collections) and delete collections. |
| Workspace | Read via SQL | QUERY_DATA_WS | Grants the ability to query any collection / alias / view in the workspace along with their documents / data through any arbitrary SQL (or QL). |
| Workspace | Write to Collection | WRITE_DATA_WS | Grants the ability to add / edit data to all collections within the workspace. |
| Workspace | Create QL | CREATE_QUERY_LAMBDA_WS | Grants ability to create and update QLs / QL tags in the workspace. |
| Workspace | Delete QL | DELETE_QUERY_LAMBDA_WS | Grants ability to delete QLs / QL tags in the workspace. |
| Workspace | Execute QL | EXECUTE_QUERY_LAMBDA_WS | Grants the ability to execute a QL with any tag/version in this workspace. |
| Workspace | Create Alias | CREATE_ALIAS_WS | Grants ability to create and update aliases in the workspace. |
| Workspace | Delete Alias | DELETE_ALIAS_WS | Grants ability to delete aliases in the workspace. |
| Workspace | Create View | CREATE_VIEW_WS | Grants ability to create and update views in the workspace. |
| Workspace | Delete View | DELETE_VIEW_WS | Grants ability to delete views in the workspace. |

Queryable Entities: Collections, Query Lambdas and Views

Collections, Query Lambdas and views all act as queryable entities unto themselves — only the root workspace of a collection, Query Lambda or view is checked at execution time. For example, SELECT * FROM myWorkspace.myView will be allowed by the system if you have query access to myWorkspace, regardless of any other workspaces that myView might reference in its SQL definition.

You can use this mechanism to create fairly granular access control to slices of data. For example, you might create a view in workspace not-secret on certain fields from collections in workspace top-secret. Users with access to not-secret will be able to access the fields exposed by this view without access to the core data in top-secret.

You cannot create a view unless you have query access to all collections contained in the SQL definition of that view. Likewise, while you can technically create a Query Lambda with unauthorized SQL, it will remain permanently in the 'Invalid SQL' state and will not ever be executable programmatically.
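Because only the root workspace is checked at execution time, it is worth reviewing which underlying collections each role can reach through views. The sketch below is an added example, not Rockset code: the view and role data are constructed, the function names are hypothetical, and following views that reference other views is an assumption that goes beyond the single-level case described above.

```python
# Constructed sample: view -> entities referenced in its SQL definition.
VIEW_REFS = {
    "not-secret.order_totals": ["top-secret.orders"],
    "public.dashboard": ["not-secret.order_totals", "public.visits"],
}
# Constructed sample: role -> workspaces where it holds QUERY_DATA_WS.
ROLE_QUERY_WS = {
    "support": {"not-secret"},
    "intern": {"public"},
    "dba": {"top-secret", "not-secret", "public"},
}

def workspace_of(entity):
    return entity.split(".", 1)[0]

def can_query(role, entity):
    # Only the root workspace of the queried entity is checked.
    return workspace_of(entity) in ROLE_QUERY_WS[role]

def can_create_view(role, referenced):
    # Creating a view requires query access to everything it references
    # (the CREATE_VIEW_WS privilege itself is not modeled here).
    return all(can_query(role, ref) for ref in referenced)

def underlying(entity, seen=None):
    """Collections an entity ultimately reads, following nested views."""
    seen = set() if seen is None else seen
    if entity in seen:
        return set()
    seen.add(entity)
    if entity not in VIEW_REFS:
        return {entity}  # not a view, so treat it as a collection
    found = set()
    for ref in VIEW_REFS[entity]:
        found |= underlying(ref, seen)
    return found

def indirect_exposure(role):
    """Views a role can query that read collections it cannot query directly."""
    exposed = {}
    for view in VIEW_REFS:
        if can_query(role, view):
            hidden = sorted(c for c in underlying(view) if not can_query(role, c))
            if hidden:
                exposed[view] = hidden
    return exposed

if __name__ == "__main__":
    for role in ROLE_QUERY_WS:
        print(role, indirect_exposure(role))
```

An empty result for a role means every collection it can read through a view is one it could also query directly; any other entry is data exposed purely by the view's placement and should be an intentional choice.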

Creating Custom Roles

If you have the Admin role or a custom role that grants the 'Create Role' privilege, you may create custom roles.

From the Rockset Console, you can create a custom role with no initial privileges or you may create a custom role using an existing role (including built-in roles) as a preset. Once the role is created, you can add or remove privileges as needed. Note that without some privileges, the Console will not be usable.

You can also create and manage roles through the REST API.