• Administration
  • Security Settings

Security Settings

This page covers security settings available for your Rockset account.

Single Sign-On

Google for Work (G Suite) single-sign on is enabled for all accounts. Additional SSO connections, such as Okta or OneLogin, are also available to enterprise customers. To create your Okta connection, follow these instructions. Within the Rockset console, you will have two additional settings available:

  • SSO-only: This setting allows users to connect to Rockset only from your SSO provider. Other forms of authentication, such as username-password, are disabled. If off, all connections will be allowed. We recommend turning this setting on for maximum security.
  • Autoprovision: This setting tells Rockset to automatically create accounts for new users coming to Rockset from your SSO provider. Most SSO providers provide their own form of access control, so we recommend turning this setting on. If off, you will have to add users in the Rockset UI before they are able to access Rockset.

Note that this feature only applies to authentication for logging into the Rockset Console, and does not apply to calls made to the Rockset API or Query Lambdas using API Keys.

To enable single-sign on or OAuth support for accessing the Rockset Console, please contact

Multi-Factor Authentication

Enabling MFA for accessing the Rockset Console using password-based authentication without a third-party SSO connection is generally available. If you have Multi-Factor Authentication (MFA) enabled through a third-party SSO connection (such as G Suite or Okta), you will be able to enforce MFA for accessing the Rockset Console by configuring that SSO connection with Rockset following the instructions above.

IP Allowlisting

You may enable IP Allowlisting for your organization to restrict access to only a specified list of IP addresses.

If IP Allowlisting is enabled, only calls made to the Rockset service originating from an IP address specified in the IP Allowlist of your organization will be accepted. All requests originating from unrecognized IP address will be rejected with a HTTP 403 Forbidden error code. This includes access to the Rockset Console, all API operations, and SQL query endpoints.

Administrators of organizations with IP Allowlisting enabled can configure network policies in the form of an IP access list. IP addresses may be specified as individual IPs at the account level, or as a range of IPs in CIDR notation.

By default, all organizations are set to the No IP Allowlist setting, meaning that accesses originating from any IP address are allowed. You can enable IP Allowlisting and configure your network policies in the Settings tab of the Rockset Console. This is only available to users with the Administrator role.

You can restrict access to your organization by only allowing connections to Rockset over AWS PrivateLink. AWS PrivateLink enables you to connect to Rockset without exposing your traffic to the public internet.

If AWS PrivateLink is enabled for an organization in a region, only calls over AWS PrivateLink or from hosts in your IP Allowlist will be accepted for that region. All other requests will be rejected with a HTTP 403 Forbidden status code. This applies to accessing the Rockset Console and all API endpoints, including query endpoints.

This feature is not enabled by default. To request AWS PrivateLink connectivity, please contact