RBAC Best Practices and Use Cases

SingleStore Helios RBAC Use Cases

  1. You have a user A who needs to use a workspace group to load new datasets by running multiple pipelines. User B needs to run analytical queries. User C is responsible only for monitoring the workspace groups.

    • Invite users A, B, and C to be members of the organization.

    • Next, navigate to Deployments and select the workspace group from the workspace group list. Under the User Management tab, select Add Members and add user A with the workspace group Writer role. This grants user A the privilege to both read and write.

    • Add user B by assigning the Reader role using the same User Management tab.

    • Add user C by assigning the Observer role using the same User Management tab.

  2. As an Organization owner for Org1, you want to invite user A to the organization to be able to use Notebooks and run analytics on a specific workspace group's workspace. Your organization is using either the Standard or Enterprise edition.

    • From the organization menu, select the Users & Permissions tab and invite user A as a User, i.e., without any other privilege or team membership. Select the Add User button, enter the user's email, and select Add User.

    • Next, navigate to Deployments and, from the workspace group list, select the workspace group you want to allow this user to connect to. Under the User Management tab, select Add Members and add user A with the Writer role. This grants the user the privilege to perform both read and write operations.

    • User A can now use Notebooks and run both read and write queries, but only against that workspace group; all other workspace groups remain inaccessible to user A.

SingleStore Helios RBAC Best Practices

Roles and predefined groups (teams) authorize access to objects, such as the organization and workspace groups, and define the types of action a user can perform. Teams can inherit other roles based on the hierarchy, so it is essential to plan and implement a proper role hierarchy model.

Only pre-defined roles are supported for users in the Shared edition. Both pre-defined and custom roles are supported for users in the Standard and Enterprise editions.

For the most flexible control over access to cloud resources, start from the principle of least privilege and add privileges to the predefined teams only as required.

  • Invite the minimum number of key users for the Organization Owner and Organization Billing Admin teams.

  • All other users should be invited as just members (i.e. without being part of any key teams).

  • For individual users, assign them to specific workspace groups based on the privileges defined above for the workspace group-level teams.

  • Build key ownership at the Organization and then also at the Workspace group level so that delegation is easy and scalable.
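To make the scoping in the use cases and best practices above concrete, here is an added example (not SingleStore code or API) that models the page's workspace-group roles and organization teams as an access-decision function plus an audit of a constructed membership table. The role-to-action mapping is simplified to what the page states; the membership data format, the per-team threshold and the account names are assumptions.

```python
from dataclasses import dataclass, field

# Actions the page attributes to each workspace-group role (simplified:
# Writer = read and write, Reader = read, Observer = monitoring only).
ROLE_ACTIONS = {"Writer": {"read", "write"}, "Reader": {"read"}, "Observer": {"monitor"}}
KEY_TEAMS = {"Organization Owner", "Organization Billing Admin"}


@dataclass
class Member:
    email: str
    org_teams: set = field(default_factory=set)   # organization-level teams
    wg_roles: dict = field(default_factory=dict)  # workspace group -> role


def may(member, action, workspace_group):
    """Access decision. Roles are granted per workspace group, so a Writer on
    one group has no access on another unless added there as well."""
    role = member.wg_roles.get(workspace_group)
    return role in ROLE_ACTIONS and action in ROLE_ACTIONS[role]


def audit(members, max_per_key_team=2):
    """Flag departures from the page's least-privilege guidance: few users on
    key teams, everyone else a plain member scoped to workspace groups.
    The threshold is an assumption, not a SingleStore limit."""
    findings = []
    for team in sorted(KEY_TEAMS):
        holders = [m.email for m in members if team in m.org_teams]
        if len(holders) > max_per_key_team:
            findings.append(f"{team}: {len(holders)} members, expected at most {max_per_key_team}")
    for m in members:
        for wg, role in m.wg_roles.items():
            if role not in ROLE_ACTIONS:
                findings.append(f"{m.email}: unknown role {role!r} on {wg}")
        if not m.org_teams and not m.wg_roles:
            findings.append(f"{m.email}: plain member with no workspace-group role")
    return findings


# Constructed membership table (not real accounts) mirroring use case 1:
# A loads data (Writer), B queries (Reader), C only monitors (Observer) on wg-load.
MEMBERS = [
    Member("owner@example.com", org_teams={"Organization Owner"}),
    Member("a@example.com", wg_roles={"wg-load": "Writer"}),
    Member("b@example.com", wg_roles={"wg-load": "Reader"}),
    Member("c@example.com", wg_roles={"wg-load": "Observer", "wg-analytics": "Writter"}),
    Member("d@example.com"),
]

if __name__ == "__main__":
    print(may(MEMBERS[1], "write", "wg-load"), may(MEMBERS[1], "read", "wg-analytics"))
    print(*audit(MEMBERS), sep="\n")
```

Running it shows user A writing to wg-load but having no access to wg-analytics, and the audit catching the misspelled role and the orphaned member.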

Last modified: December 4, 2024
