# RBAC Best Practices and Use Cases ## SingleStore Helios RBAC Use Cases 1. You have a user A who needs to use a workspace group to load new datasets by running multiple pipelines. User B needs to run analytical queries. User C is responsible only for monitoring the workspace groups. * Invite users A, B, and C to be members of the organization. * Next, navigate to **Workspaces**, select **Access & Security** from the **Actions** list for the workspace. Under **User Management**, select **Grant Access**, and add user A to the workspace **Writer** role. This gives the privilege to both read and write to the user A. * Add user B by assigning the **Reader** role using the same **User Management** tab. * Add user C by assigning the **Observer** role using the same **User Management** tab. 2. As an Organization owner for Org1, you want to invite user A to the organization so they can use SingleStore Notebooks and run analytics on a specific workspace group's workspace. Your organization is using either the Standard or Enterprise edition. * From the organization menu, select **Users & Permissions** tab, and invite user A as a **User** i.e. without any other privilege or team. Select **Add User** button, add **User Email**, and select **Add User**. * Next, navigate to **Workspaces**, and select **Access & Security** from the **Actions** list for the workspace you want to allow this user to connect to. Under **User Management**, select **Grant Access**, and add user A with the **Writer** role. This gives that user the privilege to do both read and write operations. * Now the user can only use the notebooks and run both read and write queries only for that workspace group. All other workspace groups are not accessible to user A. ## SingleStore Helios RBAC Best Practices Roles and predefined groups (teams) are used for authorizing access to objects, such as organization, workspace groups etc., and the types of action that a user can do. Teams can inherit other roles based on the hierarchy. Therefore, it is essential to have a proper role hierarchy model planned and implemented. Only pre-defined roles are supported for users in the Shared edition. Both pre-defined and custom roles are supported for users in the Standard and Enterprise editions. For optimal flexibility in controlling access to cloud resources, follow the principles of least privilege access to begin with and add privileges to different predefined teams as required. * Invite the minimum number of key users for the **Organization Owner** and **Organization Billing Admin** teams. * All other users should be invited as just members (i.e. without being part of any key teams). * For individual users, assign them to specific workspace groups based on the privileges defined above for the workspace group-level teams. * Build key ownership at the Organization and then also at the Workspace group level so that delegation is easy and scalable. *** Modified at: May 12, 2026 Source: [/cloud/security/administration/role-based-access-control-rbac-for-singlestore-helios/rbac-best-practices-and-use-cases/](https://docs.singlestore.com/cloud/security/administration/role-based-access-control-rbac-for-singlestore-helios/rbac-best-practices-and-use-cases/) (An index of the documentation is available at /llms.txt)