RBAC Best Practices and Use Cases

SingleStore Helios RBAC Use Cases

  1. You have a user A who needs to use a workspace group to load new datasets by running multiple pipelines. User B needs to run analytical queries. User C is responsible only for monitoring the workspace groups.

    • Invite users A, B, and C to be members of the organization.

    • Next, navigate to Deployments, select the workspace group from the workspace group list, and under the User Management tab, select Add Members and add user A with the workspace group Writer role. This gives user A the privilege to both read and write in that workspace group.

    • Add user B by assigning the Reader role using the same User Management tab.

    • Add user C by assigning the Observer role using the same User Management tab.

  2. As an Organization owner for Org1, you want to invite user A to the organization to be able to use Notebooks and run analytics on a specific workspace group's workspace.

    • From the organization menu, select the Users & Teams tab and invite user A as a User, i.e., without any other privilege or team. Select the Add Member button, enter the user's email, and select Add User.

    • Next, navigate to Deployments, and select the workspace group from the workspace group list you want to allow this user to connect to. Under the User Management tab, select Add Members, and add user A with the Writer role. This gives that user the privilege to do both read and write operations.

    • Now user A can use Notebooks and run both read and write queries, but only against that workspace group. All other workspace groups remain inaccessible to user A.

SingleStore Helios RBAC Best Practices

Roles and predefined groups (teams) are used to authorize access to objects, such as the organization and workspace groups, and to define the types of action a user can perform on them. Teams can inherit roles from other teams according to the hierarchy, so it is essential to plan and implement a proper role hierarchy model before granting access.

Currently, SingleStore Helios supports only predefined roles.

For optimal flexibility in controlling access to cloud resources, start from the principle of least privilege and add privileges to the predefined teams only as required.

  • Invite the minimum number of key users for the Organization Owner and Organization Billing Admin teams.

  • All other users should be invited as just members (i.e. without being part of any key teams).

  • For individual users, assign them to specific workspace groups using the workspace group-level roles (Writer, Reader, Observer) described above, rather than granting organization-wide privileges.

  • Build key ownership at the Organization and then also at the Workspace group level so that delegation is easy and scalable.
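The two use cases and the best practices above describe the same structure: organization membership first, then a per-workspace-group role, with nothing granted outside that scope. The following is an added illustration of that model, not SingleStore's own code, its Management API, or its role definitions. The role and team names are the ones on this page; the permission sets per role (`read`, `write`, `monitor`), the `Org` class, and the audit thresholds are assumptions made here to show how scoping and least privilege fit together.

```python
"""Toy model of the RBAC layout described on this page (added example, not SingleStore code)."""
from dataclasses import dataclass, field

# Assumed permission sets for the workspace group-level roles named on the page.
WORKSPACE_GROUP_ROLES = {
    "Writer": {"read", "write"},
    "Reader": {"read"},
    "Observer": {"monitor"},
}

# Organization-level teams named on the page. A plain member belongs to neither.
ORG_TEAMS = {"Organization Owner", "Organization Billing Admin"}


@dataclass
class Org:
    name: str
    members: set = field(default_factory=set)          # every invited user
    teams: dict = field(default_factory=dict)          # team -> set of users
    wg_roles: dict = field(default_factory=dict)       # workspace group -> {user: role}

    def invite(self, user, team=None):
        """Invite a user; only Organization Owner / Billing Admin add org-level privilege."""
        self.members.add(user)
        if team is not None:
            if team not in ORG_TEAMS:
                raise ValueError(f"unknown organization team: {team}")
            self.teams.setdefault(team, set()).add(user)

    def add_to_workspace_group(self, group, user, role):
        """Assign a workspace group role; the user must already be an org member."""
        if user not in self.members:
            raise PermissionError(f"{user} must be invited to the organization first")
        if role not in WORKSPACE_GROUP_ROLES:
            raise ValueError(f"unknown workspace group role: {role}")
        self.wg_roles.setdefault(group, {})[user] = role

    def allowed(self, user, group, action):
        """Access is scoped: no role on this workspace group means no access at all."""
        role = self.wg_roles.get(group, {}).get(user)
        if role is None:
            return False
        return action in WORKSPACE_GROUP_ROLES[role]

    def audit(self, max_privileged=2):
        """Least-privilege checks (thresholds are assumptions for this example)."""
        findings = []
        for team in sorted(ORG_TEAMS):
            holders = self.teams.get(team, set())
            if len(holders) > max_privileged:
                findings.append(f"{team} has {len(holders)} members; keep this to key users")
        unassigned = self.members - {u for g in self.wg_roles.values() for u in g}
        privileged = {u for t in self.teams.values() for u in t}
        for user in sorted(unassigned - privileged):
            findings.append(f"{user} is a member with no workspace group role")
        return findings


def build_use_case_1():
    """Users A (pipelines), B (analytics), C (monitoring) on one workspace group."""
    org = Org("Org1")
    for user in ("A", "B", "C"):
        org.invite(user)                       # plain members, no org-level team
    org.add_to_workspace_group("wg-analytics", "A", "Writer")
    org.add_to_workspace_group("wg-analytics", "B", "Reader")
    org.add_to_workspace_group("wg-analytics", "C", "Observer")
    return org


def build_over_privileged():
    """Constructed counter-example: too many owners and an idle member."""
    org = Org("Org1")
    for user in ("O1", "O2", "O3"):
        org.invite(user, team="Organization Owner")
    org.invite("D")                            # invited but never scoped to a workspace group
    return org


if __name__ == "__main__":
    org = build_use_case_1()
    print(org.allowed("A", "wg-analytics", "write"))   # True
    print(org.allowed("A", "wg-other", "read"))        # False: other groups stay closed
    print(build_over_privileged().audit())
```

Two things the model makes concrete: a user with no role on a workspace group gets nothing there, even if they hold Writer elsewhere, and the audit flags exactly the deviations the best practices warn about (too many Organization Owners, members who were invited but never scoped).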

Last modified: July 19, 2024
