Role-Based Access Control (RBAC)
Actyze implements a three-tier role-based access control system to secure your data and manage user permissions effectively.
Overview
RBAC in Actyze provides:
- Three distinct roles with different permission levels
- Granular data access control at catalog, schema, and table levels
- Group-based permissions for team management
- Audit logging of all access attempts
User Roles
ADMIN
Full system access and management capabilities
Permissions:
- All USER permissions (below)
- User management (create, update, delete users)
- Role assignment (assign ADMIN, USER, READONLY roles)
- Data access configuration (grant/revoke table access)
- Schema visibility management (show/hide databases)
- System configuration
- View all uploaded files (all users)
Use Cases:
- System administrators
- Data governance teams
- Security officers
- Platform managers
Example Query Access:
-- ADMINs have unrestricted access to all data
SELECT * FROM any_catalog.any_schema.any_table
USER
Regular user with full analytical capabilities
Permissions:
- Query data (based on assigned data access)
- Create, edit, and delete own dashboards
- Upload CSV and Excel files
- Set schema preferences (boosting)
- Add metadata descriptions
- View own query history
- Save and share queries
Restrictions:
- Cannot access data without explicit permission
- Cannot manage other users
- Cannot configure system settings
- Cannot view other users' uploaded files
Use Cases:
- Data analysts
- Business analysts
- Data scientists
- Report builders
Example Query Access:
-- USERs can only query tables they have access to
SELECT * FROM sales.public.orders -- Allowed, if access has been granted
SELECT * FROM hr.payroll.salaries -- Denied: no access granted
READONLY
View-only access for data consumers
Permissions:
- Query data (based on assigned data access)
- View existing dashboards
- View query results
- Export query results
Restrictions:
- Cannot create, edit, or delete dashboards
- Cannot upload CSV/Excel files
- Cannot set schema preferences
- Cannot add metadata descriptions
- Cannot modify any data or configuration
Use Cases:
- Business stakeholders
- Executives
- External auditors
- Read-only analysts
Example Query Access:
-- READONLY users can query assigned data but cannot modify anything
SELECT * FROM sales.public.orders -- Allowed, if access has been granted
-- Cannot upload files, create dashboards, or modify preferences
Role Comparison
| Capability | ADMIN | USER | READONLY |
|---|---|---|---|
| Data Access | | | |
| Query assigned data | Yes | Yes | Yes |
| Query all data | Yes | No | No |
| Content Creation | | | |
| Create dashboards | Yes | Yes | No |
| Edit own dashboards | Yes | Yes | No |
| Delete own dashboards | Yes | Yes | No |
| Upload files (CSV/Excel) | Yes | Yes | No |
| Preferences | | | |
| Set schema boosting | Yes | Yes | No |
| Add metadata descriptions | Yes | Yes | No |
| Administration | | | |
| Manage users | Yes | No | No |
| Assign roles | Yes | No | No |
| Configure data access | Yes | No | No |
| Manage schema visibility | Yes | No | No |
| View all uploaded files | Yes | No | No |
Data Access Control
Access Levels
Data access is configured at multiple levels:
Catalog Level:
Grant access to: postgres
User can access: postgres.*.*
Schema Level:
Grant access to: postgres.public
User can access: postgres.public.*
Table Level:
Grant access to: postgres.public.customers
User can access: postgres.public.customers only
Access Rule Priority
More specific rules take precedence:
- Table-level rules (most specific)
- Schema-level rules
- Catalog-level rules (least specific)
Example:
User has access to: postgres.public (schema level)
User is denied: postgres.public.salaries (table level)
Result: Can access all postgres.public tables EXCEPT salaries
User Management
Creating Users
Admin Interface:
- Navigate to Admin → Users Management
- Click Create User
- Enter user details:
- Username
- Password
- Role (ADMIN, USER, or READONLY)
- Click Create
API:
curl -X POST https://your-actyze.com/api/admin/users \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "john.doe",
    "email": "john.doe@company.com",
    "password": "secure-password",
    "role": "USER"
  }'
Changing User Roles
Admin Interface:
- Go to Admin → Users Management
- Find user in list
- Click role dropdown
- Select new role
- Click Update
API:
curl -X PUT https://your-actyze.com/api/admin/users/{user_id}/role \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "role": "READONLY"
  }'
Deactivating Users
Users can be deactivated without deletion to preserve audit history:
curl -X PUT https://your-actyze.com/api/admin/users/{user_id}/deactivate \
-H "Authorization: Bearer ADMIN_TOKEN"
Configuring Data Access
Grant Access to Users
Admin Interface:
- Navigate to Admin → Data Access
- Click Add Access Rule
- Select:
- User
- Catalog (database)
- Schema (optional - for schema-level)
- Table (optional - for table-level)
- Click Grant Access
API - Catalog Level:
curl -X POST https://your-actyze.com/api/admin/data-access \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "user-uuid",
    "catalog": "postgres"
  }'
API - Table Level:
curl -X POST https://your-actyze.com/api/admin/data-access \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "user-uuid",
    "catalog": "postgres",
    "schema": "public",
    "table": "customers"
  }'
Revoke Access
Admin Interface:
- Go to Admin → Data Access
- Find access rule
- Click Revoke
- Confirm revocation
API:
curl -X DELETE https://your-actyze.com/api/admin/data-access/{rule_id} \
-H "Authorization: Bearer ADMIN_TOKEN"
Check User Access
Verify what data a user can access:
API:
curl -X GET "https://your-actyze.com/api/admin/check-access?user_id={user_id}&catalog=postgres&schema=public&table=customers" \
-H "Authorization: Bearer ADMIN_TOKEN"
Response:
{
  "has_access": true,
  "reason": "User has schema-level access to postgres.public"
}
Group-Based Permissions
Creating Groups
Groups allow managing permissions for multiple users at once:
curl -X POST https://your-actyze.com/api/admin/groups \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Sales Team",
    "description": "Access to sales data"
  }'
Adding Users to Groups
curl -X POST https://your-actyze.com/api/admin/groups/{group_id}/members \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "user-uuid"
  }'
Grant Access to Groups
curl -X POST https://your-actyze.com/api/admin/group-data-access \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "group_id": "group-uuid",
    "catalog": "postgres",
    "schema": "sales"
  }'
All group members automatically inherit the group's data access permissions.
Access Enforcement
Query-Time Enforcement
Access control is enforced at query time:
- User submits natural language query
- System generates SQL
- Access check verifies user has permission for all referenced tables
- If permitted → query executes
- If denied → error returned
Access Denied Example:
User Query: "Show all employee salaries"
Generated SQL: SELECT * FROM hr.payroll.salaries
Access Check: Denied. User does not have access to hr.payroll.salaries
Result: Error: "Access denied to table hr.payroll.salaries"
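The precedence described under Access Rule Priority and the all-tables check described above can be modelled together. This is an added example, not Actyze's own code: `Rule`, `check_access` and `authorize_query` are hypothetical names, the rule list is assumed to be the user's already-merged effective rules, and a grant and a deny at the same level are assumed to resolve to deny.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = {1: "catalog", 2: "schema", 3: "table"}

@dataclass(frozen=True)
class Rule:
    """One access rule (hypothetical model, not Actyze's schema)."""
    allow: bool
    catalog: str
    schema: Optional[str] = None  # None: rule covers the whole catalog
    table: Optional[str] = None   # None: rule covers the whole schema

    def __post_init__(self):
        if self.table is not None and self.schema is None:
            raise ValueError("a table-level rule needs a schema")

    @property
    def level(self) -> int:
        # 1 = catalog, 2 = schema, 3 = table
        return 1 + (self.schema is not None) + (self.table is not None)

    def covers(self, catalog, schema, table) -> bool:
        return (self.catalog == catalog
                and self.schema in (None, schema)
                and self.table in (None, table))

def check_access(rules, fqn):
    """Return (allowed, reason) for one catalog.schema.table name."""
    parts = fqn.split(".")
    if len(parts) != 3 or not all(parts):
        return False, f"{fqn!r} is not a catalog.schema.table name"
    matching = [r for r in rules if r.covers(*parts)]
    if not matching:
        return False, f"no rule covers {fqn}"  # no explicit permission: deny
    top = max(r.level for r in matching)       # most specific level wins
    # Assumption: a grant and a deny at the same level resolve to deny.
    allowed = all(r.allow for r in matching if r.level == top)
    return allowed, f"{LEVELS[top]}-level {'grant' if allowed else 'deny'} on {fqn}"

def authorize_query(rules, referenced_tables):
    """A query runs only if every referenced table is allowed."""
    denied = [t for t in referenced_tables if not check_access(rules, t)[0]]
    return not denied, denied

# Constructed rules mirroring the page's example: schema grant, table deny.
RULES = [Rule(True, "postgres", "public"),
         Rule(False, "postgres", "public", "salaries")]
```

A query that joins an allowed table with a denied one is rejected as a whole, and the denied table names are returned so the error can name them.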
Trino Integration
Access rules are enforced through Trino's built-in access control:
# Trino access control configuration
accessControl:
  enabled: true
  type: "file"
  refreshPeriod: "1s"
Schema Visibility
Admins can hide entire databases/schemas from non-admin users:
curl -X POST https://your-actyze.com/api/admin/schema-exclusions \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "catalog": "postgres",
    "schema": "internal_analytics",
    "reason": "Internal use only"
  }'
Hidden schemas:
- Do not appear in schema browser
- Cannot be queried by non-admins
- Admins can still access them
Audit and Compliance
Query History
All queries are logged with:
- User ID
- Timestamp
- Query text
- Execution time
- Result status
- Tables accessed
View Query History:
curl -X GET "https://your-actyze.com/api/query-history?user_id={user_id}" \
-H "Authorization: Bearer ADMIN_TOKEN"
Access Logs
Track access attempts:
SELECT
  user_id,
  catalog,
  schema_name,
  table_name,
  access_granted,
  timestamp
FROM nexus.access_logs
WHERE timestamp > NOW() - INTERVAL '7 days'
ORDER BY timestamp DESC
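Rows returned by the query above can be screened for bursts of denied attempts across several tables, a pattern worth reviewing during an audit. This is an added example, not part of Actyze: `flag_denial_bursts`, its thresholds and the sample rows are constructed for illustration, with columns in the same order as the SELECT list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (user_id, catalog, schema_name, table_name,
# access_granted, timestamp)
ROWS = [
    ("u-101", "hr", "payroll", "salaries", False, "2024-05-01T09:00:00"),
    ("u-101", "hr", "payroll", "bonuses", False, "2024-05-01T09:02:00"),
    ("u-101", "postgres", "finance", "ledger", False, "2024-05-01T09:04:00"),
    ("u-202", "postgres", "sales", "orders", True, "2024-05-01T09:05:00"),
    ("u-202", "hr", "payroll", "salaries", False, "2024-05-01T09:06:00"),
    ("u-303", "hr", "payroll", "salaries", False, "2024-05-01T09:00:00"),
    ("u-303", "hr", "payroll", "salaries", False, "2024-05-01T12:00:00"),
    ("u-303", "hr", "payroll", "salaries", False, "2024-05-01T15:00:00"),
]

def flag_denial_bursts(rows, window=timedelta(minutes=10),
                       min_denied=3, min_tables=2):
    """Flag users with >= min_denied denials on >= min_tables distinct
    tables inside any sliding window. Thresholds are assumptions to tune."""
    denied = defaultdict(list)
    for user, cat, sch, tbl, granted, ts in rows:
        if not granted:
            denied[user].append((datetime.fromisoformat(ts), f"{cat}.{sch}.{tbl}"))

    findings = {}
    for user, events in denied.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            tables = {name for _, name in span}
            if len(span) >= min_denied and len(tables) >= min_tables:
                best = findings.get(user)
                if best is None or len(span) > best["denied"]:
                    findings[user] = {"denied": len(span), "tables": sorted(tables)}
    return findings
```

On the sample rows only `u-101` is flagged: `u-202` has a single denial, and the three denials for `u-303` are hours apart and hit one table.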
User Activity
Monitor user actions:
- Logins
- Role changes
- Data access grants/revokes
- Dashboard creation/deletion
- File uploads
Best Practices
Role Assignment
Start restrictive:
- Assign READONLY by default
- Upgrade to USER when analytical work is needed
- Reserve ADMIN for platform administrators
Principle of least privilege:
- Grant minimum necessary permissions
- Use group-based access for teams
- Regularly audit user permissions
Data Access
Organized hierarchy:
Team: Sales Analysts
Access: postgres.sales.* (all sales schema tables)
Team: Finance
Access: postgres.finance.* (all finance schema tables)
Team: Executives
Access: postgres.public.revenue_summary (specific table only)
Sensitive data:
- Use table-level restrictions for PII
- Exclude sensitive schemas entirely
- Configure data masking if needed
Security
Password policies:
- Enforce strong passwords
- Regular password rotation
- Multi-factor authentication (if available)
Session management:
- Automatic session timeout
- Force logout on role change
- Monitor concurrent sessions
Regular audits:
- Review user list quarterly
- Remove inactive users
- Audit data access permissions
- Check query logs for anomalies
Troubleshooting
Access Denied Errors
"Access denied to table X"
Check:
- User's assigned data access rules
- Group memberships and group access
- Schema exclusions (hidden schemas)
- Trino access control configuration
Debug:
# Check user's access
curl -X GET "https://your-actyze.com/api/admin/users/{user_id}/data-access" \
-H "Authorization: Bearer ADMIN_TOKEN"
READONLY User Cannot Upload
Expected behavior - READONLY users cannot upload files.
Solution: Upgrade user to USER role:
curl -X PUT https://your-actyze.com/api/admin/users/{user_id}/role \
-H "Authorization: Bearer ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{"role": "USER"}'
Permission Changes Not Reflecting
Cause: Cache or session issue
Solution:
- User should log out and log back in
- Clear application cache
- Verify change was saved in database
Additional Resources
- User Management API - Complete API reference
- Schema Boosting - User preferences
- Metadata - Data descriptions
- Quick Start - Using Actyze
Support
For RBAC configuration:
- Review user roles and permissions
- Check data access rules
- Verify Trino access control
- Review audit logs for access attempts
- Contact support with specific access errors