Role-Based Access Control (RBAC) for SingleStore Helios Cloud

Now generally available.

In the dynamic landscape of cloud-based data management, security is paramount. SingleStore recognizes the significance of safeguarding your data and infrastructure, offering a robust security solution through Role-Based Access Control (RBAC). In this blog, we will delve into the intricacies of RBAC for SingleStore Helios Cloud, exploring its features, implementation and how it enhances the overall security of your database.

RBAC simplifies fine-grained access control

RBAC holds particular significance in the context of cloud databases, due to the dynamic and multi-tenant nature of these platforms. In a SaaS environment, where multiple users from different organizations share a common software application, RBAC is instrumental in providing a structured and secure access management framework.

RBAC ensures that users within the SaaS ecosystem are assigned roles with specific permissions tailored to their responsibilities, adhering to the principle of least privilege. Not only does this enhance security by restricting unauthorized access, but it also simplifies the overall access control process, making it more manageable and scalable as the user base expands.

Additionally, RBAC reduces the risk of human error in the administration of access rights, contributing to the overall reliability and trustworthiness of SaaS services. In essence, RBAC is a foundational component for SaaS security, promoting efficiency, scalability and robust access control in the complex, shared environments characteristic of SaaS platforms.

Key features of RBAC in SingleStore Helios cloud

• Fine-grained control. SingleStore Helios Cloud RBAC allows administrators to define and manage access at a granular level. This ensures users have precisely the permissions they need to perform their tasks, preventing unnecessary access to sensitive data.

• Predefined roles. To simplify the management process, SingleStore Helios cloud offers a set of predefined roles like owner, user administrator, operator, writer or reader. These roles come with specific permissions tailored to common use cases, reducing the complexity of role assignment.
• Teams. Users with shared roles can be grouped into teams, simplifying the administration of RBAC. Roles can be granted or revoked for teams instead of for each user. Standard teams are created automatically for common roles.
• Integration with database RBAC. Users defined in SingleStore Helios cloud are automatically synchronized to workspaces with default database access appropriate for their roles.

Key concepts

• Resources. RBAC controls access to resources in SingleStore Helios Cloud. The most commonly accessed resources are workspace groups and the organization. For example, access to a workspace group is found under the User Management tab. Users or teams can be granted roles to allow access to the workspace group

• Roles. Granted to a user or team for a resource, roles define the actions that a user can perform on resources. For example, a user is allowed to configure an identity provider if they are granted the User Administrator role for the organization. A user is allowed to suspend a workspace if they are granted the Operator role on the workspace group.
• Role inheritance. Inheritance simplifies the administration of roles across multiple resources. A role granted to the organization is typically inherited by all the resources in the organization —for example, an organization Writer is granted the Writer role on all workspace groups in the organization.
• Teams. Teams are groups of users. A team may be granted roles on any resource, with standard teams created for the most common use cases. For example, the Organization Operators team is granted the Operator role on the organization, which then grants the Operator role on each workspace group in the organization through inheritance. Adding a user to this team grants that user the Operator role, while removing the user from the team immediately revokes any roles granted through the team.
• Owners.  The Owner role always gives full access to the resource, including the ability to grant or revoke access for any user or team. In addition, the Owner role is inherited so that an Owner of the organization is also an Owner of all resources in the organization. This means members of the Organization Owners team have full access to all resources.
• User synchronization. Users granted roles on a workspace group (either directly or through inheritance) are synchronized into all workspaces in the workspace group. Any user added or removed by an identity provider in SingleStore Helios cloud will also be added or removed from the workspaces. In addition, the users are given database access matching their SingleStore Helios cloud roles.
  
  Users with the Reader role will be given read access to all databases attached to any workspace, for example. Users can be granted additional access to databases in the workspace using the SQL interface. If you plan to manage all database access using SQL, users can be granted the Limited Access role, causing them to be synchronized to the workspaces without granting any default data access.

Conclusion

RBAC is a powerful tool for securing your data and infrastructure. Our goal is to implement fine-grained access control so organizations can ensure users have the right level of access and minimize the risk of security breaches. Start securing your SingleStore Helios cloud deployments by using the new RBAC permissions today.

If you have any feedback, reach out to us at pm@singlestore.com or through public Forums.  Activate your free SingleStore trial today to get started.