Role-based access control (RBAC)
This page introduces role-based access management (RBAC) in Materialize. RBAC allows you to apply granular privileges to your Materialize objects and clusters. Organizations using RBAC can manage user roles and privileges to ensure there is not unauthorized or improper access to sensitive objects.
In Materialize, RBAC allows organization administrators to:
-
Determine which users have read or write privileges for specific objects
-
Control how users interact with clusters by giving them different levels of access to resources
-
Prevent accidental operations from unauthorized users
-
Isolate access to user-facing data from internal organization data
Materialize object access is also dependent on cluster privileges. Roles that need access to an object that use compute resources must also have the same level of access to the cluster. Materialize objects that use compute resources are:
- Replicas
- Sources
- Sinks
- Indexes
- Materialized views
The next sections go over the concepts of authorization and authentication and the objects within Materialize.
RBAC structure
RBAC in practice is a group of roles with assigned privileges. You can assign specific users to roles or assign privileges to users to inherit from other roles.
Roles
A role is a collection of privileges you can apply to users. Roles make it easier to assign or revoke privileges on Materialize objects. You can group users into specified roles with different levels of privileges and adjust those privileges to ensure they have the correct level of access to objects.
Role attributes
Role attributes are actions available to any role you create. Attributes are independent of any other object in Materialize and apply to the entire organization. You can edit these actions when you create the role:
| Name | Description |
|---|---|
INHERIT |
Read-only. Can inherit privileges of other roles. |
PostgreSQL uses role attributes to determine if a role is allowed to execute certain statements. In Materialize these have all been replaced by system privileges.
Privileges
Privileges are the actions or operations a role is allowed to perform on a specific object. After you create a role, you can grant it the following object-specific privileges in Materialize:
| Privilege | Description | psql |
|---|---|---|
SELECT |
Allows selecting rows from an object. | r |
INSERT |
Allows inserting into an object. | a |
UPDATE |
Allows updating an object (requires SELECT). |
w |
DELETE |
Allows deleting from an object (requires SELECT). |
d |
CREATE |
Allows creating a new object within another object. | C |
USAGE |
Allows using an object or looking up members of an object. | U |
CREATEROLE |
Allows creating, altering, deleting roles and the ability to grant and revoke role membership. | R |
CREATEDB |
Allows creating databases. | B |
CREATECLUSTER |
Allows creating clusters. | N |
Note that the system catalog uses the abbreviation of the privilege name.
Objects in Materialize have different levels of privileges available to them. Materialize supports the following object type privileges:
| Object Type | Privileges |
|---|---|
SYSTEM |
CREATEROLE, CREATEDB, CREATECLUSTER |
DATABASE |
USAGE, CREATE |
SCHEMA |
USAGE, CREATE |
TABLE |
INSERT, SELECT, UPDATE, DELETE |
VIEW |
SELECT |
MATERIALIZED VIEW |
SELECT |
TYPE |
USAGE |
SOURCE |
SELECT |
CONNECTION |
USAGE |
SECRET |
USAGE |
CLUSTER |
USAGE, CREATE |
Inheritance
Inheritance in RBAC allows you to create roles that inherit privileges from other roles. Inheritance only applies to role privileges; role attributes and parameters are not inherited. Inheriting privileges allows you to minimize the number of roles you have to manage.