Lenses permissions

Lenses implements a data namespace security approach to support multi-tenant setups with fine-grained access control on data, apps and admin features. In this guide you'll get an overview of Lenses security system. Some security features subject to your subscription plan.


Lenses provides a rich and flexible fine-grained security model to protect resources and shape teams and projects. To implement it, you need to create Groups and assign User or Service accounts to each group. Groups maintain the authorisation rules in Namespaces, scoped and admin functions. Authentication may be supported via Basic Authentication or and external authentication provider such as LDAP, SSO provider, and Kerberos.

The process to add users:

  1. Select your authentication method
  2. Create groups with namespaces and permissions and map with your provider if required
  3. Follow the instructions for your auth provider to create user accounts and add to the group

There are three categories of permissions in Groups:

  • Namespaces, related to data sources
  • Application, related to apps and are scoped to the namespaces
  • Administration, related to administration functions of Lenses and are not scoped by namespaces

Data centric Namespaces 

Namespace is a collection of datasets, described by naming conventions and the associated permissions. If a User belongs to multiple Groups, his permissions are set according to the aggregated namespaces. There is wildcard support for prefix/suffix or dataset names ie: transactionTopic, *transactions, transactions*, *transactions*

The Namespaces are defined by the combination of:

  • the data source connection name (ie. Kafka, elasticDev),
  • the dataset naming rules using wildcards or names (ie. topicName, topicName*, *topicName) and
  • the related permissions to the connection (ie. Configure Topic, View Data etc.)

Multiple data sources 

Kafka is a primary data source in Lenses. It provides granular permissions on different elements of Topics and administration.

Additionally, Lenses recently introduced Elasticsearch and coming soon PostgresSQL and other sources in order to expand the real-time data catalog and provide a holistic view of the data pipelines for Kafka developers.

Datasets from additional sources are also supported by Lenses security system.

Connection Permission

Role based access control 

Lenses administrator can set up multiple Namespaces for each group with fine permissions for the data topics.

By doing so, you are able to describe your projects & teams but also achieve better sharing of data among them.


Users in groupA can manage TopicA (insert/delete/configure etc) but have read only view to TopicB.

Users in groupA can View, Insert or Delete data for topics starting from payments but only the users in groupB have the topics admin actions (Create/Delete/Configure), but not be able to view the data.

Scope resources via Namespaces 

Namespaces affect which part of the world Users can interact with. Data is also used by Applications, ie. connectors and processors, are protected by the namespaces scope.

Scoped permissions

Application resources are scoped 

An Application reads, writes or processes data from datasets. Applications in Lenses can be Kafka Connectors, SQL processors, External Apps or Kafka Consumers.

In a multi tenant environment, users are enabled to manage applications in the scope of their projects

This type of scoped application permissions are affected by the summary of the Namespaces to offer a better control over your pipelines. We enhance the capabilities of the Groups to selectively have View or Manage control for different features.


Users in groupA can view the Connectors related to their topics, but won’t be able to control them (create, delete, restart etc)

Uses in groupA can manage Consumers (ie reset or skip offsets) for the topics they have in their Namespace.

Application Permissions

Administration permissions 

Admin permissions refer to activities that are in the global scope of a Lenses setup and affects all the related entities.

Admin permissions allow critical actions to be finer grouped for administrators, but also control which features of Lenses will be available to the end users of each group.


Users with Kafka Settings permission can add or remove Kafka ACLs and Quotas.

Users with Data Policies can add protection masking policies to fields of topics

View and Manage permissions 

View and Manage permissions are available for the Scoped and Admin categories of the group.

  • View permission enables the feature in a “read only” mode. If not selected, the feature is not available to the user.
  • Manage permission enables create, update and delete functions. It’s relevant to the specific function so refer to the the Permission matrix for the detailed permission supported by function.