Permissions matrix


Permissions

This page provides the list of the available permissions by type.

Namespace permissions 

Namespace permissions are applicable to the namespace. A namespace consists of:

  • Data source connection
  • Datasets (defined explicitly or using wildcards)
  • Permissions available for the selected connection

Kafka 

| Permission | Description |
|---|---|
| Show Topic | Allows viewing the topic name and basic info |
| Create Topic | Allows creating topics |
| Create Topic Request | Allows creating requests for new topics |
| Drop Topic | Allows deleting topics |
| Configure Topic | Allows changing a topic configuration |
| View Data | Allows viewing the data in a topic |
| Insert Data | Allows inserting data into the topic |
| Delete Data | Allows deleting data from the topic |
| View Schema | Allows viewing schema information |
| Update Schema | Allows configuring the topic storage format and schema |
| Update Metadata | Allows adding tags and descriptions to Kafka topics |

Elasticsearch 

| Permission | Description |
|---|---|
| Show Index | Allows viewing indices and basic info |
| Query Index | Allows querying indices and viewing data |
| View Schema | Allows viewing the schema of the index data |
| Update Metadata | Allows adding tags and descriptions to indices |

PostgreSQL 

| Permission | Description |
|---|---|
| Show Table | Allows viewing tables and basic info |
| Query Table | Allows querying tables and viewing data |
| View Schema | Allows viewing the schema of the table data |
| Update Metadata | Allows adding tags and descriptions to tables |

Application permissions 

Application permissions are scoped by the namespaces in terms of what resources each group can view and manage. For example, if a user needs to create a SQL processor for a topic, they can only do so if the topic is available to their namespace with the “view data” permission.

On top of that, you can control “view” or “manage” access to those resources. The “manage” permission allows write operations, which vary by resource type but typically include create, edit and delete. When “view” permissions are not added to the group, the corresponding feature is not available to the end user and is also hidden from the UI.

The application permissions

| Permission | Description |
|---|---|
| Kafka Consumers / View | Allows viewing the Kafka Consumers details |
| Kafka Consumers / Manage | Allows changing the Kafka Consumers offset |
| Kafka Connectors / View | Allows viewing running Kafka Connectors |
| Kafka Connectors / Manage | Allows adding/updating/deleting/stopping Kafka Connectors |
| SQL Processors / View | Allows viewing the SQL processors |
| SQL Processors / Manage | Allows adding/removing/stopping/deleting SQL processors |
| Schema Registry / View | Allows viewing your Schema Registry entries |
| Schema Registry / Manage | Allows adding/removing/updating/deleting your Schema Registry entries |
| Topology / View | Allows viewing the data pipeline topology |
| Topology / Manage | Allows removing external applications from Lenses |

Application execution

When using Kafka Connect clusters you can authorise clusters per group. The group will list the available configured clusters and you can select by the alias name you’ve given. This will affect both Kafka Connectors and SQL Processors running in connect execution mode.

| Permission | Description |
|---|---|
| Connect Clusters Access | Determines which Kafka Connect clusters each group will use |

Kafka Consumers 

View

It allows the user to view Kafka consumer groups. A consumer group is visible if the data namespace rules allow the current user to see all the topics involved. If one of the topics a consumer group uses is not visible given the namespace permissions, then the entire consumer group is not visible.

Manage

It allows the user to update the topic-partition offsets for a given consumer group.

SQL Processors 

View

The permission controls user access to the SQL processors. A SQL processor is displayed to the user only if the appropriate permissions are in place for the data involved. To view a processor, data namespace rules need to be present, and they need to identify the input and output topics involved.

Manage

To create, delete or scale a SQL processor, the user needs to have Manage permission, and:

  • for all the input topics the user needs to have View Data permissions, and
  • for all the output topics the user needs to have Insert Data permission

Kafka Connectors 

View

It allows the user to view running Kafka Connect sinks or sources. Similar to SQL processors, only those sinks and sources are visible where the data namespace rules grant permission to see the topics involved.

Manage

Allows the user to create a new Kafka Connect sink or source. Namespace rules also restrict the action. In the case of a Connect source, it requires the user to have Insert Data permission for the target topics. For a Connect sink, it requires the user to have View Data permission for the source topics.

Updating an existing connector follows the same permission restrictions as seen earlier. To delete an existing connector, all that is required is for it to be visible.
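The following is an added example, not Lenses code: a small Python model of how the application permissions above combine with namespace permissions for consumer group visibility, SQL processor management and connector creation. The group definition, topic names, glob-style wildcard matching and the use of Show Topic as the "can see the topic" check are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed group: each namespace rule maps a topic pattern to the namespace
# permissions granted on it; app_perms holds the application permissions.
GROUP = {
    "namespaces": {
        "payments-*": {"Show Topic", "View Data"},
        "reports-*": {"Show Topic", "View Data", "Insert Data"},
    },
    "app_perms": {"SQL Processors / Manage", "Kafka Connectors / Manage",
                  "Kafka Consumers / View"},
}

def topic_perms(group, topic):
    """Union of namespace permissions from every rule whose pattern matches."""
    granted = set()
    for pattern, perms in group["namespaces"].items():
        if fnmatchcase(topic, pattern):  # assumption: glob-style wildcards
            granted |= perms
    return granted

def has_all(group, topics, perm):
    """True only if the permission is held on every topic involved."""
    return all(perm in topic_perms(group, t) for t in topics)

def can_manage_sql_processor(group, inputs, outputs):
    # Manage plus View Data on all inputs and Insert Data on all outputs.
    return ("SQL Processors / Manage" in group["app_perms"]
            and has_all(group, inputs, "View Data")
            and has_all(group, outputs, "Insert Data"))

def can_create_connector(group, kind, topics):
    # A source writes to its target topics; a sink reads from its source topics.
    needed = {"source": "Insert Data", "sink": "View Data"}[kind]
    return ("Kafka Connectors / Manage" in group["app_perms"]
            and has_all(group, topics, needed))

def consumer_group_visible(group, topics):
    # One topic outside the namespace rules hides the whole consumer group.
    # Assumption: "visible" is modelled as holding Show Topic.
    return ("Kafka Consumers / View" in group["app_perms"]
            and has_all(group, topics, "Show Topic"))
```

With this group, a processor reading `payments-eu` and writing `reports-daily` is allowed, while one writing back to a `payments-*` topic is refused because Insert Data is not granted there.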

Connect Clusters Access 

It allows the user to see and use Kafka Connect Clusters (e.g. in Connectors, SQL Processors and Topology).

Schema Registry 

View

Grants permission to view the entries present in Schema Registry. A schema entry is visible only if the user has, via data namespace rules, View Schema permission for the corresponding topic.

Manage

Controls the permission to manage your Schema Registry entries. The namespace rules constrain the actions. The user can make amendments to a schema only if they have Update Schema permission for the corresponding topic.

Topology 

View

It allows the user to view both the Landscape of the Data Flow and the Apps Listing:

  • Topology Page (SQL Processors, Kafka Connect Source/Sink Connectors, Topics, Apps)
  • Apps in the App Listing Page

Data namespace permissions determine which nodes are rendered for the user.

Manage

It allows the user to “Remove from Lenses” Apps from the app listing page. You need the proper namespace permission in order to be able to view the topology node/listing entry.

Administration permissions 

Admin permissions are not scoped to the namespace. The resources under this category are managed with global governance.

Similarly to the application permissions, you can control “view” or “manage” access to those resources. The “manage” permission allows write operations, which vary by resource type but typically include create, edit and delete. When “view” permissions are not added to the group, the corresponding feature is not available to the end user and is also hidden from the UI.

| Permission | Description |
|---|---|
| Data Policies / View | Allows viewing the data policies |
| Data Policies / Manage | Allows adding/removing/updating data policies |
| Audit Log / View | Allows viewing the audit log records |
| Audit Log / Manage | Allows creating, editing, deleting and switching on/off audit channels |
| User Management / View | Allows viewing the users, groups and service accounts |
| User Management / Manage | Allows adding/removing/updating/deleting users, groups and service accounts |
| Alert Rules / View | Allows viewing the alert rules, events and channels |
| Alert Rules / Manage | Allows adding/deleting/updating alert rules and channels |
| Kafka Settings / View | Allows viewing Kafka ACLs, Quotas |
| Kafka Settings / Manage | Allows managing Kafka ACLs, Quotas, Broker decommission from Lenses |
| Connections / Manage | Allows adding/removing/updating connections |
| Lenses Logs / View | Allows viewing Lenses logs |
| Kubernetes Logs / View | Allows viewing Kubernetes logs for SQL processors running in Kubernetes |
| Approvals / View | Allows viewing raised approval requests |
| Approvals / Manage | Allows accepting/rejecting requests |
| License / Manage | Allows updating the Lenses license at runtime via the Lenses API |

Data Policies 

Data policies are rules protecting sensitive information your data might contain. They are available across all topics and therefore are not subject to data namespace permissions.

User management 

Groups, Users and Service Accounts are governed by the User Management permission. If you have the User Management / Manage permission, you can create or amend groups and also add users to them.

Connections 

Connections are resources that contain the information needed to connect to other systems. They are treated as sensitive information, so you need Manage permissions to see them.

Alert & Audit channels 

To create audit channels, the connection to the relevant system must exist. Connections are governed by the Connections permission and can be reused across multiple channels.

Kafka Settings 

Kafka settings refer to Kafka ACLs and Quotas, as well as Broker decommission. If you want to remove a known broker from Lenses, you need this permission.

Approvals 

The Approvals permission only covers viewing and approving/rejecting requests. To create requests for new Topics, you need to authorize the relevant namespace permission.

--
Last modified: April 24, 2024