Data Entitlements Quickstart - BETA

This page shows you how to create a group of users named demo-users, add users to that group, and entitle that group to query all the data from the database in the insights-demo package.

If necessary, follow the instructions in the Guided walkthrough to create and populate the insights-demo package.

Tip

Ensure you have met the prerequisites before using this quickstart.

To configure entitlements you need to either:

Assuming you already have the insights-demo package deployed, do the following to configure entitlements.

Create a group and assign users

Note

To manage groups and users, you need to provide credentials for a Keycloak admin user, as described here.

Using an interactive session in the CLI

  1. Start an interactive session for entitlement management by calling the kxi entitlement manage command:

    kxi entitlement manage
  2. The session lists entities that can be entitled. Use the tab or the up and down arrows to select the record with EntityType of database and Entity of insights-demo and press Enter.

  3. The session lists groups that can be entitled.

    1. If demo-users group does not already exist:

      1. Press Ctrl+E to create a new group.

      2. If you have not set the Keycloak admin password in your cli-config, you are asked for the password.

      3. Type in demo-users and press Enter.

    2. To add existing users to the demo-users group:

      1. Select demo-users and press Enter.

      2. Use the tab or the up and down arrows to select Users with Group [admin only] and press Enter.

      3. The session lists users that can be added or removed from the group.

      4. Use the tab or the up and down arrows to select the users and press TAB to add or remove that user from a group.

      5. Press Enter to save the changes.

CLI

  1. Use the following command to create the demo-users group:

    kxi group create demo-users
  2. Assign groups to users:

    1. For a new user you can add a group as part of the kxi user create command and ensure the user has the Viewer role, at a minimum:

      kxi user create $USERNAME --password $PASSWORD --groups demo-users
      kxi user assign-roles $USERNAME --roles insights.role.viewer

      Replace the following variables with the appropriate values for your use case:

      1. $USERNAME: Username to assign the group to.

      2. $PASSWORD: Password for the new user.

    2. For an existing user, you can use the kxi user assign-groups command:

      kxi user assign-groups $USERNAME --groups demo-users
      1. $USERNAME: Username to assign the group to.

Note

Each user requires the Viewer role, at a minimum, as a user needs both role-based permissions and database entitlements to insights-demo to view the data. Follow the guide here to modify the roles.

Configure the entitlements

Entitle the demo-users group to query the data in the database:

Using an interactive session in the CLI

  1. Start an interactive session for entitlement management by calling the kxi entitlement manage command:

    kxi entitlement manage
  2. The session lists entities that can be entitled. Use the tab or the up and down arrows to select the record with EntityType of database and Entity of insights-demo and press Enter.

  3. The session lists groups that can be entitled. Use the tab or the up and down arrows to select the demo-users group and press Enter.

  4. The session lists access levels that you can assign to groups. Use the up and down arrows to highlight Read, press the spacebar to select Read access, and press Enter to save the changes.

    Note

    Package entitlements are the only entitlements type that enforces the different access levels. For data entitlements, you must ensure at least one of them is selected.

  5. The session displays a list of groups. The Access column is now set to R for the "demo-users" group.

  6. Press Ctrl+B to go back to the list of entities.

  7. Press Q to exit the interactive session.

CLI

  1. Find the Group ID provided by Keycloak for the new "demo-users" group.

    To do this, call the kxi entitlement actors command:

    kxi entitlement actors
                                            

    ╭─────────────────────────────────┬─────────────┬──────────────────────┬────────────╮
    │ actor                           │ path        │ members              │ admingroup │
    ├─────────────────────────────────┼─────────────┼──────────────────────┼────────────┤
    │ demo-users                      │ /demo-users │ name         access  │ False      │
    │ ------------------------------- │             │ -----------  ------- │            │
    │ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX │             │ demo-user-1  R       │            │
    │                                 │             │ demo-user-2  R       │            │
    ╰─────────────────────────────────┴─────────────┴──────────────────────┴────────────╯
  2. Store the group ID, shown in the actor column below the name of the group, in a variable called $GROUPID.

  3. Choose an access level and store it in a variable called $ACCESS. The access levels available are defined here.

    Note

    Package entitlements are the only entitlements type that enforces the different access levels. For data entitlements, you just need to make sure at least one of them is selected.

  4. Add the group to the query entitlements for the insights-demo package.

    kxi entitlement add-groups insights-demo database $GROUPID:$ACCESS
  5. Call kxi entitlement get to see your changes:

    kxi entitlement get insights-demo database

    ╭──────────────────────────────────┬──────────┬────────┬─────────────────────────────────────────────────────┬─────────────────┬──────────┬─────────────────╮
    │ entity                           │ entity   │ owner  │ groups                                              │ users           │ policies │ policy types    │
    │  n                               │ type     │        │                                                     │                 │ enabled  │ policy types    │
    ├──────────────────────────────────┼──────────┼────────┼─────────────────────────────────────────────────────┼─────────────────┼──────────┼─────────────────┤
    │ insights-demo                    │ database │ owner  │ id                                access  policies  │ name    access  │ False    │ name   enabled  │
    │ -------------------------------- │          │        │ --------------------------------  -----   -------   │ ------  ------- │          │ -----  -------- │
    │ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX │          │        │ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX   R                │ owner   ARWX    │          │ row    False    │
    │                                  │          │        │                                                     │ user1   R       │          │ row    False    │
    ╰──────────────────────────────────┴──────────┴────────┴─────────────────────────────────────────────────────┴─────────────────┴──────────┴─────────────────╯

    In this example user1 is in the demo-users group and therefore has Read access to the database.
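
When the CLI steps above are scripted, the two error-prone points are copying the group ID out of the actors table and building the $GROUPID:$ACCESS argument. The shell helpers below are an added example, not part of the kdb Insights CLI or its documentation. They assume that piped kxi entitlement actors output keeps the table layout shown above and that access levels are written with the letters A, R, W and X seen in the sample output; the table in sample_actors_output and its IDs are constructed.

```shell
#!/bin/sh
# Added example (not kxi code). Assumes the table layout shown on this page.

# Constructed sample of `kxi entitlement actors` output, for offline testing.
sample_actors_output() {
cat <<'EOF'
│ actor                                │ path        │ members             │ admingroup │
├──────────────────────────────────────┼─────────────┼─────────────────────┼────────────┤
│ ops-admins                           │ /ops-admins │ name         access │ True       │
│ ------------------------------------ │             │ -----------  ------ │            │
│ 7c9e6679-7425-40de-944b-e07fc1f90ae7 │             │ ops-1        ARWX   │            │
│ demo-users                           │ /demo-users │ name         access │ False      │
│ ------------------------------------ │             │ -----------  ------ │            │
│ 0f8fad5b-d9cb-469f-a165-70867728950e │             │ demo-user-1  R      │            │
EOF
}

# Print the first actor-column cell below the row naming group $1 (table on stdin).
group_id_from_actors() {
  awk -F'│' -v want="$1" '
    NF < 3 { next }                          # border lines have no cell separators
    { cell = $2; gsub(/^ +| +$/, "", cell) } # trim the actor column
    found && cell ~ /^-+$/ { next }          # dashed rule under the group name
    found { print cell; exit }               # the ID sits directly below it
    cell == want { found = 1 }
  '
}

# Print "GROUPID:ACCESS" only if both parts are well formed; fail closed otherwise.
entitlement_arg() {
  case "$1" in *[!0-9a-fA-F-]*) echo "unexpected character in group ID" >&2; return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "group ID is not a UUID: '$1'" >&2; return 1; }
  # Assumption: access levels are combinations of the letters A, R, W, X.
  case "$2" in ''|*[!ARWX]*) echo "invalid access level: '$2'" >&2; return 1 ;; esac
  printf '%s:%s\n' "$1" "$2"
}

# Usage against a live deployment:
#   GROUPID=$(kxi entitlement actors | group_id_from_actors demo-users)
#   ARG=$(entitlement_arg "$GROUPID" R) &&
#     kxi entitlement add-groups insights-demo database "$ARG"
```

Because entitlement_arg returns non-zero on an empty or malformed value, a failed lookup stops the script before kxi entitlement add-groups runs instead of passing an argument such as ":R".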

Once these steps are complete, allow a short period of time for the change to synchronize across the system. Any user that is part of the demo-users group can then query data in the insights-demo database using REST, the Query window and Views.

Refer to the kdb Insights CLI documentation for full details on the kxi entitlement command and Entitlements fields for an explanation of the fields returned by the commands executed above.

Next steps