Role Based Access and Security Tiers
Access to ClickHouse data hosted in Altinity.Cloud is controlled through a combination of security tiers and account roles. This allows companies to tailor access to data in a way that maximizes security while still allowing ease of access.
Altinity.Cloud groups clusters together so that companies can give accounts access only to the clusters, or groups of clusters, that they actually need.
Altinity.Cloud groups clusters into the following security related tiers:
- Nodes: The most basic level - an individual ClickHouse database and tables.
- Clusters: These contain one or more nodes and provide ClickHouse database access.
- Environments: Environments contain one or more clusters.
- Organizations: Organizations contain one or more environments.
Account access is controlled by assigning each account a single role and a security tier appropriate to that role. Depending on its role, an account can be assigned to multiple organizations, multiple environments, multiple clusters within an environment, or a single cluster.
The actions an Altinity.Cloud account can take are based on the role it is assigned. The roles, and the actions each can take at each security tier, are detailed in the table below:
| Role | Environment | Cluster |
| --- | --- | --- |
| orgadmin | Create, Edit, and Delete environments that they create, or are assigned to, within the assigned organizations. Administrate Accounts associated with environments they are assigned to. | Create, Edit, and Delete clusters within environments they create or are assigned to in the organization. |
| envadmin | Access assigned environments. | Create, Edit, and Delete clusters within environments they are assigned to in the organization. |
| envuser | Access assigned environments. | Access one or more clusters the account is specifically assigned to. |
The account roles are tied to the security tiers, and allow an account to access multiple environments and clusters depending on the tier it is assigned to.
For example, we may have the following situation:
- mary, peter, paul, and jessica are all members of the organization HappyDragon.
- HappyDragon has the following environments: HappyDragon_Dev and HappyDragon_Prod, each with its own clusters.
The accounts are assigned roles and security tiers such that, in this scenario:
- mary has the ability to access the environment HappyDragon_Prod, and can create new environments and manage them and any clusters within them. However, she is not able to edit or access HappyDragon_Dev or any of its clusters.
- peter and jessica have the ability to create and remove clusters within their assigned environments.
- peter is able to modify the clusters in the environment he is assigned to.
- jessica can modify clusters in both environments.
- paul can only access the cluster marketing in the environment he is assigned to.
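The following is an added, deny-by-default model of the role table and the HappyDragon scenario above. It is illustrative code written for this page, not Altinity.Cloud's own authorization implementation: the action names, the `Assignment` structure, and the environments chosen for peter (HappyDragon_Dev) and paul (HappyDragon_Prod) are assumptions, since the page does not name them. It shows how a tiered scope (organization, environment, cluster) combines with a role to produce a yes/no decision, and how an orgadmin gains scope over environments they create.

```python
"""Added example (not Altinity's code): a minimal model of tiered,
role-based access, evaluated deny-by-default."""
from dataclasses import dataclass, field

# Permissions granted by each role. Organization-level actions (create_env)
# are only available to orgadmin; environment- and cluster-level actions are
# further restricted by the tiers an assignment is scoped to.
ROLE_PERMISSIONS = {
    "orgadmin": {"create_env", "edit_env", "delete_env", "manage_accounts",
                 "access_env", "create_cluster", "edit_cluster",
                 "delete_cluster", "access_cluster"},
    "envadmin": {"access_env", "create_cluster", "edit_cluster",
                 "delete_cluster", "access_cluster"},
    "envuser":  {"access_env", "access_cluster"},
}
ORG_LEVEL_ACTIONS = {"create_env"}


@dataclass
class Assignment:
    role: str
    org: str
    envs: set = field(default_factory=set)       # environments in scope
    clusters: set = field(default_factory=set)   # envuser only: named clusters


# Constructed scenario assignments. Peter's and Paul's environments are not
# named on the page; HappyDragon_Dev / HappyDragon_Prod here are assumptions.
ASSIGNMENTS = {
    "mary":    [Assignment("orgadmin", "HappyDragon", {"HappyDragon_Prod"})],
    "peter":   [Assignment("envadmin", "HappyDragon", {"HappyDragon_Dev"})],
    "jessica": [Assignment("envadmin", "HappyDragon",
                           {"HappyDragon_Dev", "HappyDragon_Prod"})],
    "paul":    [Assignment("envuser", "HappyDragon", {"HappyDragon_Prod"},
                           {"marketing"})],
}


def is_allowed(account, action, org, env=None, cluster=None):
    """Return True only if some assignment of `account` grants `action` on
    the named tier. Unknown accounts, roles and actions are denied."""
    for a in ASSIGNMENTS.get(account, []):
        if a.org != org or action not in ROLE_PERMISSIONS.get(a.role, set()):
            continue
        if action in ORG_LEVEL_ACTIONS:
            return True                      # scoped only by organization
        if env is None or env not in a.envs:
            continue                         # wrong tier or out-of-scope env
        if cluster is not None and a.role == "envuser" and cluster not in a.clusters:
            continue                         # envuser sees only assigned clusters
        return True
    return False


def create_environment(account, org, env):
    """orgadmin may create environments; the creator is then scoped to the new
    environment, matching 'environments that they create' in the role table."""
    if not is_allowed(account, "create_env", org):
        return False
    for a in ASSIGNMENTS[account]:
        if a.org == org and a.role == "orgadmin":
            a.envs.add(env)
            return True
    return False


if __name__ == "__main__":
    print("mary -> Dev cluster:", is_allowed("mary", "access_cluster",
                                             "HappyDragon", "HappyDragon_Dev", "marketing"))
    print("paul -> marketing:", is_allowed("paul", "access_cluster",
                                           "HappyDragon", "HappyDragon_Prod", "marketing"))
```

Every check falls through to `return False`, so an account with no assignment, an unknown role, or a request outside its tier is denied without a special case; adding a new role means adding a permission set, not another branch.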