Controlling who can do what in your application is crucial, and in many cases not everyone should have the same permissions or capabilities in the application, as this can lead to security risks and operational inefficiencies.
In this blog, we show a couple of techniques for restricting access to application functionality based on the user using the app.
There are two primary types of restrictions in Capella Columnar:
Restricting Access to the Columnar UI: Access to the user interface (UI) is controlled by assigning specific roles to users. This ensures that only authorized personnel can interact with the UI.
Defined Roles and Access for External Tools: In addition to UI access, Capella Columnar allows for the definition of roles and access permissions for various external tools, such as BI tools and REST APIs. This fine-grained control helps secure your data and ensures that each user has the necessary permissions to perform their tasks without overstepping boundaries.
Let us understand the Columnar RBAC with an example. Penny, the startup founder of ClientEase is a Capella Columnar customer.
ClientEase acts as an intermediary between companies and their customers, handling support and inquiries using data provided by the parent company. They provide efficient assistance in training and development services as well.
One of the projects in ClientEase is Retail Chain Management. Penny has an Organization Owner role in Capella.
Penny being the startup founder has many other responsibilities. She gave Rob, who is a manager, responsibility for this project and made him the Project Owner.
Rob took full responsibility for the project and divided it in a structured way. He created two clusters in Columnar named Retail Sales Analysis and Product Performance.
He appointed Jack and Kim. Jack is assigned a Columnar role Database Reader/Writer. Rob wanted Kim to look after cluster management and monitoring but did not want Kim to have access to the data and was assigned Project Manager.
Jack did a great job and created databases and scopes and collections in both the cluster according to the use case. He created links and ingested data from AWS S3 to the columnar clusters. He created the following structure of the project which made Rob really happy.
ClientEase uses Power BI for support analysis. Rosa and Denis manage customer support for this project. Rob wants to keep things clean and distinguished.
Rob has created access accounts for Rosa and Denis and assigned them appropriate roles and privileges, allowing Rosa to read from both clusters and Denis to create Tabular Views.
The following tables shows users and their roles/privileges:
| User | Capella Columnar Role/privilege |
| Penny | Organization Owner |
| Rob | Project Owner |
| Kim | Project Manager |
| Jack | Database Data Reader/Write |
| Rosa | sys_data_reader for Retail Sales Analysis and Product Performance. |
| Denis | Create View, Select Collection globally for Retail Sales Analysis and Product Performance. |
Everything was going smoothly with this:
-
- Any modifications in the data was managed by Jack
- Kim was looking after cluster management.
- Rosa and Denis were providing support.
One day, ClientEase was offered with a new opportunity: the parent company asked them to devise strategies to improve sales. Although the startup primarily focuses on support services, this task is a service outside their usual scope. Penny, the founder, saw the potential in this opportunity and decided to seize it. With the deadline fast approaching, to meet the challenge, she opted to hire a third-party vendor specializing in BI analysis, ensuring that ClientEase could deliver the insights needed to boost sales effectively.
The concern arose that granting access to the entire data to an external third party might not be safe. To address this issue, Rob leveraged Columnar’s Role-Based Access Control (RBAC) to securely manage data access.
Hasan and Mary, the third-party vendor team, required access to create Tabular Analytical Views (TAVs) in the columnar cluster for use in Tableau, their chosen BI tool.
Rob doesn’t want to give any access to Retail Sales data. With Columnar RBAC it was very easy to do that. He created a custom role named analysts in Product Performance.
He assigned this custom role the CREATE VIEW privilege at the global level, and SELECT privilege on the necessary collection allowing the team to generate the necessary TAVs.
Rob assigned the built-in role sys_data_reader to the analyst’s role. This combination of permissions enabled Hasan and Mary to access and visualize the created TAVs securely in Power BI, ensuring that they could perform the required analysis without compromising the security of the entire dataset.
| User | Capella Columnar Role/privilege |
| Hasan and Mary | Custom role -> analysts (CREATE VIEW privilege) and sys_data_reader for Product Performance only. |
By using Columnar RBAC to manage data access, ClientEase ensured that only necessary data was accessible, maintaining security and delivering results on time. This approach safeguarded sensitive information throughout the project.
Summary
Couchbase Capella Columnar’s RBAC provides granular, secure access to data, ensuring that users and teams can access only what they need while maintaining data integrity and security.
