User Management and Access Controls
Tecton access controls enable organizations to configure fine-grained governance over who and what can modify the Feature Platform and access feature data.
Access controls are configured by granting roles to principals. Most roles apply to actions that a principal can perform in a specific workspace.
Tecton Access Controls govern access to Tecton metadata and online features, but not access to offline data. See limitations.
Tecton Principals
In Tecton, access controls are used to specify what actions a principal is able to perform. A principal is a User, Service Account, or Principal Group.
Users
The User principal represents an individual who accesses an organization's Tecton Account by logging in with their own credentials to the Tecton UI or CLI. Users need to be configured with the appropriate Tecton access controls in order to develop with Tecton, or administer the account.
Service Accounts
The Service Account principal represents machine access to the Tecton Account, such as a training pipeline or an ML application accessing features. Service Accounts authenticate access using API keys.
Principal Groups
Tecton Principal Groups simplify the process of granting your Tecton users access to the appropriate resources. By organizing Tecton Users and Service Accounts into Groups, Administrators can make role changes at the Group level to govern their organization.
When a User or Service Account is added to a Principal Group, it inherits any roles that have been granted to that Principal Group. Principals that are members of multiple groups inherit the union of roles across those groups.
Additionally, Administrators can automate Group membership configuration by using Identity Provider Attributes. Identity Provider Attributes automatically assign Users to Groups at sign-in time, based on attributes passed in from your Identity Provider during the Single Sign-On process.
Summary of roles and permissions
Workspace-level roles
The following roles can be granted in a workspace.
- Owner: Can perform any action in an existing workspace. The Owner role is automatically granted to the creator of a workspace.
- Editor: Can modify the workspace itself, but not other users' access. Also includes Operator's and Consumer's permissions.
- Consumer: Can access online data. Also includes Viewer's permissions.
- Operator: Can manage materialization jobs. Also includes Viewer's permissions.
- Viewer: Can view definitions and metadata.
Instance-level roles
The Admin role
Principals with the admin account type have the Admin role. The Admin role can add/remove users, grant/revoke workspace-level roles to principals and create live workspaces.
The Principal role
Principals with the default account type have the Principal role. This role grants basic permissions, such as the permission to create development workspaces and Service Accounts.
All-Workspace roles
Any of the workspace-level roles can optionally be granted across all workspaces, to a user, a group, or a Service Account. Doing so allows the user or Service Account to perform the actions allowed by that role, across all workspaces. The principal will automatically assume that role on all new workspaces created thereafter.
Only admins can assign an all-workspace role to a user or Service Account.
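The role inclusions ("also includes X's permissions"), the union-of-groups rule and the all-workspace grants described above, as an added Python model for auditing who can do what in a workspace. This is example code, not Tecton's own implementation: the role names and inclusion rules come from the page, while the permission names, the "*" all-workspace marker, and the principals, groups and grants in `sample_config` are constructed assumptions.

```python
from dataclasses import dataclass, field

# role -> (permissions it adds, roles whose permissions it includes), per the page.
# Permission names are assumed; Owner ("any action") is modelled as Editor + manage_access.
ROLES = {
    "Viewer":   ({"view_metadata"}, set()),
    "Consumer": ({"read_online_data"}, {"Viewer"}),
    "Operator": ({"manage_materialization"}, {"Viewer"}),
    "Editor":   ({"modify_workspace"}, {"Operator", "Consumer"}),
    "Owner":    ({"manage_access"}, {"Editor"}),
}

def role_permissions(role):
    """Expand a role into its full permission set by following 'includes'."""
    perms, parents = ROLES[role]
    out = set(perms)
    for parent in parents:
        out |= role_permissions(parent)
    return out

@dataclass
class AccessConfig:
    grants: dict = field(default_factory=dict)  # (principal, workspace) -> roles
    groups: dict = field(default_factory=dict)  # group name -> set of members

    def grant(self, principal, role, workspace="*"):
        """Grant a role in one workspace, or in all workspaces with '*' (assumed marker)."""
        self.grants.setdefault((principal, workspace), set()).add(role)

    def effective_roles(self, principal, workspace):
        """Direct grants plus the union of grants to every group the principal
        belongs to, for this workspace and for all-workspace ('*') grants."""
        subjects = [principal] + [g for g, m in self.groups.items() if principal in m]
        roles = set()
        for subject in subjects:
            for ws in (workspace, "*"):
                roles |= self.grants.get((subject, ws), set())
        return roles

    def can(self, principal, workspace, permission):
        return any(permission in role_permissions(r)
                   for r in self.effective_roles(principal, workspace))

def sample_config():
    """Constructed sample data: one user with a direct grant and two groups."""
    cfg = AccessConfig(groups={"ml-eng": {"alice"}, "apps": {"alice", "svc-scoring"}})
    cfg.grant("alice", "Viewer", "prod")      # direct, workspace-level
    cfg.grant("ml-eng", "Operator", "prod")   # inherited from group, workspace-level
    cfg.grant("apps", "Consumer")             # inherited from group, all-workspace
    return cfg
```

Because the all-workspace grant to `apps` is keyed on "*", `alice` and `svc-scoring` read online data in a workspace created later without any new grant, which is the behaviour to watch for when reviewing group memberships.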
Configure Access Controls
Access controls can be configured via the access-control CLI command, or via Permissions or Accounts & Access in your Tecton cluster's Web UI, located at https://<your Tecton instance prefix>.tecton.ai.
The Permissions view contains a subset of the access control settings that are available on the Accounts & Access view. See the next two sections for details.
The Permissions view
The Permissions view allows you to configure access controls for a specific workspace. To access this screen, select Permissions under the Workspaces section on the left side of the Web UI. After selecting Permissions, you will see a list of all users that have access to the workspace and the workspace roles each user has been granted. You can also view a list of Service Accounts or Groups and their corresponding names and roles.
On the Permissions view, you can perform the following tasks by following the steps specified in the second column.
| Task | How to perform the task |
|---|---|
| Add a user to the workspace | Under the Users tab, click Add User to workspace. |
| Remove a user from the workspace | For the user you want to remove, click the Edit icon on the right, then select None and click Change access. |
| Modify a user's workspace roles | For the user whose workspace roles you want to modify, click the Edit icon on the right, then select the appropriate role and click Change access. |
| Add a Service Account to the workspace | Select the Service Accounts tab, then click Add Service Account to workspace. |
| Remove a Service Account from the workspace | For the Service Account you want to remove, click the Edit icon on the right, then select None and click Change access. |
| Modify a Service Account's workspace roles | For the Service Account whose workspace roles you want to modify, click the Edit icon on the right, then select the appropriate role and click Change access. |
The Accounts & Access view
This view is accessible only to users with the Admin role.
The Accounts & Access view allows you to configure access controls for any workspace. Additionally, you can configure user access to your Tecton instance and create Service Accounts.
To access this screen, select Accounts & Access under the Workspaces section on the left side of the Web UI. After selecting Accounts & Access, you will see a list of all users who have access to your Tecton cluster. You can also view a list of Service Accounts or Groups and their corresponding information.
On the Accounts & Access view, you can perform the following tasks by following the steps specified in the second column.