Role Based Access and Security Tiers

Altinity.Cloud hierarchy and role based access.

Access to ClickHouse data hosted in Altinity.Cloud is controlled through a combination of security tiers and account roles. This allows companies to tailor access to data in a way that maximizes security while still allowing ease of access.

Security Tiers

Altinity.Cloud groups sets of clusters together so that companies can give accounts access only to the clusters or groups of clusters that they need.

Altinity.Cloud groups clusters into the following security related tiers:

  • Nodes: The most basic level - an individual ClickHouse database and tables.
  • Clusters: These contain one or more nodes and provide ClickHouse database access.
  • Environments: Environments contain one or more clusters.
  • Organizations: Organizations contain one or more environments.

Account access is controlled by assigning an account a single role and a security tier depending on their role. A single account can be assigned to multiple organizations, environments, multiple clusters in an environment, or a single cluster depending on their account role.

Account Roles

The actions that Altinity.Cloud accounts can take are based on the role they are assigned. The roles and their actions at each security tier are detailed in the table below:

| Role | Environment | Cluster |
|---|---|---|
| orgadmin | Create, Edit, and Delete environments that they create, or are assigned to, within the assigned organizations. Administrate Accounts associated with environments they are assigned to. | Create, Edit, and Delete clusters within environments they create or are assigned to in the organization. |
| envadmin | Access assigned environments. | Create, Edit, and Delete clusters within environments they are assigned to in the organization. |
| envuser | Access assigned environments. | Access one or more clusters the account is specifically assigned to. |

The account roles are tied to the security tiers, and allow an account to access multiple environments and clusters depending on the tier they are assigned to.

For example, we may have the following situation:

  • Accounts peter, paul, mary, and jessica are all members of the organization HappyDragon.
  • HappyDragon has the following environments: HappyDragon_Dev and HappyDragon_Prod, each with the clusters marketing, sales, and ops.

The accounts are assigned the following roles and security tiers:

| Account | Role | Organization | Environments | Clusters |
|---|---|---|---|---|
| mary | orgadmin | HappyDragon | HappyDragon_Prod | * |
| peter | envadmin | HappyDragon | HappyDragon_Dev | * |
| jessica | envadmin | HappyDragon | HappyDragon_Prod, HappyDragon_Dev | * |
| paul | envuser | HappyDragon | HappyDragon_Prod | marketing |

In this scenario, mary can access the environment HappyDragon_Prod, and can create new environments and manage them and any clusters within them. However, she is not able to edit or access HappyDragon_Dev or any of its clusters.

  • Both peter and jessica have the ability to create and remove clusters within their assigned environments.
    • peter is able to modify the clusters in the environment HappyDragon_Dev.
    • jessica can modify clusters in both environments.
  • paul can only access the cluster marketing in the environment HappyDragon_Prod.
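
The scenario above, expressed as a small default-deny permission model that can be used to audit who is able to act on a given environment or cluster. This is an added example, not Altinity.Cloud code or its API: the action names, the `Assignment` class, and the `is_allowed` and `who_can` helpers are hypothetical, and it assumes that the right to edit a resource implies the right to access it.

```python
from dataclasses import dataclass

# Role table above as data. Assumption: the right to edit implies "access".
ROLE_ACTIONS = {
    "orgadmin": {"environment": {"access", "create", "edit", "delete", "manage_accounts"},
                 "cluster": {"access", "create", "edit", "delete"}},
    "envadmin": {"environment": {"access"},
                 "cluster": {"access", "create", "edit", "delete"}},
    "envuser": {"environment": {"access"}, "cluster": {"access"}},
}

@dataclass(frozen=True)
class Assignment:
    role: str
    organization: str
    environments: frozenset
    clusters: frozenset  # {"*"} = every cluster in the assigned environments

def is_allowed(a, action, organization, environment, cluster=None):
    """Default-deny check of one action against one assignment."""
    if organization != a.organization or a.role not in ROLE_ACTIONS:
        return False
    tier = "environment" if cluster is None else "cluster"
    if action not in ROLE_ACTIONS[a.role][tier]:
        return False
    if tier == "environment" and action == "create":
        return True  # a new environment cannot be in any assignment yet
    if environment not in a.environments:
        return False  # this is why mary is locked out of HappyDragon_Dev
    return cluster is None or "*" in a.clusters or cluster in a.clusters

def _a(role, envs, clusters=("*",)):
    return Assignment(role, "HappyDragon", frozenset(envs), frozenset(clusters))

# The HappyDragon assignment table from the page.
ASSIGNMENTS = {
    "mary": _a("orgadmin", ["HappyDragon_Prod"]),
    "peter": _a("envadmin", ["HappyDragon_Dev"]),
    "jessica": _a("envadmin", ["HappyDragon_Prod", "HappyDragon_Dev"]),
    "paul": _a("envuser", ["HappyDragon_Prod"], ["marketing"]),
}

def who_can(action, environment, cluster=None, organization="HappyDragon"):
    """List accounts allowed to take `action`: an effective-permission audit."""
    return sorted(name for name, a in ASSIGNMENTS.items()
                  if is_allowed(a, action, organization, environment, cluster))

if __name__ == "__main__":
    print(who_can("delete", "HappyDragon_Prod", "sales"))
```

Running `who_can` for each destructive action across every environment and cluster gives a quick review of whether the assignments grant more than each account needs.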

Last modified 2021.09.25: Altinity.Cloud updates and Connectivity added.