---
title: Permissions overview
sidebar_label: Overview
sidebar_position: 1
---

Deephaven provides fine-grained access control over data, queries, and reports. This is accomplished through the individual authorization of users and groups, access control lists (ACLs), and account information.

## Authentication vs. authorization

There are two aspects to access control in Deephaven:

| Aspect             | Description                                   | Managed by                                          |
| ------------------ | --------------------------------------------- | --------------------------------------------------- |
| **Authentication** | Verification of a user's identity             | Internal (passwords) or external (LDAP, SAML, keys) |
| **Authorization**  | Verification of what permissions the user has | Always internal to Deephaven                        |

### Authentication

Authentication can be handled:

- **Internally**: Storing a password validation hash in the [ACL store](./acl-storage.md)
- **Externally**: Integrating with an external identity provider:
  - [LDAP](../configuration/ldap.md) for Active Directory or OpenLDAP
  - [SAML](../configuration/saml-auth.md) for identity providers such as Okta
  - [Key-based authentication](./authentication-keys.md) using key pairs

If external authentication is in use, a new user must be configured both in the external system and in Deephaven before they can log in.

### Authorization

Authorization is handled entirely within Deephaven. Data access rights and system privileges can be granted to individual users or groups.

Groups in Deephaven are internal to the product. External group memberships (e.g., from Active Directory) are not automatically used. When using group-based permissions, add users to appropriate Deephaven groups manually, or configure [SAML group synchronization](../configuration/saml-auth.md#group-synchronization) for automatic group membership.

## What can be controlled

| Resource               | Control level                  | Documentation                                                 |
| ---------------------- | ------------------------------ | ------------------------------------------------------------- |
| **Table data**         | Row and column filtering       | [Table ACLs](./table-acls.md)                                 |
| **Persistent Queries** | View, edit, start/stop access  | [Persistent Query ACLs](./persistent-query-acls.md)           |
| **System features**    | Console access, query creation | [Special groups](./web-acl-editor.md#special-groups)          |
| **ACL management**     | Who can edit permissions       | [`iris-acleditors`](./web-acl-editor.md#special-groups) group |

## Common tasks

| Task                   | Documentation                                                                  |
| ---------------------- | ------------------------------------------------------------------------------ |
| Create a new user      | [Web ACL editor](./web-acl-editor.md#add-a-user) or [CLI](./cli-acl-editor.md) |
| Create an admin user   | [Admin user](./admin-user.md)                                                  |
| Grant table access     | [Table ACLs](./table-acls.md)                                                  |
| Share query results    | [Persistent Query ACLs](./persistent-query-acls.md)                            |
| Set up key-based login | [Authentication keys](./authentication-keys.md)                                |

> [!NOTE]
> If you are using a Legacy worker, please refer to the [Legacy ACLs](../../legacy/sys-admin/legacy-acls.md) documentation.

## This section covers

- [ACL storage](./acl-storage.md) - Storage options for ACL data
- [Admin user](./admin-user.md) - Creating administrative users
- [Authentication keys](./authentication-keys.md) - Key-based authentication setup
- [CLI ACL editor](./cli-acl-editor.md) - Command-line ACL management
- [Web ACL editor](./web-acl-editor.md) - Web-based ACL management interface
- [Table ACLs](./table-acls.md) - Row and column level access control
- [Persistent Query ACLs](./persistent-query-acls.md) - Access control for query results
- [Auth server ACL plugins](./auth-server-acl-plugins.md) - Custom authentication hooks
- [DACS integration](./dacs-integration.md) - Thomson Reuters DACS entitlements
