Permissions overview
Deephaven enables fine-grained access control to data, queries, and reports. This is accomplished through the individual authorization of users and groups, access control lists (ACLs), and account information.
Authentication vs. authorization
There are two aspects to access control in Deephaven:
| Aspect | Description | Managed by |
|---|---|---|
| Authentication | Verification of a user's identity | Internal (passwords) or external (LDAP, SAML, keys) |
| Authorization | Verification of what permissions the user has | Always internal to Deephaven |
Authentication
Authentication can be handled:
- Internally: Storing a password validation hash in the ACL store
- Externally: Integrating with an external identity provider:
- LDAP for Active Directory or OpenLDAP
- SAML for identity providers such as Okta
- Key-based authentication using key pairs
If external authentication is in use, a new user must be configured both in the external system and in Deephaven before they can log in.
Authorization
Authorization is handled entirely within Deephaven. Data access rights and system privileges can be granted to individual users or groups.
Groups in Deephaven are internal to the product. External group memberships (e.g., from Active Directory) are not automatically used. When using group-based permissions, add users to appropriate Deephaven groups manually, or configure SAML group synchronization for automatic group membership.
What can be controlled
| Resource | Control level | Documentation |
|---|---|---|
| Table data | Row and column filtering | Table ACLs |
| Persistent Queries | View, edit, start/stop access | Persistent Query ACLs |
| System features | Console access, query creation | Special groups |
| ACL management | Who can edit permissions | iris-acleditors group |
Common tasks
| Task | Documentation |
|---|---|
| Create a new user | Web ACL editor or CLI |
| Create an admin user | Admin user |
| Grant table access | Table ACLs |
| Share query results | Persistent Query ACLs |
| Set up key-based login | Authentication keys |
Note
If you are using a Legacy worker, please refer to the Legacy ACLs documentation.
This section covers
- ACL storage - Storage options for ACL data
- Admin user - Creating administrative users
- Authentication keys - Key-based authentication setup
- CLI ACL editor - Command-line ACL management
- Web ACL editor - Web-based ACL management interface
- Table ACLs - Row and column level access control
- Persistent Query ACLs - Access control for query results
- Auth server ACL plugins - Custom authentication hooks
- DACS integration - Thomson Reuters DACS entitlements