Identity & Access Management
This page covers how to manage authentication and authorization in your Rockset organization.
Once the first API key is created using the Rockset Console, you can use that API key to access the Rockset API and create, list, or delete additional API keys programmatically.
All API keys will have the same permissions as the user who created them, which are determined by the user's role.
You can invite new users to your organization using their email address (or remove existing users from your organization) in the Users tab of the Rockset Console. When a new user is invited, Rockset will send them an invite to create a new Rockset account. On the user's first login, a prompt asking the user to accept your organization invite will appear.
Each user in your organization must be assigned exactly one of three pre-defined roles (designated at invitation):
- Administrators have full permissions over all Rockset resources belonging to this organization. An administrator can also manage organization settings, users, and billing information.
- Members can manage most Rockset resources including collections, integrations, workspaces, and Query Lambdas. However, members cannot make changes to the organization, billing or other users.
- Read-Only users can only query existing collections, including managing Query Lambdas to do so. Read-only users cannot create, delete or modify collections or integrations.
These roles correspond to the following permissions:
| Self's API Keys | read+write | read+write | read+write |
| Others' API Keys | - | - | read+write |
The user who initially creates an organization will automatically be assigned the Administrator role, and may then choose to create additional users with the Administrator role.
Google for Work (G Suite) single sign-on is enabled for all accounts. Additional SSO connections, such as Okta or OneLogin, are also available to enterprise customers. Once you've created your connection, you'll have two additional settings available:
- SSO-only: This setting allows users to connect to Rockset only from your SSO provider. Other forms of authentication, such as username-password, are disabled. If off, all connections will be allowed. We recommend turning this setting on for maximum security.
- Autoprovision: This setting tells Rockset to automatically create accounts for new users coming to Rockset from your SSO provider. Most SSO providers provide their own form of access control, so we recommend turning this setting on. If off, you will have to add users in the Rockset UI before they are able to access Rockset.
To enable single sign-on or OAuth support for accessing the Rockset Console, please contact email@example.com.
You may enable IP Allowlisting for your organization to restrict access to only a specified list of IP addresses.
If IP Allowlisting is enabled, only calls made to the Rockset service originating from an IP address specified in the IP Allowlist of your organization will be accepted. All requests originating from unrecognized IP addresses will be rejected with an HTTP 403 Forbidden error code. This includes access to the Rockset Console, all API operations, and SQL query endpoints.
Administrators of organizations with IP Allowlisting enabled can configure network policies in the form of an IP access list. IP addresses may be specified as individual IPs at the account level, or as a range of IPs in CIDR notation.
By default, all organizations are set to the No IP Allowlist setting, meaning that accesses originating from any IP address are allowed. You can enable IP Allowlisting and configure your network policies in the Settings tab of the Rockset Console. This is only available to users with the Administrator role.
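Because an enabled allowlist also gates the Rockset Console, it is worth checking a candidate list before turning it on. The following is an added example, not Rockset code: it models the accept/403 decision described above and runs a pre-flight check. The function names, the breadth thresholds and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed review thresholds: prefixes shorter than these are flagged as too broad.
MIN_PREFIX = {4: 16, 6: 32}

def parse_allowlist(entries):
    """Parse individual IPs and CIDR ranges; return (networks, errors)."""
    networks, errors = [], []
    for entry in entries:
        try:
            # strict=True rejects ranges with host bits set (e.g. 10.0.0.5/24),
            # which usually means the intended range was mistyped.
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return networks, errors

def is_allowed(source_ip, networks):
    """True if source_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network (and vice versa),
    # so a mixed list can be checked in one pass.
    return any(addr in net for net in networks)

def status_for(source_ip, networks, enabled=True):
    """Model the documented behaviour: 403 for unrecognized IPs when enabled."""
    if not enabled:  # "No IP Allowlist": any source address is accepted
        return 200
    return 200 if is_allowed(source_ip, networks) else 403

def preflight(entries, admin_ip):
    """Return findings to resolve before enabling the list (empty means OK)."""
    networks, findings = parse_allowlist(entries)
    for net in networks:
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"{net}: range is very broad")
    if not is_allowed(admin_ip, networks):
        findings.append(f"{admin_ip}: administrator IP not covered (lockout risk)")
    return findings

# Constructed sample policy using documentation-only address ranges.
SAMPLE = ["203.0.113.7", "198.51.100.0/24", "2001:db8:1::/48"]

if __name__ == "__main__":
    nets, _ = parse_allowlist(SAMPLE)
    for ip in ("198.51.100.42", "192.0.2.10", "2001:db8:1:ff::1"):
        print(ip, status_for(ip, nets))
    print(preflight(["0.0.0.0/0", "10.0.0.5/24"], "192.0.2.10"))
```
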