Skip to main content

RBAC

Role-based access control in Qry operates at four nested levels. A user (or group) can be granted access at any level, and the grant cascades downward. The four levels:

Datasource → Catalog → Schema → Table

For SAP HANA, an extra Module level sits between schema and table — see SAP module integration.

How grants compose

  • A grant at datasource level gives access to every catalog / schema / table inside that datasource.
  • A grant at schema level gives access only to tables in that schema.
  • A grant at table level is per-table.

Effective access for a user is the union of:

  1. Direct grants on the user.
  2. Grants on every group the user is a member of.
  3. Inherited grants from any of the above at a higher level.

If any of those three paths grants access, the user has access. There's no "deny" — RBAC is purely additive.

Where to configure

Admin > Access Control > RBAC. The page lists every grant in the tenant. Filter by:

  • User — every grant for one user, including inherited from groups.
  • Group — every grant on a group.
  • Datasource — who has access to a specific datasource.

Granting access

Per-user grant

Click + New Grant. Pick:

  • Subject — user or group.
  • Resource — datasource, then optionally drill into catalog / schema / table.
  • Capabilityread, query, admin (typical levels; tenants can define more).

Click Save. The user (or every group member) sees the resource on their next page load.

Group grant

Same flow, with a group as the subject. All current and future group members inherit the grant.

Common patterns

Tenant-wide read access to one datasource

Grant read + query on the datasource to a "all-employees" group with everyone in it.

Department-segregated data

Two datasources (sales DB, finance DB), two groups (sales, finance), one grant per group on the matching datasource. Cross-department access requires explicit individual grants.

Sensitive table inside a permitted schema

Grant the schema, then don't grant the sensitive table. Wait — that doesn't work, because the schema grant cascades. To block, use table-level revocation (some tenants don't enable revocation; the alternative is ABAC at the row level, see ABAC).

The pragmatic pattern: don't grant the parent schema if you only want a subset of its tables — grant the specific tables instead.

External consultant with limited time

Create a user, add to a group with the right grants, set an expiry on the user account. The user disappears from the tenant when the expiry passes.

Effective permissions

For any user, Admin > Users > {user} > Effective permissions shows every grant that applies to them, with the path (direct vs. group, and which group). Use this as the source of truth when debugging "why can / can't this user see X?".

Performance

RBAC is checked at every query — get_secure_service() enforces it on every run_query() call. The check is cached briefly per request, but for batch / concurrent operations use use_cache=False to avoid shared state — see the Security Architecture reference.

The PermissionEngine and SecureQueryProxy are the centralised enforcement points. Always use get_secure_service() for user-initiated SQL; get_service() is for system operations only (migrations, user-less background jobs).

Common issues

A user can see the datasource in the Catalog but every query fails. RBAC at datasource level alone isn't enough — the user also needs query capability, not just read. Check the grant.

A teammate I added to a group still can't see what other group members see. Group membership cache. Either wait a few seconds or click Refresh effective permissions in the user's profile.

A grant is in place but the user still gets Permission denied. ABAC tag policies or DAC grants on top of RBAC may apply. Check both layers.

Removing a user's group membership left some access in place. The user has a direct grant on the resource that the group also had. Both grants coexist; removing one doesn't remove the other.

Two groups with conflicting capabilities (one grants read, another grants admin). Highest capability wins (additive composition). The user has admin.

See also