Skip to main content
Version: 4.0.4

Project And Table Level ACL

Project Level ACL

Whether a user can access a project and use some functionalities within the project is determined by project-level access control, there are four types of access permission role set at the project-level in Apache Kylin. They are ADMIN, MANAGEMENT, OPERATION and QUERY. Each role defines a list of functionality user may perform in Apache Kylin.

  • QUERY: designed to be used by analysts who only need access permission to query tables/cubes in the project.
  • OPERATION: designed to be used by operation team in a corporate/organization who need permission to maintain the Cube. OPERATION access permission includes QUERY.
  • MANAGEMENT: designed to be used by Modeler who is fully knowledgeable of business meaning of the data/model, Modeler will be in charge of Model and Cube design. MANAGEMENT access permission includes OPERATION, and QUERY.
  • ADMIN: Designed to fully manage the project. ADMIN access permission includes MANAGEMENT, OPERATION and QUERY.

Access permissions are independent between different projects.

How Access Permission is Determined

Once project-level access permission has been set for a user, access permission on data source, model and Cube will be inherited based on the access permission role defined on project-level. For detailed functionalities, each access permission role can have access to, see table below.

System AdminProject AdminManagementOperationQuery
Create/delete projectYesNoNoNoNo
Edit projectYesYesNoNoNo
Add/edit/delete project access permissionYesYesNoNoNo
Check model pageYesYesYesYesYes
Check data source pageYesYesYesNoNo
Load, unload table, reload tableYesYesNoNoNo
View model in read only modeYesYesYesYesYes
Add, edit, clone, drop modelYesYesYesNoNo
Check cube detail definitionYesYesYesYesYes
Add, disable/enable, clone cube, edit, drop cube, purge cubeYesYesYesNoNo
Build, refresh, merge cubeYesYesYesYesNo
Edit, view cube jsonYesYesYesNoNo
Check insight pageYesYesYesYesYes
View table in insight pageYesYesYesYesYes
Check monitor pageYesYesYesYesNo
Check system pageYesNoNoNoNo
Reload metadata, disable cache, set config, diagnosisYesNoNoNoNo

Additionally, when Query Pushdown is enabled, QUERY access permission on a project allows users to issue push down queries on all tables in the project even though no cube could serve them. It's impossible if a user is not yet granted QUERY permission at project-level.

Manage Access Permission at Project-level

  1. Click the small gear shape icon on the top-left corner of Model page. You will be redirected to project page

  2. In project page, expand a project and choose Access.

  3. Click Grantto grant permission to user.

  4. Fill in name of the user or role, choose permission and then click Grant to grant permission.

  5. You can also revoke and update permission on this page.

    Please note that in order to grant permission to default user (MODELER and ANALYST), these users need to login as least once. ​

Table Level ACL

Whether a user can access a table is determined by table-level access control, this function is on by default. Set kylin.query.security.table-acl-enabled to false to disable the table-level access control. Access permissions are independent between different projects. Once table-level access permission has been set for a user, you can see it on the page.

Manage Access Permission at Table-level

  1. Click the Data Source tab of Model page.

  2. Expand a database, choose the table and click Access tab.

  3. Click Grantto grant permission to user.

  4. Choose the type (user or role), choose User / Role name and then click Submit to grant permission.

  5. You can also delete permission on this page.