How to Manage Data Access for Developers

Oct 09, 2024

Estimated: 15 mins

When you have a team of developers, it is critical to restrict their access to data to only what they need to do their job. This ensures to protect sensitive data and prevent unauthorized access.

This tutorial will walk you through how to control data access.

Prerequisites#

Bytebase Enterprise plan. You can request a free trial.

Preparation#

Make sure you have Docker installed, and if you don’t have important existing Bytebase data locally, you can start over from scratch by rm -rf ~/.bytebase/data.

You’ll need two Bytebase accounts – one Admin and one Developer.

Admin is the one who configures the settings.
Developer is the one who should only see information based on the configuration.

Step 1 - Run Bytebase via Docker#

Make sure your docker daemon is running, and then start the Bytebase docker container by typing the following command in the terminal.

docker run --rm --init \
  --name bytebase \
  --publish 8080:8080 --pull always \
  --volume ~/.bytebase/data:/var/opt/bytebase \
  bytebase/bytebase:2.23.1

Step 2 - Register Admin and Developer#

Visit localhost:8080 in the browser. Register an admin account, we’ll refer to it as Admin. This account will be granted Workspace Admin role.
Log out and register another account.
Switch back to Admin, enter Projects section on the left, where you can see a Sample Project with two embedded databases mapping to Test and Prod environments respectively.
Click Members and Grant Access to assign Project Developer to the other account. Only after this can he see the project.

Step 3 - Start Enterprise Plan trial and assign license to instances#

Click your avatar on the upper-right. Click Start free trial and Request 14 days trial (no credit card required).
You have to click the Sample Project selection bar on the upper-left and go Back to workspace first.
Enter Instances section on the left. Assign License for both intances here. You may check Manage License for more details.

Control query data access#

Log in as Developer, and you can see Sample Project. Enter SQL Editor on the upper-right. You ought to Connect to a database to get started, yet there's no database data. It's because you don't have any database access permission yet.

connect-to-a-database-no-data

Admin grants data query access directly#

Log in as Admin, and go to Sample Project. Click Members and then Grant Access. Choose Developer and assign the role Project Querier, All for Databases. Click Confirm.
Log in as Developer, and go to SQL Editor. You can see all databases under Test and Prod environment. Select hr_prod, input SELECT * FROM employee; and run, you can see the result. Change employee to any other tables and run, you can see data as well.

Developer requests to query data#

Log in as Admin, and go to CI/CD > Custom Approval. Scroll down to Request Querier Role, and choose Workspace Admin as Approval flow.
Go to CI/CD > Risk Center. Click Add Rule. Choose Request Querier Role as Type. Choose High as Risk. Click Load for the first template on the right. Click Add.
Log in as Developer, and go to Sample Project. Enter Database > Databases on the left and click Request Querier Role. Choose Manual select and then salary table under Prod environment. Click OK.
A request issue is created with the approval flow Workspace Admin we just defined.
Log in as Admin, go to this issue and click Approve.
Log in as Developer, and go to SQL Editor. You can see salary table under Prod environment. Select hr_prod, input SELECT * FROM salary; and run, you'll see the result.
Input SELECT * FROM employee; and run, it'll show permission denied because Developer has not been granted permission to query employee table. You can click Request Query to request permission.