How to Manage Data Access for Developers
When you have a team of developers, it is critical to restrict their access to data to only what they need to do their job. This protects sensitive data and prevents unauthorized access.
This tutorial will walk you through how to control data access.
Prerequisites
- Bytebase Enterprise plan. You can request a free trial.
Preparation
Make sure you have Docker installed. If you don’t have important existing Bytebase data locally, you can start over from scratch by running rm -rf ~/.bytebase/data.
You’ll need two Bytebase accounts – one Admin and one Developer.
- Admin is the one who configures the settings.
- Developer is the one who should only see information based on the configuration.
Step 1 - Run Bytebase via Docker
- Make sure your Docker daemon is running, and then start the Bytebase Docker container by typing the following command in the terminal.
Step 2 - Register Admin and Developer
- Visit localhost:8080 in the browser. Register an admin account; we’ll refer to it as Admin. This account will be granted the Workspace Admin role.
- Log out and register another account.
- Switch back to Admin and enter the Projects section on the left, where you can see a Sample Project with two embedded databases mapping to the Test and Prod environments respectively.
- Click Members and Grant Access to assign Project Developer to the other account. Only after this can that account see the project.
Step 3 - Start Enterprise Plan trial and assign license to instances
- Click your avatar on the upper-right. Click Start free trial and Request 14 days trial (no credit card required).
- You have to click the Sample Project selection bar on the upper-left and go Back to workspace first.
- Enter the Instances section on the left. Assign License for both instances here. You may check Manage License for more details.
Control query data access
Log in as Developer, and you can see Sample Project. Enter SQL Editor on the upper-right. You need to Connect to a database to get started, yet there is no database to choose. That is because you don't have any database access permission yet.
Admin grants data query access directly
- Log in as Admin, and go to Sample Project. Click Members and then Grant Access. Choose Developer and assign the role SQL Editor User, with All for Databases. Click Confirm.
- Log in as Developer, and go to SQL Editor. You can see all databases under the Test and Prod environments. Select hr_prod, input SELECT * FROM employee; and run it to see the result. Change employee to any other table and run again; you can see that data as well.
Developer requests to query data
- Log in as Admin, and go to CI/CD > Custom Approval. Scroll down to Request Querier Role, and choose Workspace Admin as the Approval flow.
- Go to CI/CD > Risk Center. Click Add Rule. Choose Request Querier Role as Type. Choose High as Risk. Click Load for the first template on the right. Click Add.
- Log in as Developer, and go to Sample Project. Enter Database > Databases on the left and click Request Querier Role. Choose Manual select and then the salary table under the Prod environment. Click OK.
- A request issue is created with the approval flow Workspace Admin we just defined.
- Log in as Admin, go to this issue and click Approve.
- Log in as Developer, and go to SQL Editor. You can see the salary table under the Prod environment. Select hr_prod, input SELECT * FROM salary; and run it; you'll see the result.
- Input SELECT * FROM employee; and run it. It shows permission denied because Developer has not been granted permission to query the employee table. You can click Request Query to request permission.
Audit log
You can see all change history in the Issues section or under the Change History page of a given database. Bytebase also records all data access activities in the Audit Log section.