Role-Based Access Control (RBAC) is a security model that governs system access according to users' roles and responsibilities within an organization. Last July, we introduced the first RBAC functionality in Zilliz Cloud, simplifying team access management with three roles: organization owner, organization member, and project owner.
Responding to customer demands, our latest release of Zilliz Cloud elevates this feature, presenting more nuanced RBAC capabilities for improved access management, data isolation, and protection. This post explores the upgraded roles and capabilities and illustrates their practical usage through use cases. Let’s dive in.
Understanding organizations and projects
To understand RBAC within Zilliz Cloud, let's delve into fundamental concepts related to organizations and projects.
Zilliz Cloud provides a robust framework for access control across three distinct scopes: Account user, Organization, and Project.
Account user refers to your Zilliz Cloud account.
Organizations serve as entities that group together projects with shared objectives. Organization-level resources include billing, API key management, members, activities, settings, and the recycle bin; within an organization you create separate projects, each handling its own set of resources.
Projects function as logical containers nested within an organization, grouping clusters and other associated resources with a shared purpose. Users can create multiple clusters and manage cluster-level resources within a project, including clusters, project collaborators, pipelines, security, and project alerts.
How does Zilliz Cloud RBAC work?
In Zilliz Cloud, user access to the database system is controlled by assigned roles. A user can hold one or more roles, and each role determines the extent of that user's access. A role bundles privileges on specific resources, such as databases, collections, and clusters, together with the actions permitted on them. Users have no access beyond their designated roles. You can assign roles when creating a user account or update the roles of existing users, so access management stays flexible over time.
Zilliz Cloud offers two primary categories of roles tailored to diverse developer requirements: Operation and Data Layer Roles.
Operation Layer Roles
Within the operational layer, Zilliz Cloud features four Organization and Project Roles, each serving distinct purposes.
Organization Owner: This role controls the organization, managing settings, payment methods, bills, API keys, all projects, and associated resources.
Organization Member: This role has limited access, allowing users to view organization settings and invite new members to the organization.
Project Owner: This role fully controls a specific project, including project settings, API keys, all clusters under the project, and associated resources.
Project Member: This role provides limited access to the project, allowing users to read and write data to all project clusters, view cluster details, and manage collections and indexes.
Data Layer Roles
Zilliz Cloud introduces Cluster Roles in the data layer, featuring three predefined roles and the flexibility to create custom roles for more nuanced access control. The predefined roles include:
Admin: This role holds the highest control over the Cluster, capable of executing all operations.
Read-Write: This role can read and write data within the Cluster.
Read-Only: This role can read all data within the Cluster.
Note: The creator of a cluster will be automatically assigned the Admin role.
Apart from the three predefined roles, Zilliz Cloud enables the creation of custom roles, allowing developers to fine-tune permissions for specific collections, partitions, or operations. This lets developers grant each workload only the minimum data access it needs, crafting roles that match their operational requirements for a more tailored and secure approach.
For more detailed information, see our RBAC documentation.
How Zilliz Cloud RBAC works in real-world use cases
Now that we've explored the capabilities of Zilliz Cloud roles, let's delve into the practical aspects of creating and using these roles effectively. This section provides two examples illustrating how you can leverage Zilliz Cloud's RBAC capabilities to enhance your data management and security strategies.
Cross-team collaboration in a medium-sized company
Let's say you lead an infra team in a mid-sized company, collaborating with multiple business units, including the finance, customer service, and e-commerce teams. As the infra leader, you must efficiently manage a vector database for various AI applications. Other business teams may need access to read and write data in the database collections and require data isolation. On the other hand, the finance team only requires the ability to manage the database payment methods and handle billing.
In this case, consider the following role assignments.
Assign yourself and the finance team the Organization Owner role in Zilliz Cloud. This approach grants you control over the database, allowing you to create clusters, perform scale operations, monitor cluster resource usage, and manage the database more efficiently. The finance team, in turn, can effectively manage payment methods and billing.
Set your team members as Project Members, enabling them to monitor cluster resource usage, create tables, and modify data across all clusters.
Create one shared cluster for the customer service and e-commerce teams and grant them Custom Roles with nuanced access to cluster resources. This approach reduces costs and efficiently isolates the data of both teams.
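To make the data-layer role model concrete, here is an added Python example (not Zilliz Cloud's own code or API) that models the cluster roles described above and the shared-cluster layout from this use case: the three predefined roles as cluster-wide privilege sets, custom roles narrowed to one collection or partition, the creator's automatic Admin binding, the union of grants for a user with several roles, and deny by default for everyone else. The action names, user names, and collection names are constructed for the example and are not Zilliz Cloud's privilege identifiers.

```python
from __future__ import annotations

from dataclasses import dataclass

# Action names are constructed for this example; they are not Zilliz Cloud's
# own privilege identifiers.
READ_ACTIONS = frozenset({"Search", "Query", "DescribeCollection"})
WRITE_ACTIONS = frozenset({"Insert", "Upsert", "Delete"})
ADMIN_ACTIONS = frozenset({"CreateCollection", "DropCollection", "CreateIndex",
                           "DropIndex", "Load", "Release"})
ALL_ACTIONS = READ_ACTIONS | WRITE_ACTIONS | ADMIN_ACTIONS

ANY = "*"  # wildcard: every collection / every partition in the cluster


@dataclass(frozen=True)
class Grant:
    """One privilege, optionally narrowed to a collection and a partition."""
    action: str
    collection: str = ANY
    partition: str = ANY

    def covers(self, action: str, collection: str, partition: str) -> bool:
        return (self.action == action
                and self.collection in (ANY, collection)
                and self.partition in (ANY, partition))


@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset


def cluster_role(name: str, actions) -> Role:
    """Predefined role: the given actions on every collection in the cluster."""
    return Role(name, frozenset(Grant(a) for a in actions))


def custom_role(name: str, actions, collection: str = ANY, partition: str = ANY) -> Role:
    """Custom role: the given actions narrowed to one collection (and partition)."""
    return Role(name, frozenset(Grant(a, collection, partition) for a in actions))


PREDEFINED = {
    "Admin": cluster_role("Admin", ALL_ACTIONS),
    "Read-Write": cluster_role("Read-Write", READ_ACTIONS | WRITE_ACTIONS),
    "Read-Only": cluster_role("Read-Only", READ_ACTIONS),
}


class ClusterAuthz:
    """Role bindings for one cluster plus the authorization decision."""

    def __init__(self, creator: str):
        self.roles = dict(PREDEFINED)
        self.bindings: dict[str, set[str]] = {}
        self.bind(creator, "Admin")  # the cluster creator is automatically Admin

    def add_role(self, role: Role) -> None:
        if role.name in self.roles:
            raise ValueError(f"role {role.name!r} already exists")
        self.roles[role.name] = role

    def bind(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.bindings.setdefault(user, set()).add(role_name)

    def is_allowed(self, user: str, action: str, collection: str,
                   partition: str = "_default") -> bool:
        # Deny by default: an unknown user, or one with no bindings, gets nothing.
        # A user holding several roles gets the union of their grants.
        for role_name in self.bindings.get(user, ()):
            if any(g.covers(action, collection, partition)
                   for g in self.roles[role_name].grants):
                return True
        return False

    def effective_grants(self, user: str) -> set[Grant]:
        """Everything a user can do, useful for a least-privilege review."""
        return {g for r in self.bindings.get(user, ()) for g in self.roles[r].grants}


def shared_cluster_example() -> ClusterAuthz:
    """The cross-team layout from the post: one cluster shared by customer
    service and e-commerce, each confined to its own collection (names constructed)."""
    cluster = ClusterAuthz(creator="infra-lead")
    cluster.add_role(custom_role("cs-rw", READ_ACTIONS | WRITE_ACTIONS, collection="cs_tickets"))
    cluster.add_role(custom_role("ecom-rw", READ_ACTIONS | WRITE_ACTIONS, collection="ecom_products"))
    cluster.add_role(custom_role("ecom-analyst", READ_ACTIONS, collection="ecom_products"))
    cluster.bind("cs-app", "cs-rw")
    cluster.bind("ecom-app", "ecom-rw")
    cluster.bind("ecom-analyst-1", "ecom-analyst")
    return cluster
```

The decision function never consults anything but the caller's bound roles, so a request outside a custom role's collection is refused even on a cluster where the same user could read another collection; `effective_grants` is the list you would review when checking that a role has not grown beyond the minimum its team needs.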
Managing a RAG-based knowledge base
Imagine you are a SaaS company providing an intelligent RAG-based knowledge base. This application lets users upload documents and answers their questions using the knowledge stored in Zilliz Cloud. You have around 20,000 small customers, each managing fewer than 100,000 vector points of documents, and approximately 50 major customers with substantial data volumes ranging from tens of millions to billions of vectors. These big clients require strict data isolation and expect seamless external integration for their knowledge base data.
In this use case, your customers don’t have to log into Zilliz Cloud; instead, you and your team members should be assigned the Organization and Project Roles for streamlined access management.
Create a shared cluster for all your small customers to save money. Their files, which have similar structures, can be stored in a shared collection that uses a partition key for data isolation. When a client queries, only data from its own partition is returned, which also keeps queries efficient.
For big customers, create independent clusters tailored to their specific data scale. Generate Customized API Keys for each major client with built-in Read-Write roles, connecting to their dedicated cluster. This approach ensures data security and facilitates smooth integration with external applications.
This strategy enables efficient data management for both small and large clients, balancing cost-effectiveness, data isolation, and scalability. Moreover, it provides the flexibility needed for seamless integration with external applications, particularly crucial for the larger clients in your user base.
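The following is an added Python example (not Zilliz Cloud's own code) of the application-side gateway this strategy implies. Each customer's API key is mapped to either the shared cluster, where a `tenant_id` partition-key predicate is prepended to every filter expression, or to a dedicated cluster for a large customer. The tenant names, cluster names, API keys and the `tenant_id` field name are constructed for the example; the filter syntax follows the `field == "value"` / `and` form used in Milvus-style boolean expressions, and the gateway stores only a digest of each key rather than the key itself.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

PARTITION_KEY = "tenant_id"               # partition-key field of the shared collection (constructed)
SHARED_CLUSTER = "shared-small-tenants"   # constructed cluster name
_SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    cluster: str        # SHARED_CLUSTER or the tenant's dedicated cluster
    role: str           # cluster role carried by the tenant's API key
    key_sha256: str     # only a digest of the API key is stored server-side


def key_digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


class TenantGateway:
    """Maps an API key to a tenant, then to the cluster and filter it may use."""

    def __init__(self, tenants):
        # Lookup is by digest, so the table never holds a usable key.
        self._by_digest = {t.key_sha256: t for t in tenants}

    def authenticate(self, api_key: str) -> Tenant:
        tenant = self._by_digest.get(key_digest(api_key))
        if tenant is None:
            raise PermissionError("unknown API key")
        return tenant

    def scope_filter(self, tenant: Tenant, user_filter: str | None = None) -> str | None:
        if tenant.cluster != SHARED_CLUSTER:
            # Dedicated cluster: the cluster boundary is the isolation.
            return user_filter
        if not _SAFE_ID.match(tenant.tenant_id):
            raise ValueError("tenant id is not safe to embed in a filter expression")
        tenant_expr = f'{PARTITION_KEY} == "{tenant.tenant_id}"'
        # The tenant predicate comes from the authenticated key, never from the request,
        # and the caller's own filter is AND-ed with it rather than replacing it.
        return f"({tenant_expr}) and ({user_filter})" if user_filter else tenant_expr

    def route(self, api_key: str, user_filter: str | None = None) -> tuple[str, str | None]:
        """Return (cluster to query, filter expression to send with the query)."""
        tenant = self.authenticate(api_key)
        return tenant.cluster, self.scope_filter(tenant, user_filter)


def demo_gateway() -> TenantGateway:
    """Constructed tenants: two small customers on the shared cluster, one large
    customer on its own cluster. Keys are demo values, not real credentials."""
    return TenantGateway([
        Tenant("acme", SHARED_CLUSTER, "Read-Write", key_digest("demo-key-acme")),
        Tenant("globex", SHARED_CLUSTER, "Read-Write", key_digest("demo-key-globex")),
        Tenant("initech", "initech-dedicated", "Read-Write", key_digest("demo-key-initech")),
    ])
```

Because the tenant predicate is always conjoined, a caller that supplies `tenant_id == "globex"` in its own filter from the `acme` key still ends up with `(tenant_id == "acme") and (tenant_id == "globex")`, which matches nothing instead of another tenant's partition; the `_SAFE_ID` check guards the one place where a server-side value is interpolated into the expression.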
In conclusion, Zilliz Cloud's enhanced RBAC features represent a significant leap in data protection, offering more nuanced access management, improved data isolation, and heightened security. This post has explored the intricacies of the upgraded RBAC capabilities, highlighting their practical applications through real-world use cases such as cross-team collaboration in a medium-sized company and managing a RAG-based knowledge base.