User Management and Access Controls
Info
The access controls feature is in public preview and will soon be available on all Tecton instances. When this feature is available on your instance, you will see the Accounts & Access item in your Web UI. Find this item under Settings on the left navigation bar. When you configure access controls, you can also manage users, such as adding or removing them.
If the Accounts & Access does not yet appear in your Web UI, you can manage users by clicking on your avatar at the top right of the screen, and then clicking Admin Console. Access controls cannot be configured through the Admin Console.
The content below only applies to access controls.
Access control concepts
In Tecton, access controls are used to specify what actions a user is able to perform. Most access controls apply to actions that a user can perform in a specific workspace.
Access controls are configured by granting roles to users.
A role contains a set of permissions. A permission allows a user to perform a specific action in Tecton.
Summary of roles and permissions
Workspace-level roles
The following roles can be granted in a workspace.
- Viewer: In the Web UI, can view a workspace and its objects, such as feature views and data sources.
- Editor: Can modify the state of a workspace, including applying a new definition of the feature repository.
- Owner: Can perform any action in an existing workspace and grant roles to other users in the workspace. The Owner role is automatically granted to the creator of a workspace.
The Admin role
The Admin role can add/remove users, grant/revoke workspace-level roles to users and create live workspaces.
The User role
The User role is automatically granted to all users. This role grants basic permissions, such as the permission to create development workspaces.
Configure Access Controls
Access controls can be configured on the Permissions screen and Accounts & Access screen in your Tecton cluster’s Web UI, located at https://<your Tecton instance prefix>.tecton.ai.
The Permissions screen contains a subset of the access control settings that are available on the Accounts & Access screen. See the next two sections for details.
The Permissions screen
The Permissions screen allows you to configure access controls for a specific workspace. To access this screen, select Permissions under the Workspaces section on the left side of the Web UI. After selecting Permissions, you will see a list of all users that have access to the workspace and the workspace roles each user has been granted.
On the Permissions screen, you can perform the following tasks by following the steps specified in the second column.
| Task | How to perform the task |
|---|---|
| Add a user to the workspace | At the bottom, click Add User to workspace. |
| Remove a user from the workspace | For the user who you want to remove, click Revoke Access on the right. |
| Modify a user’s workspace roles | For the user for whose workspace roles want to modify, click Edit Access on the right. |
The Accounts & Access screen
Info
This screen is accessible only to users with the Admin role.
The Accounts & Access screen allows you to configure access controls for any workspace. Additionally, you can configure user access to your Tecton instance.
To access this screen, select Accounts & Access under the Workspaces section on the left side of the Web UI. After selecting Accounts & Access, you will see a list of all users who have access to your Tecton cluster.
On this screen, you can perform the following tasks by following the steps specified in the second column.
| Task | How to perform the task |
|---|---|
| Add a user to the Tecton cluster. | Click Invite User. |
| Remove a user from the Tecton instance. | In the Deactivate column, click Remove User. |
| Show all workspaces a user has access to, along with the roles they have been granted in each workspace. | Click on the user’s name. This information is shown on the right side. |
| Add a user to a workspace. | Click on the user’s name. At the bottom, click Add Workspace. |
| Modify a user’s workspace roles. | Click on the user’s name. On the right side, click on the name of the workspace for which you want to modify the roles. |
User management using an identity provider
If you use an identity provider with Tecton, Just-in-Time Provisioning occurs; the first time a user logs in to Tecton, a user account is created and the account appears on the Accounts & Access screen.
If a user is removed from your identity provider, the user account will still exist in Tecton. You will need to manually remove the user from the Accounts & Access screen.
Best practices for configuring access controls
Use caution when granting Editor role to live workspaces
A user with the Editor role can take actions in a workspace that can impact a production system. For example, running tecton apply on a workspace causes the workspace objects that were modified or removed to be deleted and replaced with the objects that are being applied. For this reason, we recommend limiting the users who have the Editor role in a live workspace.
Use development workspaces for feature development
Feature development should be done in development workspaces. The developer should verify the transformation logic works as intended before promoting the feature to a production workspace.
Limitations
API keys are not yet governed by access controls
Tecton plans to introduce Service Accounts for managing API keys. For now, API key behavior remains unchanged.
- Any user can create non-admin API keys. These keys can perform the following actions.
- Inspect any workspace, such as commands to list objects or view status
- Request online features with the SDK or HTTP API
- Ingest data to Feature Tables
- Admins can create admin API keys. These keys can perform the following actions, in addition to the actions allowed by non-admin API keys.
- Run
tecton applyon any workspace - Create new admin API keys
- Run
Offline Store access is governed by S3 or Snowflake roles
Tecton Access Controls do not govern the ability to read offline materialized feature data, such as with FeatureService.get_historical_features().
For Tecton on Databricks or EMR, access to offline feature data depends on the instance profile for the notebook cluster having access to the Tecton S3 bucket created during deployment.
For Tecton on Snowflake, access to offline feature data depends on the user’s access to the Tecton database created during deployment.
Workspace objects, such as data sources and feature views, cannot be shared between workspaces
If you set up separate workspaces for different teams, they will not be able to share objects in these workspaces. You can however use the same object definitions in multiple workspaces.
Complete list of permissions for each role
Workspace permissions
| Permission | Admin role | User role | Owner role | Viewer role | Editor role |
|---|---|---|---|---|---|
| View workspace objects (such as data sources and feature views) and health status of the workspace | x* | x* | x* | ||
| Create live workspace | x | ||||
| Create dev workspace | x | x | |||
| Delete workspace | x* | ||||
| Run tecton plan | x* | x* | x* | ||
| Run tecton apply | x* | x* | |||
| Run tecton restore | x* | x* | x* | ||
| Create and delete datasets | x* | x* | |||
| FeatureTable.ingest() | x* | x* | |||
| FeatureView.delete_keys() | x* | x* |
- The role applies to a specific workspace.
User permissions
| Permission | Admin role | User role |
|---|---|---|
| Invite users (create, delete, resend) | x | |
| View all users | x | x |
| Remove user from account | x |
Access control permissions
| Admin role | User role | Owner role | Viewer role | Editor role | |
|---|---|---|---|---|---|
| View your assignments for user-facing roles | x | x | |||
| View “Admin” assignments | x | ||||
| Assign/unassign “Admin” assignments | x | ||||
| View assignments of workspace-level roles (Manage, View, Apply, Read Data) | x | x* | x* | x* | |
| Assign/unassign workspace-level roles (Manage, View, Apply, Read Data) | x | x* |
- The role applies to a specific workspace.