User Management and Access Controls
Tecton access controls enable organizations to configure fine-grained governance over who and what can modify the Feature Platform and access feature data.
Access controls are configured by granting roles to principals. Most roles apply to actions that a principal can perform in a specific workspace.
Tecton Access Controls govern access to Tecton metadata and online features, but not access to offline data. See limitations.
Tecton Principals​
In Tecton, access controls are used to specify what actions a principal is able to perform. A principal is a User, Service Account, or Principal Group.
Users​
The User principal represents an individual who accesses an organization's Tecton Account by logging in with their own credentials to the Tecton UI or CLI. Users need to be configured with the appropriate Tecton access controls in order to develop with Tecton, or administer the account.
Service Accounts​
The Service Account principal represents machine access to the Tecton Account, such as a training pipeline or an ML application accessing features. Service Accounts authenticate access using API keys.
Principal Groups​
Tecton Principal Groups simplify the process of granting your Tecton users access to the appropriate resources. By organizing Tecton Users and Services Accounts into Groups, Administrators can simply make role changes at the Group level to govern their organization.
When a User or Service Account is added to a Principal Group, then they will inherit any roles that have been granted to said Principal Group. Principals that are members of multiple groups will inherit the union of roles across those groups.
Additionally, Administrators can automate Group membership configuration by using Identity Provider Attributes. Identity Provider Attributes automatically assign Users to Groups at sign-in time, based on attributes passed in from your Identity Provider during the Single Sign-On process.
Summary of roles and permissions​
Workspace-level roles​
The following roles can be granted in a workspace.
- Owner: Can perform any action in an existing workspace. The Owner role is automatically granted to the creator of a workspace.
- Editor: Can modify the workspace itself, but not other users' access. Also includes Operator's and Consumer's permissions.
- Consumer: Can access online data. Also includes Viewer's permissions.
- Operator: Can manage materialization jobs. Also includes Viewer's permissions.
- Viewer: Can view definitions and metadata.
Instance-level roles​
The Admin role​
Principals with the admin account type have the Admin role. The Admin role can
add/remove users, grant/revoke workspace-level roles to principals and create
live workspaces.
The Principal role​
Principals with the default account type have the Principal role. This role
grants basic permissions, such as the permission to create development
workspaces and Service Accounts.
All-Workspace roles​
Any of the workspace-level roles can optionally be granted across all workspaces, to a user or a Service Account. Doing so allows the user or Service Account to perform the actions allowed by that role, across all workspaces. The principal will automatically assume that role on all new workspaces created thereafter.
Only admins can assign an all-workspace role to a user or Service Account.
Configure Access Controls​
Access controls can be configured on the Permissions screen and Accounts &
Access screen in your Tecton cluster’s Web UI, located at
https://<your Tecton instance prefix>.tecton.ai.
The Permissions screen contains a subset of the access control settings that are available on the Accounts & Access screen. See the next two sections for details.
The Permissions screen​
The Permissions screen allows you to configure access controls for a specific workspace. To access this screen, select Permissions under the Workspaces section on the left side of the Web UI. After selecting Permissions, you will see a list of all users that have access to the workspace and the workspace roles each user has been granted. Selecting the Service Accounts tab will show you the same information for Service Accounts.
On the Permissions screen, you can perform the following tasks by following the steps specified in the second column.
| Task | How to perform the task |
|---|---|
| Add a user to the workspace | Under the User's tab, click Add User to workspace. |
| Remove a user from the workspace | For the user who you want to remove, click the Edit icon on the right, then select None and click Change access. |
| Modify a user’s workspace roles | For the user for whose workspace roles want to modify, click the Edit icon on the right, then select the appropriate role and click Change access. |
| Add a Service Account to the workspace | Select the Service Accounts tab, then click Add Service Account to workspace. |
| Remove a Service Account from the workspace | For the Service Account you want to remove, click the Edit icon on the right, then select None and click Change access. |
| Modify a Service Accounts’s workspace roles | For the Service Account for whose workspace roles want to modify, click the Edit icon on the right, then select the appropriate role and click Change access. |
The Accounts & Access screen​
This screen is accessible only to users with the Admin role.
The Accounts & Access screen allows you to configure access controls for any workspace. Additionally, you can configure user access to your Tecton instance and create Service Accounts.
To access this screen, select Accounts & Access under the Workspaces section on the left side of the Web UI. After selecting Accounts & Access, you will see a list of all users who have access to your Tecton cluster. Selecting the Service Accounts tab will show you the same information for Service Accounts.
On this screen, you can perform the following tasks by following the steps specified in the second column.
User management​
| Task | How to perform the task |
|---|---|
| Add a user to the Tecton cluster. | Click Invite User. |
| Remove a user from the Tecton instance. | In the Actions column, click the Delete icon. |
| Unlock a user. | On the Users tab, click on the user’s name. On the left side, in the Admin Actions section, click Unlock User. |
Service Account management​
| Task | How to perform the task |
|---|---|
| Create a Service Account. | Select the Service Accounts tab, and click Create new Service Account. |
| Deactivate and delete a Service Account | In the Actions column, click Deactivate. Once deactivated, click Delete in the Actions column. |
Principal Group management​
| Task | How to perform the task |
|---|---|
| Create a Principal Group | On the Groups tab, click Create Group. Enter a unique name and optionally a description. |
| Add Users or Service Accounts to a Principal Group | On the Groups tab, click on the group's name. On the right side, in the Users or Service Accounts tab, click Add User or Service Account to Group and select the members. |
| Remove Users or Service Accounts from a Principal Group | On the Groups tab, click on the group's name. On the right side, in the Users or Service Accounts tab, click the delete icon next to the principals to delete. |
| Modify IdP attributes for a Principal Group | On the Groups tab, click on the group's name. On the left side, in the Identity Provider Attributes section, click Add Attribute, or click the update or delete icons next to an existing attribute. |
Assigning and un-assigning access​
| Task | How to perform the task |
|---|---|
| Show all workspaces a principal has access to, along with the roles they have been granted in each workspace. | On the Users, Service Accounts, or Groups tab, click on the principal’s name. This information is shown on the right side. |
| Add a principal to a workspace. | On the Users, Service Accounts, or Groups tab, click on the principal’s name. At the top, click Assign Workspace Access. |
| Modify a principal’s workspace roles. | On the Users, Service Accounts, or Groups tab, click on the principal’s name. On the right side, click the Edit icon on the right, then select None and click Change access. |
| Modify a principal’s account type. | On the Users, Service Accounts, or Groups tab, click on the principal’s name. On the left side, click the Edit icon next to Account Type, and select the desired account type. |
Managing Service Accounts and role assignments with the CLI​
The Tecton CLI additionally provides commands for creating and managing Service Accounts, and assigning or unassigning roles.
Service Account Management​
To create, modify, and delete Service Accounts, use the tecton service-account
command. Run tecton service-account --help for details on how to use the
command.
Assigning and un-assigning access​
To list, assign, or unassign a role from a principal, use the
tecton access-control command. Run tecton access-control --help for details
on how to use the command.
Authentication introspection​
For convenience, you can also run the tecton whoami CLI command to inspect
what principal is being used to authenticate the CLI.
User management using an identity provider​
If you use an identity provider with Tecton (i.e. have SSO configured), just-in-time (JIT) provisioning occurs; the first time a user signs in to Tecton, a user account is created and the account appears on the Accounts & Access screen. If the user already had a Tecton account with the same email, signin via SSO logs the user in as the existing user. Each time the user signs in via their identity provider, the user's first and last name are also updated.
If a user is removed from your identity provider, the user account will still exist in Tecton, although that user will not be able to sign in, as they will be denied access by your identity provider. To completely remove the user from Tecton, delete the user from the Accounts & Access screen.
To set up SSO, reach out to your account representative or support.
Group management using an identity provider​
This feature is currently in Public Preview.
Group memberships in Tecton can be managed by your Identity Provider. Tecton updates group memberships by matching group information provided by your Identity Provider during SAML-based single sign-on (SSO) with values configured on each group.
To have your Identity Provider manage group memberships:
- Ensure your users sign in to Tecton via single sign-on (SSO) with SAML.
- Configure your Identity Provider to include a
groupsattribute in the SAML assertion with attribute values that will be used to map to Tecton groups. Typically, this means passing through a subset of the groups defined in your Identity Provider (If using Okta, see Okta's Define group attribute statements docs for details). - Configure each group in Tecton (on the group's details page in the Accounts
& Access screen) with the
groupsattribute values that map to the group. Matching any value is sufficient to map a user to the group.
Each time a user signs in via SSO with SAML, the user's group memberships update
based upon whether the user's SAML's groups attribute values match any of a
group's identity provider groups mapping values.
- If a new match is made, the user is added to the group. For new matches or if the user was previously manually added to the group, the group membership becomes managed by identity provider groups mappings.
- If a previous match no longer exists, the user is removed from the group.
- Manually created group memberships are preserved.
Identity provider groups mapping example​
Consider a company with several teams that use Tecton and each of these has a group in their Identity Provider:
- Platform
- Fraud
If they want everyone to have the Viewer role, the Platform team to have Operator and the Fraud team to have Consumer, then they could define these principal groups:
| Group Name | Role | Identity Provider Groups Mapping |
|---|---|---|
| Everyone | Viewer (on all workspaces) | Plaform & Fraud |
| Operations | Operator (on all workspaces) | Plaform |
| ML Engineers | Consumer (on prod workspace) | Fraud |
Now imagine some users sign-in via SSO with SAML with different group information from their Identity Provider, they would be added to the following Tecton groups:
| Person | Identity Provider groups values | Tecton group memberships |
|---|---|---|
| Alice | Platform | Everyone & Operations |
| Sienna | Fraud | Everyone & ML Engineers |
| Isabel | Platform & Fraud | Everyone, Operations & ML Engineers |
Now imagine Alice moves from the Platform team to the Fraud team. On their next
sign-in to Tecton, their group memberships would change: they would be removed
from Operations and added to ML Engineers. Group memberships would then be:
| Person | Identity Provider groups values | Tecton group memberships |
|---|---|---|
| Alice | Fraud | Everyone & ML Engineers |
| Sienna | Fraud | Everyone & ML Engineers |
| Isabel | Platform & Fraud | Everyone, Operations & ML Engineers |
Below is a snippet showing how the group information should be passed in the
SAML for a user with both the Platform & Fraud identity provider group
attribute values. Note that each value must have its own AttributeValue
tag.
<saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>Platform</saml2:AttributeValue>
<saml2:AttributeValue>Fraud</saml2:AttributeValue>
</saml2:Attribute>
Best practices for configuring access controls​
Use Principal Groups for managing access​
Create principal groups with different access levels. For example, create an admin group for your Tecton administrators, and then grant it the admin role. Or create a group for a team of users with access granted on a set of workspaces. Grant the group a role on a new workspace, and all users in the group will inherit this role on the new workspace.
The moment a member is removed from the group, they immediately lose access to the roles and permissions they inherited from the group membership. They may still have access to the workspace via a role directly assigned to them.
Leverage your Identity Provider's data for group management​
Take advantage of the groups that exist in your identity provider and map them to groups in Tecton (See: Group management using an identity provider). With Identity Provider groups mappings, group memberships can be setup for new users OOTB so they have the access then need on first-login to Tecton. By leveraging your Identity Provider for group membership changes in Tecton, your existing internal controls for access grants can be followed.
Use caution when granting Owner or Editor role to live workspaces​
A principal with Owner or Editor roles can take actions in a workspace that can
impact a production system. For example, running tecton apply on a workspace
causes the workspace objects that were modified or removed to be deleted and
replaced with the objects that are being applied.
Typically the Editor role will only be granted to the Service Account used for CI/CD, as well as a limited number of team members in case there is a need to apply directly.
Users and service accounts who do not need to tecton apply should be granted
either the Viewer role, to view the workspace and metadata, or the Operator
role, to also manage materialization jobs.
Use development workspaces for feature development​
Feature development should be done in development workspaces. The developer should verify the transformation logic works as intended before promoting the feature to a production workspace.
Setting SDK credentials in a notebook​
When developing features in a notebook, there are several different ways to authenticate to a Tecton instance:
- For Databricks notebooks
- For EMR notebooks
- For Jupyter notebooks with Snowflake
- For Vertex notebooks It is recommended to use either session-scoped user credentials or session-scoped Service Account credentials, rather than environment-scoped Service Account credentials.
Limitations​
Offline materialized feature access depends on AWS or Snowflake roles​
Accessing offline materialized feature data with the Tecton SDK depends on both Tecton and underlying storage permissions. Accessing feature data without the Tecton SDK can be done with only permissions to the underlying feature storage.
The principal must have at least the Viewer role on the relevant workspace to
run commands that access offline materialized data, such as
FeatureService.get_historical_features(). To restrict a user's offline
materialized data access to specific workspaces, see
configuring offline store access per workspace.
For Tecton on Databricks or EMR, access to offline feature data depends on the instance profile for the notebook cluster having access to the Tecton S3 bucket created during deployment.
For Tecton on Snowflake, access to offline feature data depends on the user’s access to the Tecton database created during deployment.
Workspace objects, such as data sources and feature views, cannot be shared between workspaces​
If you set up separate workspaces for different teams, they will not be able to share objects in these workspaces. You can however use the same object definitions in multiple workspaces.
Complete list of permissions for each role​
Workspace permissions​
These roles are configured per workspace, or across all workspaces.
| Permission | Owner role | Editor role | Consumer role | Operator role | Viewer role |
|---|---|---|---|---|---|
| View workspace objects (such as data sources and feature views) and health status of the workspace | x | x | x | x | x |
| Interact with workspace objects in SDK | x | x | x | x | x |
| Request online features* | x | x | x | ||
| Delete workspace | x | ||||
| Run tecton plan | x | x | x | x | x |
| Run tecton apply | x | x | |||
| Run tecton apply --suppress-recreates | x | ||||
| Run tecton restore | x | x | x | x | x |
| Create and delete datasets | x | x | |||
| FeatureTable.ingest() | x | x | |||
| FeatureView.delete_keys() | x | x | |||
| Cancel/retry/overwrite materialization jobs | x | x | x | ||
| Manually trigger materialization jobs | x | x | x |
* Role changes may take up to a minute to propagate to the GetFeatures API.
Platform management permissions​
| Permission | Admin role | Principal role |
|---|---|---|
| Create live workspace | x | |
| Create dev workspace | x | x |
| Invite users (create, delete, resend) | x | |
| View all users | x | x |
| Remove user from account | x | |
| Create a Service Account | x | x |
| Modify Service Account metadata | x | x* |
| Deactivate or Delete a Service Account | x | x* |
| Create or update a Principal Group | x | |
| Delete a Principal Group | x | |
| Edit IdP attributes for a Principal Group | x | |
| View IdP attributes for a Principal Group | x | |
| Add members to a Principal Group | x | |
| Modify Data Platform configuration | x |
* Only if the principal created the Service Account.
Access control permissions​
| Permission | Admin role | Principal role | Owner role | Editor role | Consumer role | Operator role | Viewer role |
|---|---|---|---|---|---|---|---|
| View your assignments for user-facing roles | x | x | |||||
| View account types | x | ||||||
| Modify account types | x | ||||||
| Assign/unassign All Workspaces role | x | ||||||
| View assignments of workspace-level roles | x | x* | x* | x* | x* | x* | |
| Assign/unassign workspace-level roles | x | x* |
* The role applies to a specific workspace, or across all workspaces.
