07 — Governance Tour — Platform vs Data RBAC¶
Time : 5 min · Persona : alice (admin) · Path : A or B
AKKO separates two flavours of RBAC :
- Platform Access — which surfaces a role can see (sidebar pages, action buttons, admin panels).
- Data Access — which rows and columns a role can read or write inside the catalogs.
They are managed independently and audited side by side.
Pre-requisites
- You are signed in as
alice. - You completed chapter 03.
Step 1 — Open Platform Access¶
Click Governance in the sidebar, then the Platform Access tab.
You see a matrix : 5 roles × layer chips.
| Role | Chips visible |
|---|---|
akko-admin |
every layer |
akko-engineer |
Compute, Lab, Catalog, AI |
akko-analyst |
BI, AI |
akko-viewer |
Home dashboards only |
akko-steward |
Catalog, NORA, Audit |
Expected result : the matrix renders, every cell shows ✓ or ✗.
Step 2 — Edit a chip (don't save)¶
Click any chip to toggle it (for example, grant carol the Logs layer).
The cell shows a yellow "pending" border. The Save button at the top right activates.
Don't save — click Discard for this tour. We'll keep the demo state clean.
Why client-side preview. You see the new RBAC posture before committing. The backend only validates and persists on Save, never on toggle.
Step 3 — Open Data Access¶
Switch to the Data Access tab inside the Governance page.
You see a list of catalogs, each with :
- Scope — engineering / analyst / viewer / steward / custom.
- Row filters — for example
region = 'EU'for theanalystscope. - Column masks — for example
email → md5(email)for theviewerscope. - PII tags — which columns are flagged by NORA.
Expected result : the catalog list renders with health pills and row/column counts.
Step 4 — Inspect carol's scope¶
Click the analyst scope link next to the demo_postgres catalog.
You see :
| Field | Value |
|---|---|
| Row filter | region = 'EU' |
| Column mask | email → md5(email) |
| Tables denied | internal_audit, risk_models |
| Aggregation rules | MIN_GROUP_SIZE = 10 (k-anonymity) |
Layer in motion. This scope is enforced server-side by the policy engine. Carol cannot bypass it from ADEN, SQL Lab, BI, or the API.
Step 5 — Live test — switch persona to dave¶
- Sign out.
- Sign in as
dave/dave123. - Try to open the catalog tree via
DEMO_HOST/#catalogs.
Expected result : the page shows the AKKO RBAC "tip" banner :
"This area is not available for your role (
akko-viewer). Ask your administrator."
A button at the bottom-right says "Request access" — it raises a ticket in the audit log.
Step 6 — Audit the access¶
Sign back in as alice. Open Logs → filter event=access_denied user=dave.
You see the access-deny event with timestamp, request path, persona, and the RBAC rule that blocked it.
Expected result : at least one entry corresponds to dave's attempted access from the previous step.
Audit-first design. Every denial is logged, every grant is logged, every catalog change is logged. The audit trail is append-only and signed.
How it ties together¶
Identity provider → realm role
│
▼
Platform Access matrix → sidebar + UI
│
▼
Data Access scope → SQL WHERE / column mask
│
▼
Audit trail (signed)
Layer-first principle. The Platform RBAC matrix maps roles to layers, not to vendor product names. When you swap the BI engine, the matrix doesn't change — only the implementation behind the layer.
Troubleshooting¶
| Symptom | Likely cause | Fix |
|---|---|---|
| Platform Access matrix empty | Backend warming up | Refresh after 10 sec. |
| Save button doesn't activate | No change detected | Toggle a chip, ensure the yellow border appears. |
| Save returns 409 | Concurrent edit by another admin | Refresh, re-apply, save. |
| Carol still sees masked columns in plain | Cache TTL | Wait 60 sec or click "Invalidate scope cache". |
| Audit log empty | Logs not seeded yet | Generate a few queries (chapter 04), then refresh. |
What you just learned¶
- Two RBAC dimensions : Platform (UI) and Data (rows / columns).
- Scopes are server-side, append-only, audited.
- Every denied access leaves a signed trail.
Next : 08 — Troubleshooting.