Access Control

Ververica Platform uses a two-stage access control model.

  • Authentication verifies who is making a request. Ververica Platform does not manage user credentials directly; it delegates authentication to an external identity provider using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).
  • Authorization determines what an authenticated entity is allowed to do. Permissions are governed by roles assigned to individual users, identity provider groups, or API tokens.

Group-Based Access

Starting with Ververica Platform 3.1.1, administrators can assign roles to identity provider groups rather than individual users. When a user authenticates, Ververica Platform reads the group memberships from their token or assertion and grants permissions based on all matching group assignments.

Managing access through groups offers several benefits:

  • Role changes take effect immediately when group membership is updated in the identity provider, without requiring changes in Ververica Platform.
  • New team members automatically receive the correct permissions as soon as they are added to the appropriate group.
  • Access policies are maintained centrally in the identity provider rather than in each application separately.

See the sub-pages for configuration details:

  • Authentication — configure your identity provider, enable group claim extraction, and review provider-specific setup for OIDC and SAML.
  • Authorization — assign roles to users and groups, understand how permissions are resolved, and troubleshoot common issues.
  • API Tokens — create tokens for machine-to-machine access.