
Authorization

Authorization is the process of verifying that an authenticated entity has access to a resource and can perform a desired action. Ververica Platform uses a role-based access control model where roles are assigned to individual users or identity provider groups.

Roles

The following roles are available:

Role    Scope      Description
Viewer  Namespace  Read-only access to resources in the namespace
Editor  Namespace  Read and write access to most resources in the namespace
Owner   Namespace  Full access within the namespace
Admin   Workspace  Read and write access to all namespace resources across the workspace

Role Assignments

Roles are configured in the initialAccessFileContent block of your Helm values. Each entry in the initialAccess array grants a role to a principal (a user or a group) at a given scope.

Individual User Assignments

Use userId to assign a role to a specific user. The userId must match the identifier your identity provider sends — the email address for OIDC, or the NameId for SAML.

global:
  initialAccessFileContent:
    initialAccess:
      - userId: alice@example.com
        workspaceId: defaultworkspace
        namespaceId: default
        role: EDITOR

Group-Based Role Assignments

Use userId with a group: prefix to assign a role to all members of an identity provider group. The group name must exactly match a group value extracted from the ID token or SAML assertion, as configured by groupsClaim or groups-attribute in Authentication.

global:
  initialAccessFileContent:
    initialAccess:
      - userId: "group:platform-admins"
        workspaceId: defaultworkspace
        role: ADMIN
      - userId: "group:platform-editors"
        workspaceId: defaultworkspace
        namespaceId: default
        role: EDITOR
      - userId: "group:data-team"
        workspaceId: defaultworkspace
        namespaceId: analytics
        role: VIEWER

Omit namespaceId to scope the assignment to the workspace level. Include it to scope the assignment to a specific namespace.

Access Resolution

When a user authenticates, Ververica Platform evaluates all role assignments that apply to that user:

  • Direct assignments where userId matches the authenticated user.
  • Group assignments where a group:-prefixed userId matches any group present in the user's token or assertion.

The effective permissions are the union of all matching role assignments. If a user belongs to one group with Viewer access and another group with Editor access in the same namespace, that user receives Editor permissions.

User-level and group-level assignments combine in the same way. A direct userId assignment and one or more group:-prefixed userId assignments can all apply to the same user simultaneously, and the most permissive combination takes effect.
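The resolution rules above, as an added example that is not Ververica Platform's own code: a small resolver that applies direct and group: assignments to a user and keeps the most permissive role per scope. The role ranking VIEWER < EDITOR < OWNER < ADMIN is an assumption made here to pick the most permissive match.

```python
# Added example, not Ververica Platform's own code: applies the access-resolution rules
# (union of all matching assignments, most permissive role per scope) to initialAccess
# entries. The role ranking below is an assumption used to compare roles.
from typing import Dict, List, Optional, Tuple

ROLE_RANK = {"VIEWER": 1, "EDITOR": 2, "OWNER": 3, "ADMIN": 4}

# Constructed sample initialAccess array (a workspace-level entry omits namespaceId).
SAMPLE_ACCESS = [
    {"userId": "alice@example.com", "workspaceId": "defaultworkspace",
     "namespaceId": "default", "role": "VIEWER"},
    {"userId": "group:platform-editors", "workspaceId": "defaultworkspace",
     "namespaceId": "default", "role": "EDITOR"},
    {"userId": "group:data-team", "workspaceId": "defaultworkspace",
     "namespaceId": "analytics", "role": "VIEWER"},
    {"userId": "group:platform-admins", "workspaceId": "defaultworkspace", "role": "ADMIN"},
]

def principal_matches(user_id: str, email: str, groups: List[str]) -> bool:
    """Direct entries match the user's email; group: entries match any token group (exact, case-sensitive)."""
    if user_id.startswith("group:"):
        return user_id[len("group:"):] in groups
    return user_id == email

def resolve_access(initial_access: List[dict], email: str,
                   groups: List[str]) -> Dict[Tuple[str, Optional[str]], str]:
    """Return the effective role per (workspaceId, namespaceId) scope.

    Workspace-level assignments use namespaceId None. Every matching entry is
    unioned into the result; where several match the same scope, the
    highest-ranked role wins. A workspace-level ADMIN is reported as its own
    scope rather than expanded into each namespace.
    """
    effective: Dict[Tuple[str, Optional[str]], str] = {}
    for entry in initial_access:
        if not principal_matches(entry["userId"], email, groups):
            continue
        scope = (entry["workspaceId"], entry.get("namespaceId"))
        role = entry["role"].upper()
        current = effective.get(scope)
        if current is None or ROLE_RANK[role] > ROLE_RANK[current]:
            effective[scope] = role
    return effective
```

With the constructed sample, alice holds a direct VIEWER assignment and a group EDITOR assignment in the same namespace and therefore resolves to EDITOR there.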

Troubleshooting

Group Claim Not Found in Token

If no groups are being recognized, confirm that groupsClaim (OIDC) or groupsAttribute (SAML) is set in your authentication configuration and matches the exact claim or attribute name your identity provider uses, including case.

For OIDC, some providers require explicit configuration to include group memberships in the ID token:

  • Add the groups scope (or equivalent) to the OAuth scopes in your Ververica Platform configuration.
  • In your identity provider, enable group claims for the application registration.

For SAML, ensure your identity provider is configured to release the group attribute in assertions for the Ververica Platform service provider.

User Receives No Permissions Despite Group Membership

  1. Inspect the ID token or SAML assertion to verify the group values are present and match the expected format. For OIDC, decode the ID token at jwt.io to see the raw claims.
  2. Confirm that the group name in the userId value (after the group: prefix) in initialAccessFileContent exactly matches the group name in the token, including case and any special characters.
  3. For Azure Entra ID, check whether token size limits are causing groups to be omitted from the token. See Azure AD Token Size Limits.

Debugging OIDC and SAML Group Mappings

To diagnose group mapping issues, inspect the raw token or assertion during the authentication flow:

  • For OIDC: decode the ID token returned by your identity provider and look for the claim named in groupsClaim. Confirm both the claim name and the group name values.
  • For SAML: capture the SAML assertion (most browser developer tools or browser extensions can do this) and inspect the attribute named in groupsAttribute.

Once you confirm the exact group names in the token, compare them against the group:-prefixed userId values in your initialAccessFileContent.
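One way to automate the comparison described above and in the troubleshooting steps, as an added example that is not Ververica's own tooling: decode the ID token's claims segment, look up the claim named in groupsClaim, and report which group:-prefixed userId entries match exactly, which differ only in case, and which have no counterpart. The sample token and assignments are constructed here; the token is unsigned and its signature is deliberately not checked, since this is a name-comparison aid rather than an authentication step.

```python
# Added example, not Ververica's tooling: decode an OIDC ID token's claims and compare them
# with the group:-prefixed userId entries (signature deliberately not verified; diagnostic only).
import base64
import json
from typing import Dict, List

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed, unsigned sample token; note the capitalised "Platform-Admins" value.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"email": "alice@example.com", "groups": ["Platform-Admins", "data-team"]}),
    "signature-placeholder",
])

# Constructed initialAccess entries to compare against.
SAMPLE_ACCESS = [
    {"userId": "group:platform-admins", "workspaceId": "defaultworkspace", "role": "ADMIN"},
    {"userId": "group:data-team", "workspaceId": "defaultworkspace", "namespaceId": "analytics", "role": "VIEWER"},
    {"userId": "group:platform-editors", "workspaceId": "defaultworkspace", "namespaceId": "default", "role": "EDITOR"},
]

def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_group_mapping(claims: dict, groups_claim: str, initial_access: List[dict]) -> Dict[str, List[str]]:
    """Report exact matches, case-only mismatches and unmatched group: assignments."""
    report: Dict[str, List[str]] = {"claim_missing": [], "matched": [], "case_mismatch": [], "unmatched": []}
    token_groups = claims.get(groups_claim)
    if token_groups is None:
        report["claim_missing"].append(groups_claim)  # wrong claim name, or provider did not release it
        return report
    by_lower = {g.lower(): g for g in token_groups}
    for entry in initial_access:
        if not entry["userId"].startswith("group:"):
            continue
        name = entry["userId"][len("group:"):]
        if name in token_groups:
            report["matched"].append(name)
        elif name.lower() in by_lower:
            report["case_mismatch"].append(f"{name} vs token value {by_lower[name.lower()]}")
        else:
            report["unmatched"].append(name)
    return report
```

Run check_group_mapping(decode_jwt_payload(SAMPLE_TOKEN), "groups", SAMPLE_ACCESS) to see the case-only mismatch on platform-admins reported separately from the genuinely absent platform-editors group.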

Examples

OIDC Group Mapping

Identity provider ID token:

{
  "email": "alice@example.com",
  "groups": ["platform-admins", "data-team"]
}

Authentication configuration:

global:
  authentication:
    oidc:
      enabled: true
      clientId: my-client
      clientSecret: my-secret
      discoveryUri: https://idp.example.com/.well-known/openid-configuration
      groupsClaim: groups

Role assignments:

global:
  initialAccessFileContent:
    initialAccess:
      - userId: "group:platform-admins"
        workspaceId: defaultworkspace
        role: ADMIN
      - userId: "group:data-team"
        workspaceId: defaultworkspace
        namespaceId: default
        role: EDITOR

A user who belongs to platform-admins receives Admin access at workspace level. A user who belongs to both groups receives Admin at workspace level and Editor in the default namespace simultaneously.

SAML Group Mapping

Identity provider assertion:

<saml:Attribute Name="memberOf">
  <saml:AttributeValue>platform-editors</saml:AttributeValue>
</saml:Attribute>

Authentication configuration:

global:
  authentication:
    saml:
      enabled: true
      identity-provider:
        groups-attribute: memberOf

Role assignment:

global:
  initialAccessFileContent:
    initialAccess:
      - userId: "group:platform-editors"
        workspaceId: defaultworkspace
        namespaceId: default
        role: EDITOR

Multiple Groups, Multiple Roles

A user belongs to three groups: platform-owners, analytics-viewers, and global-admins.

global:
  initialAccessFileContent:
    initialAccess:
      - userId: "group:platform-owners"
        workspaceId: defaultworkspace
        namespaceId: production
        role: OWNER
      - userId: "group:analytics-viewers"
        workspaceId: defaultworkspace
        namespaceId: analytics
        role: VIEWER
      - userId: "group:global-admins"
        workspaceId: defaultworkspace
        role: ADMIN

The user receives Owner in the production namespace, Viewer in the analytics namespace, and Admin at workspace level. All three assignments apply simultaneously.