Announcing Fine-Grained Access Controls
Today, we’re thrilled to announce a significant enhancement to Arraylake: fine-grained, repository-level permissions! This highly anticipated feature empowers you with unprecedented control over who can access your valuable array data, and how.
By popular request
As teams and organizations grow in size and in their use of Arraylake, managing data access has become a complex challenge. Sharing data products efficiently while maintaining security and compliance is paramount. Without granular controls, organizations often face:
- Increased regulatory risk: Many industries operate under strict data governance regulations. Over-broad access can lead to compliance violations and significant penalties.
- Security vulnerabilities: Granting excessive permissions to individuals or automated processes increases the risk of accidental data modification, deletion, or exposure.
- Operational bottlenecks: Manual, ad-hoc access management slows down data sharing and collaboration, hindering productivity for teams building services or products on top of Arraylake and Flux.
- Insufficient access: Conversely, overly restrictive access can prevent legitimate users from accessing the data they need, slowing down development and innovation.
Our new fine-grained access controls directly address these issues, enabling you to confidently share your data while minimizing risk.
These new permissions are designed for a wide range of Arraylake users and use cases, including:
- Organizations with growing teams: Easily onboard new team members and ensure they have precisely the right level of access to your data.
- Organizations sharing data products externally: Confidently share data with partners, clients, or external collaborators without compromising your internal security or data product integrity.
- Teams building products or services on top of Flux: Grant tightly scoped permissions to automated jobs, web services, and applications that interact with your data via the Flux API.
Consider these practical examples:
- Your internal teams have noticed and coveted the productivity gains your team has achieved with Arraylake and Flux and want to join the party. Now you can grant them read-only access to your production datasets, allowing them to leverage your data without the risk of accidental changes.
- You can give an automated job tightly scoped write access to a specific repository, ensuring it can only modify the data it’s intended to.
- You want to give your data customers direct Zarr read access, but only to a specific repository.
- Building a web map that visualizes your data product via Flux WMS? Grant your WMS client least-privileged access via a tightly scoped token that allows access only through Flux.
- You can now give data customers direct read access to a specific repo via Flux OPeNDAP, streamlining data delivery.
- You can give your analysts read access via Flux EDR so they can pull live CSV representations of all of your data products.
A simple privilege model
We’ve introduced three main levels of user privileges, which can be applied at the organization level or to individual repositories:
- Admin: Users with admin privileges can create and manage other users and repositories within their scope (org or specific repo).
- Write: Users with write privileges can read from and write to repositories within their scope.
- Read: Users with read privileges can only read from repositories within their scope.
In addition to user privileges, you can now grant tokens specific permissions:
- Read: Allows the token to read data directly via Zarr and via Flux.
- Write: Allows the token to read and write data directly via Zarr and via Flux.
- Read-with-Flux-only: This specialized privilege allows the token to access data only via Flux (e.g., WMS, OPeNDAP, EDR), and not directly via Zarr. This is perfect for public-facing applications or integrations where direct Zarr access isn’t required or desired.
Availability
We’re excited to announce that these new fine-grained access controls are released today to all our users! There’s no migration or transition necessary; you can start using these powerful new features immediately.
To learn more and get started, check out our documentation.
We believe these new access controls will significantly enhance your ability to manage, share, and leverage your array data with greater security and efficiency. We look forward to seeing the amazing things you’ll build with Arraylake!