Authorization
RBAC Model
TensorDB provides role-based access control with table-level permissions.
Roles
| Role | Permissions |
|---|---|
| Admin | Full access — DDL, DML, configuration |
| ReadWrite | DML (INSERT, UPDATE, DELETE) + SELECT |
| ReadOnly | SELECT only |
Table-Level Permissions
-- Grant read access on specific tablesGRANT SELECT ON users TO role_readonly;
-- Grant write accessGRANT INSERT, UPDATE ON orders TO role_readwrite;
-- Revoke accessREVOKE ALL ON admin_logs FROM role_readwrite;Row-Level Security
Row-level security (RLS) policies restrict which rows a user can access based on SQL predicates.
CREATE POLICY
-- Only allow users to see their own rowsCREATE POLICY user_isolation ON orders FOR SELECT TO analyst, viewer USING (owner = CURRENT_USER);
-- Restrict deletes to admin roleCREATE POLICY admin_delete ON orders FOR DELETE TO admin USING (1 = 1);
-- Policy for all operationsCREATE POLICY tenant_isolation ON data FOR ALL USING (tenant_id = CURRENT_USER);DROP POLICY
DROP POLICY user_isolation ON orders;Policy Operations
| Operation | Applies To |
|---|---|
SELECT | Read queries |
INSERT | Insert operations |
UPDATE | Update operations |
DELETE | Delete operations |
ALL | All operations |
Policies are stored under __meta/policy/{table}/{name} and are evaluated at query time against the session user and roles.
Audit Log
TensorDB maintains an append-only audit log of all security-relevant operations.
Querying the Audit Log
-- Show recent audit eventsSHOW AUDIT LOG;SHOW AUDIT LOG LIMIT 50;Tracked Events
| Event Type | Trigger |
|---|---|
TableCreated | CREATE TABLE |
TableDropped | DROP TABLE |
IndexCreated | CREATE INDEX |
IndexDropped | DROP INDEX |
ViewCreated | CREATE VIEW |
ViewDropped | DROP VIEW |
PolicyCreated | CREATE POLICY |
PolicyDropped | DROP POLICY |
GdprErasure | FORGET KEY |
Login | User authentication |
UserCreated | User creation |
RoleGranted | Role grant |
RoleRevoked | Role revocation |
Audit events are stored under __audit_log/ prefix with monotonically increasing sequence numbers. Events are immutable — they cannot be modified or deleted.
GDPR Erasure
The FORGET KEY command supports GDPR right-to-erasure by tombstoning all temporal versions of a record.
-- Erase all versions of a specific keyFORGET KEY 'user_123' FROM customers;This command:
- Scans all temporal versions of the key in the specified table
- Writes empty-doc tombstones for every version found
- Triggers compaction to physically remove the data
- Records the erasure in the audit log
After erasure, historical AS OF queries will no longer return the erased key.