Identity and Access Management
Waii's security model is designed to ensure safe and reliable access and management of database connections, API access, SQL generation and optimization, and query execution. This documentation provides an overview of Waii's security principals, role-based access control (RBAC), and integration with federated identity providers.
Security Principals
Waii operates with two main principals:
- Waii User:
  - Each Waii user can be associated with multiple databases.
  - These connections are used to build and maintain the knowledge graph required for SQL generation and to execute queries.
  - Each Waii user can enhance their knowledge graph for each database by adding template queries to the training set and managing semantic context.
  - (Note that each user has a logical knowledge graph for each database; however, Waii does not duplicate objects that are used by multiple users.)
- Database User:
  - The database user credentials are used to connect to the databases associated with Waii users.
  - Access control of database objects is governed by the underlying database's permissions.
  - The same database user can be shared by multiple Waii users if desired (for example, with headless accounts).
Waii User Management
Waii users can be managed in two ways:
- Directly Through Waii:
  - Users can be created, managed, and deleted within the Waii platform.
  - In self-hosted environments, Waii uses a database to manage users.
  - In SaaS deployments, Waii uses Auth0 to manage user accounts.
- Federated Identity Providers:
  - Waii supports integration with federated identity providers such as Okta and Active Directory (AD).
  - This allows seamless, central management of users outside of Waii.
Waii Role-Based Access Control (RBAC)
Waii employs RBAC to control user permissions and actions within the platform. There are two primary roles:
- Admin:
  - Can add or delete databases in Waii.
  - Can publish semantic context and query templates for other users.
- User:
  - Can generate, optimize, analyze, and run queries.
Database Access Control
- Access control of database objects is passed through to the underlying database.
- A Waii user has only the read, write, or list access to databases, views, tables, rows, etc., that is granted to the database connection associated with the account. This applies to fine-grained access and masking policies as well.
Single Sign-On (SSO) Support
SSO for Waii Users
- Waii supports SSO, allowing users to log into Waii without a password.
- SSO integration uses SAML tokens to validate users through centrally managed identity providers.
SSO for Database Users
- Waii also supports SSO for database users.
- Centrally managed users can access databases with the roles assigned to them.
- Waii handles the SAML tokens for database connections, ensuring secure access and operations.