Introduction
Honeydew offers access control mechanisms to ensure secure, fine-grained management of user permissions across your organization. Access control in Honeydew operates at two primary levels:
Honeydew Metadata and Configuration
Applies to users working directly within Honeydew:
- Modeling and administrative actions within Honeydew Studio are governed by roles assigned to Honeydew users.
- API restrictions are determined by the roles assigned to users and/or the API keys used for API actions.
- Field-level access is governed by domains and workspace-level access control.
- Data retrieved through queries is controlled by the user data access roles defined in the underlying data warehouse.
A user may see a field in their BI tool but still be restricted from viewing the actual data if they lack the appropriate data access role.
User Sign-up and Login
Authentication Methods
Honeydew supports user sign-up and login using the following methods:
- Username / Password
- Basic SSO (Single Sign-On), using Google and Microsoft accounts
- Enterprise SSO (Single Sign-On), using one of the supported identity providers (see below).
If your organization uses a different SSO (Single Sign-On) provider, please contact support@honeydew.ai.
Multi-Factor Authentication (MFA)
When authenticating via username and password, Multi-Factor Authentication (MFA) is enabled and enforced for all users by default, with the option to manage it through individual user settings. Supported MFA methods include Google Authenticator, Duo Security, or comparable one-time password generators.
When using Single Sign-On (SSO), MFA is handled by the SSO provider and does not require separate configuration within Honeydew.
User Roles
Honeydew supports three distinct user roles, each with specific permissions and capabilities:
Admin Role
Required for: Setup, integration, credential management, deployment, and cache management functions.
Capabilities:
- Complete system administration and configuration
- User invitation and role management
- Integration setup and credential management
- Deployment and cache management
- Access to all organizational settings
- API keys creation and management
Editor Role
Required for: Modifying any semantic layer definitions.
Capabilities:
- Create, modify, and delete semantic layer components
- Access to modeling tools and data definitions
- Query execution and data exploration
- Limited administrative functions related to the semantic layer
Viewer Role
Required for: Read-only access, reviewing semantic layer definitions, querying data, or retrieving metadata.
Capabilities:
- View semantic layer definitions
- Query execution and data exploration
- Access to reporting and analytics features
- Access to AI bots
- Read-only access to metadata and documentation
Only users with the Admin role can invite additional users to the organization.
Organizations using SSO can manage user roles through their identity provider.
Workspace Level Access Control
Honeydew supports workspace-level access control, allowing you to restrict user access to specific workspaces within your organization. With workspace-level access control, you can manage access at a fine-grained level across teams, projects, or data domains.
Overview
Workspace-level access control allows you to:
- Restrict users to specific workspaces only
- Use separate Snowflake configuration and credentials per workspace
- Implement semantics and data segregation between different business units
- Control access to sensitive or confidential data domains
- Maintain compliance with data governance policies
Setup Instructions
To enable workspace-level access control for your organization, please contact Honeydew support at support@honeydew.ai.
- Admin Access: You must have Admin role permissions in Honeydew
- Workspace Planning: Identify which workspaces should be accessible to which users
- Access Requirements: Define the specific access patterns for your organization
- Contact Support: Reach out to support@honeydew.ai to enable workspace-level access control
- Snowflake Configuration: Ensure each workspace has the appropriate Snowflake configuration and credentials
- Define Access Rules: Configure the mapping of users to their allowed workspaces, and do the same for API keys.
Snowflake Access Control
Honeydew provides two primary approaches for managing Snowflake access control, each suited for different organizational needs and security requirements.
Option 1: Snowflake OAuth Integration
Best for: Organizations where individual users should access Snowflake using their own credentials and roles.
How It Works
- Each Honeydew user connects to Snowflake using their own Snowflake user account
- Users authenticate through Snowflake’s OAuth mechanism
- Access is controlled through Snowflake’s native role-based access control (RBAC)
- Users can leverage existing Snowflake SSO integration
Benefits
- Individual Accountability: Each user’s actions are tracked with their Snowflake identity
- Native Snowflake Security: Leverages Snowflake’s built-in security features
- SSO Integration: Works seamlessly with existing Snowflake SSO setups
- Granular Permissions: Users inherit their Snowflake role permissions
Setup Requirements
- Snowflake OAuth integration configuration
- Individual user Snowflake accounts with appropriate roles
- Network policies allowing Honeydew IP addresses
Option 2: Service Account with Domain-Level Access Control
Best for: Organizations using centralized service accounts with domain-based data access control.
How It Works
- Honeydew uses a single service account to connect to Snowflake
- Data access is controlled at the domain level through Snowflake roles
- Different domains are assigned different Snowflake roles
- Users accessing data through BI tools inherit the domain’s assigned role
Benefits
- Centralized Management: Single service account for easier credentials management
- Domain-Based Security: Data access controlled by domain assignments
- Simplified BI Integration: BI tools connect using domain-specific roles
- Audit Trail: Clear separation of access by domain
Implementation
- Service Account Setup: Configure a dedicated Snowflake service account
- Roles Mapping and Domain Configuration: Assign specific Snowflake roles to different domains in Honeydew
- BI Tool Integration: Configure BI tools to use domain-specific access
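The Snowflake side of the service-account approach, as an added example that is not part of the Honeydew documentation: one service user with key-pair authentication, one read-only role per domain, and a network policy limiting where that user can log in from. All object names, the public key value and the IP address are placeholders, and the example assumes each domain's data lives in its own schema.

```sql
-- Hypothetical names throughout: HONEYDEW_SVC, HD_DOMAIN_*, ANALYTICS, ANALYTICS_WH.

-- 1. Dedicated service user, authenticated by key pair rather than password.
CREATE USER IF NOT EXISTS HONEYDEW_SVC
  RSA_PUBLIC_KEY = '<PUBLIC_KEY_PLACEHOLDER>'
  COMMENT = 'Service account used by the semantic layer';

-- 2. One role per domain, each limited to read access on its own schema.
CREATE ROLE IF NOT EXISTS HD_DOMAIN_SALES;
CREATE ROLE IF NOT EXISTS HD_DOMAIN_FINANCE;

GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE HD_DOMAIN_SALES;
GRANT USAGE ON DATABASE ANALYTICS TO ROLE HD_DOMAIN_SALES;
GRANT USAGE ON SCHEMA ANALYTICS.SALES TO ROLE HD_DOMAIN_SALES;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.SALES TO ROLE HD_DOMAIN_SALES;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.SALES TO ROLE HD_DOMAIN_SALES;

GRANT USAGE ON WAREHOUSE ANALYTICS_WH TO ROLE HD_DOMAIN_FINANCE;
GRANT USAGE ON DATABASE ANALYTICS TO ROLE HD_DOMAIN_FINANCE;
GRANT USAGE ON SCHEMA ANALYTICS.FINANCE TO ROLE HD_DOMAIN_FINANCE;
GRANT SELECT ON ALL TABLES IN SCHEMA ANALYTICS.FINANCE TO ROLE HD_DOMAIN_FINANCE;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.FINANCE TO ROLE HD_DOMAIN_FINANCE;

-- 3. The service user may assume either domain role, and nothing broader.
GRANT ROLE HD_DOMAIN_SALES TO USER HONEYDEW_SVC;
GRANT ROLE HD_DOMAIN_FINANCE TO USER HONEYDEW_SVC;

-- 4. Restrict logins for the service user to the vendor's egress address.
--    203.0.113.10 is a documentation-range placeholder, not a real Honeydew IP.
CREATE NETWORK POLICY HONEYDEW_SVC_ONLY
  ALLOWED_IP_LIST = ('203.0.113.10/32');
ALTER USER HONEYDEW_SVC SET NETWORK_POLICY = HONEYDEW_SVC_ONLY;

-- 5. Review what was actually granted before mapping roles to domains.
SHOW GRANTS TO USER HONEYDEW_SVC;
SHOW GRANTS TO ROLE HD_DOMAIN_SALES;
SHOW GRANTS TO ROLE HD_DOMAIN_FINANCE;
```

Because the finance role holds no grant on `ANALYTICS.SALES` (and vice versa), a query issued under one domain's role fails on the other domain's tables even though the same service user runs both.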
IP Address Restrictions
Honeydew supports IP address restrictions to limit which IP addresses can access the platform, providing an additional layer of security for your organization. For detailed information about IP address restrictions, see the IP Access Control documentation.
AI Bots (Slack and Microsoft Teams) Access Control
Honeydew provides AI-powered bots for Slack and Microsoft Teams that enable conversational data analysis directly within your collaboration platforms. These bots support end-to-end user-level access control through integration with Honeydew’s authentication system. For detailed setup instructions, see:
BI Tools Access Control
Honeydew integrates with various Data Consumption and Business Intelligence (BI) tools to provide seamless data access and analytics capabilities. User access control for BI tools depends on the specific tool’s capabilities and authentication mechanisms.
Overview
Each BI tool has its own authentication and access control features:
- Some tools support individual user authentication through OAuth or SSO
- Others may require shared service account credentials
- Access control granularity varies by tool capabilities
API Keys Access Control
Honeydew supports both centralized and per-user API keys, providing flexibility in access control management based on your organization’s security requirements. For comprehensive information about API keys, including setup instructions and security best practices, see the API Keys documentation.
Integration with Other Security Features
User access control works in conjunction with other Honeydew security features:
Authentication Methods
- SSO: Access control applies regardless of authentication method
- API Keys: API key access is also subject to role and workspace restrictions
- MFA: Multi-factor authentication is still required for authorized users
Audit and Compliance
- Access Logs: All access attempts and actions are logged
- Compliance Reports: Access control data can be included in compliance reporting
- Security Monitoring: Integrate with your existing security monitoring tools
Best Practices
Role Management
- Principle of Least Privilege: Assign minimal necessary roles
- Regular Reviews: Periodically review user roles and access levels
- Separation of Duties: Ensure critical functions require multiple approvals
Workspace Access
- Clear Boundaries: Define clear workspace boundaries based on business needs
- Regular Audits: Review workspace access assignments regularly
- Documentation: Maintain clear documentation of workspace access policies
Snowflake Integration
- Secure Credentials: Use strong authentication methods (OAuth or key-pair)
- Role Alignment: Ensure Snowflake roles align with Honeydew user roles
- Network Security: Implement proper network policies and IP restrictions
IP Restrictions
- Comprehensive Coverage: Include all necessary IP ranges (office, VPN, cloud)
- Regular Updates: Keep IP address lists current with network changes
- Testing: Thoroughly test access from all authorized locations
Support
For questions, issues, or changes related to user access control, please reach out to support@honeydew.ai. Our team can help you:
- Configure workspace-level access control
- Set up Snowflake access control methods
- Implement IP address restrictions
- Troubleshoot access issues
- Review and optimize your access control configuration