User, role, and group management with role-based access control.

## Overview

The Access Control page is the central administration surface for role-based access control (RBAC) in DeltaForge. It provides full CRUD operations for users, roles, groups, and service principals, and exposes the grant and revocation workflow for both object-level permissions and feature flags. Platform administrators use this page to define who can access which zones, schemas, and tables, and to control which product features are available to each role.

All mutations issued from this page are sent to the control plane HTTP API; the GUI never accesses the catalog database or keychain directly. Changes take effect immediately and are reflected in subsequent authorization checks across all connected compute nodes.

## Key Features

- Create, edit, disable, and drop users. Each user record includes authentication credentials, default role assignment, and workspace membership.
- Define roles in a hierarchical tree. Child roles inherit all privileges of their parent, which simplifies permission management for large organizations.
- Organize users into groups. Granting a role to a group propagates the grant to every member, eliminating the need for per-user assignment.
- Manage service principals for non-interactive workloads such as scheduled pipelines and CI integrations.
- Grant and revoke object-level permissions (SELECT, INSERT, CREATE, etc.) at the zone, schema, or table scope.
- Assign feature flags per role to gate access to preview or licensed capabilities such as graph analytics or advanced lineage extraction.
- Review effective permissions for any principal by inspecting the resolved privilege set after role inheritance and group membership are applied.

## Workflow

1. Navigate to the Admin section and select Access Control.
2. Use the Users tab to create or import user accounts. Assign a default role and workspace to each user.
3. Switch to the Roles tab to define a role hierarchy. Create top-level roles (e.g., data_engineer, analyst) and optional child roles for finer-grained control.
4. Open the Groups tab to create groups and add users. Assign roles to groups rather than individual users when possible.
5. Select a role and open the Grants panel. Grant object permissions at the desired scope (zone, schema, or table) and enable or disable feature flags.
6. Use the Effective Permissions view to verify that a specific user or service principal resolves to the intended privilege set.
7. Save changes. The control plane propagates updated grants to all active sessions.
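
A model of the resolution described above (default role plus group-granted roles, each expanded through its parent chain), written as an added example and not DeltaForge code. The data structures, the `pipeline_engineer` role, the groups, principals and grants are all constructed assumptions; the point is that a review should compare the resolved set against the intended one and see which role contributes each extra grant.

```python
# Constructed sample data; names and layout are assumptions, not DeltaForge's schema.
ROLE_PARENT = {"analyst": None, "data_engineer": None,
               "pipeline_engineer": "data_engineer"}
ROLE_GRANTS = {
    "analyst": {("SELECT", "zone:sales")},
    "data_engineer": {("SELECT", "zone:raw"), ("INSERT", "schema:raw.events")},
    "pipeline_engineer": {("CREATE", "schema:raw.staging")},
}
GROUP_ROLES = {"etl_team": {"pipeline_engineer"}, "bi_team": {"analyst"}}
GROUP_MEMBERS = {"etl_team": {"alice", "svc_nightly"}, "bi_team": {"alice", "bob"}}
DEFAULT_ROLE = {"alice": "analyst", "bob": "analyst", "svc_nightly": None}


def role_chain(role):
    """Yield a role and all its ancestors; a child inherits every parent privilege."""
    seen = set()
    while role is not None:
        if role in seen:  # a malformed hierarchy must fail loudly, not loop
            raise ValueError(f"cycle in role hierarchy at {role!r}")
        seen.add(role)
        yield role
        role = ROLE_PARENT[role]


def effective_permissions(principal):
    """Return {(privilege, scope): sorted roles that contribute that grant}."""
    roles = set()
    if DEFAULT_ROLE.get(principal):
        roles.add(DEFAULT_ROLE[principal])
    for group, members in GROUP_MEMBERS.items():
        if principal in members:  # a grant to a group reaches every member
            roles |= GROUP_ROLES.get(group, set())
    resolved = {}
    for direct in roles:
        for role in role_chain(direct):
            for grant in ROLE_GRANTS.get(role, ()):
                resolved.setdefault(grant, set()).add(role)
    return {grant: sorted(src) for grant, src in resolved.items()}


def unexpected(principal, intended):
    """Grants the principal holds beyond the intended set (least-privilege check)."""
    return sorted(set(effective_permissions(principal)) - set(intended))
```

Here `alice` is intended to be an analyst, but membership in `etl_team` also gives her `pipeline_engineer` and, through inheritance, everything `data_engineer` holds; `unexpected("alice", {("SELECT", "zone:sales")})` lists those three extra grants.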