Alexander Preuß

How to secure Pulsar with Role-Based-Access-Control (RBAC)

Introduction

As more teams adopt streaming data, it becomes essential to balance accessibility with security. Apache Pulsar, combined with Streamvisor's Role-Based-Access-Control (RBAC), makes it easy to grant the right level of access to the right people, enabling collaboration without sacrificing control.

In this guide, we’ll walk through setting up RBAC to restrict access to specific topics, ensuring users can consume the data they need without risking accidental changes or exposure to unrelated streams.

The Scenario

Logged in as an admin user, we can see the full Pulsar environment: multiple tenants, each with several namespaces and topics.

Now imagine the Customer Support team needs access to the customer topic in the crm namespace of the demo tenant. They should be able to view the topic and consume messages, but not modify anything or access other topics.

This is a perfect use case for RBAC.

Creating a Group

The first step is to create a group for the team. In the sidebar, click on Groups to see the list of existing groups. Then click on the New Group button on the top right to create a new group and fill out its name and description. In our example, we will name our group customer-support.

Members of this group will inherit whatever permissions we assign. This way, access control is managed at the group level - no need to configure each user individually.

Assigning Permissions

Once you have opened the group detail page, you can grant permissions. There are two types of permissions you can define:

  • Platform Permissions: allow management of Streamvisor configurations
  • Resource Permissions: allow management of Pulsar resources

Platform Permissions are typically needed only by admins or DevOps users. For our customer-support team, we only need to define Resource Permissions.

Under Resource Permissions > Topic Permissions, click on Add Permission to define a new rule:

  1. Select the Pulsar environment it should apply to
  2. Specify the resource identifier, in our case demo/crm/customer
  3. Select which actions to enable, in our case View, Consume, View Schema
  4. Click on Save Permissions to update your configuration.

Now, the customer-support group has read-only access to exactly the data they need, nothing more.

Assigning Users

To add users to our customer-support group, scroll to the Members section. Here you can see the list of group members.

To add a user to this group, click on Add Members and select the users you want to add, then press Confirm. You will now find the newly added users in the members list.

Testing as a Restricted User

To confirm the setup, log in as a user that you previously assigned to the customer-support group.

In the Explorer, you will now notice a very different view compared to the admin user:

  • Instead of seeing all tenants, only the demo tenant is visible
  • Within the demo tenant, only the crm namespace appears
  • Inside the crm namespace, only the customer topic is available

Opening the customer topic, the user can safely consume messages or inspect the topic schema without the risk of altering topic data or accessing unrelated streams.
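
The topic rule from Assigning Permissions and the restricted Explorer view above can be modeled as a deny-by-default check, which is also handy for auditing that a group stays read-only. This is an added example, not Streamvisor's code or API: the data model, the environment name demo-env, the user alice, and exact-match evaluation are assumptions made for illustration.

```python
# Illustrative model only: not Streamvisor's implementation or API.
from dataclasses import dataclass

# The three actions enabled in the tutorial's topic rule.
READ_ONLY = frozenset({"View", "Consume", "View Schema"})

@dataclass(frozen=True)
class TopicPermission:
    environment: str    # Pulsar environment the rule applies to
    resource: str       # tenant/namespace/topic identifier
    actions: frozenset  # actions enabled by the rule

# Constructed sample data mirroring the rule built in this guide.
# "demo-env" and "alice" are hypothetical names.
GROUPS = {
    "customer-support": [
        TopicPermission("demo-env", "demo/crm/customer", READ_ONLY),
    ],
}
MEMBERS = {"alice": ["customer-support"]}

def rules_for(user):
    """Collect every rule a user inherits through group membership."""
    return [r for g in MEMBERS.get(user, []) for r in GROUPS.get(g, [])]

def is_allowed(user, environment, resource, action):
    """Deny by default; allow only on an exact environment/resource/action match
    (exact matching is an assumption of this model)."""
    return any(
        r.environment == environment and r.resource == resource and action in r.actions
        for r in rules_for(user)
    )

def visible_tree(user, environment):
    """Tenants and namespaces appear only as ancestors of a viewable topic."""
    tree = {}
    for r in rules_for(user):
        if r.environment == environment and "View" in r.actions:
            tenant, namespace, topic = r.resource.split("/")
            tree.setdefault(tenant, {}).setdefault(namespace, set()).add(topic)
    return tree

def audit_read_only(group):
    """Return (resource, action) pairs that go beyond the read-only set."""
    return [(r.resource, a) for r in GROUPS[group] for a in sorted(r.actions - READ_ONLY)]
```

An empty result from audit_read_only means the group carries no action outside View, Consume and View Schema.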

Wrapping Up

RBAC in Pulsar ensures that the right people see the right data - no more, no less.
By grouping users and assigning precise permissions, you democratize access to your streaming data, while keeping security and data governance front and center. Try it out next time you need to onboard new team members, limit data visibility, or just make sure you stay compliant with governance guidelines!

About the Author
Alexander Preuß is a seasoned expert in the data streaming field with extensive experience as a software engineer at both startups and large enterprises. Specializing in distributed systems, he has contributed to various open source projects, including Apache Flink, Apache Kafka, and Apache Pulsar, along with their ecosystems. Prior to founding Streamvisor, Alexander worked at Ververica (acquired by Alibaba) and StreamNative.
