​

Authentication and Security

​

Overview

​

Security Architecture

User Authentication Layer
         ↓
Role-Based Access Control (RBAC)
         ↓
Application Security Layer
         ↓
Data Source Security
         ↓
Network & Infrastructure Security

• Zero Trust: Every request is authenticated and authorized
• Least Privilege: Users receive minimum necessary permissions
• Defense in Depth: Multiple security layers protect against threats
• Audit Trail: Complete logging of security-relevant activities

​

Security Components

• Token-based authentication with automatic renewal
• Session management with configurable timeouts

• Hierarchical role-based permission system
• Granular access control for data sources and features
• API key management for programmatic access

• Encrypted credential storage and transmission
• Data source access controls and query filtering
• Audit logging of all data access activities

• HTTPS/TLS encryption for all communications
• Secure integration with external systems
• Network isolation and firewall protection

​

User Authentication

​

Authentication Flow

​

Login Process

1. User Login: User provides credentials (username/password)
2. Credential Validation: System validates against configured authentication provider
3. Token Generation: System generates secure access token with expiration
4. Session Establishment: User session created with appropriate permissions
5. Token Renewal: Automatic token refresh before expiration

​

Token Management

Login → Token Issued (Valid 1 hour) → Auto-Renewal (if active) → Session Timeout/Logout

• Expiration: Default 1-hour lifetime with automatic renewal
• Scope: Contains user identity and role information
• Storage: Securely cached in browser with automatic cleanup

​

Authentication Methods

​

Local Authentication

• Username and password stored securely in the system
• Password complexity requirements configurable
• Account lockout protection after failed attempts
• Password expiration and rotation policies

1. Administrator creates account through user management interface
2. Initial credentials provided securely to user
3. First login may require password change
4. User profile populated with role assignments and permissions

​

Role-Based Access Control (RBAC)

​

Permission Hierarchy

​

Role Definitions

Capabilities:
├── All system administration functions
├── User management and role assignment
├── LLM configuration and system settings
├── Access to admin overlay and advanced features
├── Full data source and connector management
└── All query and analysis capabilities

Capabilities:
├── Users and Groups management menu access
├── Add, remove, and manage users within tenant
├── Create and manage groups with permissions
├── Create tenant-wide rules for all users
├── Configure tenant resources and settings
├── Data Agent and Data Sources management
├── Data Connections configuration
├── Playground access for querying
└── Personal API key management

Requirement: Both ROLE_ADMINISTER_USERS AND ROLE_ADMINISTER_GROUPS
must be present (supervisor role includes both automatically)

Capabilities:
├── Data Agent access for AI-powered data source creation
├── Data Sources management and configuration
├── Playground access for natural language querying
├── Personal API key management
└── Basic user query capabilities

Capabilities:
├── Data Connections configuration and management
├── Database connection setup and testing
├── Playground access for querying connected data
├── Infrastructure integration capabilities
└── Basic user query capabilities

Capabilities:
├── Playground interface for natural language queries
├── Query results viewing, analysis, and export
├── Personal settings and preferences
└── Personal API key management

​

Permission Enforcement

​

UI-Level Access Control

• Menu items appear only for users with appropriate permissions
• Disabled or hidden interface elements for restricted functions
• Role-based redirection to appropriate landing pages

// Supervisor sees all menu items
[Home, Data Agent, Data Sources, Data Connections, Playground, Admin]

// ROLE_CREATE_SOURCES sees
[Home, Data Agent, Data Sources, Playground]

// Basic User sees  
[Home, Playground]

​

API-Level Authorization

• Token validation: Verify user authentication token
• Permission check: Ensure user has required role for requested operation
• Resource access: Verify user can access specific data sources or resources
• Action authorization: Confirm user can perform the requested action

API Request → Token Validation → Role Check → Resource Access Check → Action Execution

​

Dynamic Permission Evaluation

​

Context-Aware Permissions

• User roles: Assigned roles and their associated capabilities
• Data source access: Specific permissions for individual data sources
• Resource ownership: Access to user-created resources
• Time-based access: Configurable time-based access restrictions

​

Permission Caching and Performance

• Permission cache: User permissions cached in session for performance
• Cache invalidation: Automatic cache refresh when roles change
• Minimal latency: Sub-millisecond permission checks for common operations

​

API Security

​

API Key Management

​

Personal API Keys

• Self-service creation: Users generate their own API keys through the interface
• Permission inheritance: API keys inherit the user’s role-based permissions
• Key rotation: Users can regenerate keys as needed for security

• Key generation: Create new API keys with custom names/descriptions
• Key visibility: Toggle between masked and visible key display
• Key deletion: Remove compromised or unused keys
• Usage monitoring: Track API key usage patterns

​

API Key Security Features

• Key masking: Keys displayed as •••••••• by default with reveal option
• Audit logging: All API key operations logged for security monitoring

​

API Authentication

​

Authentication Methods

# API request with authentication
curl -H "Authorization: Bearer your-api-key" \
     https://your-domain/api/v1/query

1. Client includes API key in Authorization header
2. Server validates key against stored keys
3. User permissions retrieved based on key owner
4. Request processed with user’s permission context

​

API Security Best Practices

​

For API Users

• Never commit keys to version control or share in plain text
• Use environment variables to store keys in applications
• Rotate keys regularly according to security policies
• Monitor key usage for unexpected activity

• Always use HTTPS for API requests
• Validate responses and handle errors appropriately
• Implement retry logic with exponential backoff
• Log API usage for debugging and monitoring

​

For Administrators

• Monitor API usage patterns across all users
• Set up alerts for unusual activity or potential abuse
• Regular security audits of API key usage and permissions
• Enforce corporate policies for API key management

​

Data Security

​

Data Source Access Control

​

Permission-Based Data Access

1. Connection-level: User must have appropriate role to use data connections
2. Source-level: Specific permissions required for individual data sources
3. Query-level: Row and column-level security applied during queries
4. Result-level: Additional filtering applied to query results

​

Credential Management

​

Secure Credential Storage

• Encryption at rest: All credentials encrypted using strong encryption
• Secure transmission: Credentials transmitted only over encrypted connections
• Access control: Only authorized systems can access stored credentials

​

AI Provider Credential Security

• Encrypted storage: All AI provider credentials encrypted at rest
• Scope limitation: Credentials configured with minimal necessary permissions

​

Data Privacy and Compliance

​

Data Processing Privacy

• Query text: Natural language questions (may contain business context)
• Schema information: Table and column names for query generation
• No raw data: Actual data values never sent to external AI services

• Local processing: Data analysis performed within your infrastructure
• Minimal external data: Only metadata sent to AI providers
• Data sovereignty: Support for regional data processing requirements

​

Troubleshooting Security Issues

​

Common Authentication Problems

​

Login Failures

• Verify credentials: Ensure username and password are correct
• Check account status: Verify account is not locked or disabled
• Password expiration: Check if password has expired

• Token renewal: Check if automatic token renewal is working
• Session timeout: Verify session timeout configuration
• Network connectivity: Ensure stable connection during session
• Clear browser cache: Try clearing cookies and browser cache

​

Permission Issues

• Role verification: Check user’s assigned roles in user management
• Permission propagation: Wait for permission changes to take effect
• Resource-specific access: Verify user has access to specific data sources
• Session refresh: Log out and back in to refresh permissions

​

API Authentication Issues

​

API Key Problems

• Key format: Verify API key format and completeness
• Key status: Check if API key has been revoked or expired
• User permissions: Ensure API key owner has required permissions
• Rate limiting: Check if requests are being rate limited

• Key visibility: Use reveal toggle to verify key is copied correctly
• Key rotation: Generate new key if current key is compromised
• Permission inheritance: Verify user’s role provides necessary API permissions

​

Security Best Practices

​

For Users

​

Account Security

• Use strong, unique passwords for Simba Intelligence accounts
• Enable password managers to generate and store secure passwords
• Change passwords immediately if compromise is suspected
• Report suspicious account activity to administrators

• Always log out when finished, especially on shared computers
• Don’t share login credentials with colleagues
• Use secure networks and avoid public WiFi for accessing sensitive data
• Keep browser and security software updated

​

API Security

• Never share API keys or commit them to version control
• Store API keys securely using environment variables or secret management
• Rotate API keys regularly according to security policies
• Monitor API key usage for unexpected activity

​

For Administrators

​

System Hardening

• Enforce strong password policies and multi-factor authentication
• Implement principle of least privilege for all user accounts
• Regular security audits and permission reviews
• Keep system components updated with latest security patches

• Implement comprehensive security monitoring and alerting
• Establish incident response procedures and practice regularly
• Regular backup and disaster recovery testing
• Maintain security documentation and runbooks

​

Compliance and Governance

• Implement appropriate data classification and handling procedures
• Ensure compliance with relevant regulations (GDPR, HIPAA, SOX, etc.)
• Regular compliance audits and documentation updates
• Data retention and destruction policies

• Develop and maintain comprehensive security policies
• Regular security training for users and administrators
• Vendor security assessments for third-party integrations
• Business continuity and disaster recovery planning