RBAC Policy Best Practices

Policies control which telemetry streams — Metrics, Events, Logs, Traces, and APM — a team or service account can query. Understanding how Kloudfuse resolves access when multiple policies apply to the same team helps you design a policy structure that is both secure and maintainable.

Stream Access Resolution

Every time a user queries a stream, Kloudfuse evaluates access in a fixed order. The first matching condition determines the result.

USER STREAM QUERY
       │
       ▼
┌──────────────────────────┐    YES
│   User has Admin role?   │──────────────────────────► FULL ACCESS
└──────────┬───────────────┘
           │ NO
           ▼
┌──────────────────────────┐    NO     Check default_rbac_policy:
│  Any policy assigned to  │─────────► • rbac_allow_all  → FULL ACCESS
│  this team for stream?   │           • rbac_allow_none → NO ACCESS
└──────────┬───────────────┘
           │ YES
           ▼
┌──────────────────────────┐    YES
│  Any policy grants       │──────────────────────────► FULL ACCESS
│      "All Access"?       │
└──────────┬───────────────┘
           │ NO
           ▼
┌──────────────────────────┐    YES   FILTERED ACCESS
│  Any policy grants       │─────────► (union of all label filters:
│  "Filtered Access"?      │           data matching any filter
└──────────┬───────────────┘           across all policies is returned)
           │ NO
           ▼
       NO ACCESS

Admins always have full access to all streams regardless of any policy or default_rbac_policy setting.

Policy Access Types

Each policy defines one of three access levels per stream type.

| Access Type | What it means | Can it be overridden by another policy on the same team? |
|---|---|---|
| All Access | The team can query all data in this stream with no restrictions. | No — All Access is the highest level. Any single "All Access" policy grants full stream access, regardless of other policies. |
| Filtered Access | The team can only query data that matches specific label key-value pairs (for example, env=production). | Yes — a more permissive policy (All Access) overrides it. A less permissive policy (No Access) does not override it. |
| No Access | The team cannot query this stream. | Yes — any other policy granting Filtered or All Access overrides it. |

How Multiple Policies Combine on a Team

When a team has more than one policy assigned, Kloudfuse applies OR (union) logic across all policies for each stream independently. The most permissive result across all policies wins.

Example:

| Policy | Metrics | Logs | Traces |
|---|---|---|---|
| Policy A | All Access | No Access | Filtered (env=prod) |
| Policy B | No Access | Filtered (team=ops) | Filtered (env=staging) |
| Effective access | Full Access (Any "All" wins) | Filtered (team=ops) (Filtered overrides No Access) | Filtered (env=prod OR env=staging) (union of both filters) |

Key rules to remember:

  • All Access in any policy → the team has full access to that stream, even if another policy says No Access.

  • No Access in all policies → the team has no access to that stream.

  • Multiple Filtered policies → data matching any of the filters is returned (OR logic). Adding more filter policies expands access rather than restricting it.

The Default RBAC Policy Fallback

Non-Admin users whose teams have no policy assigned for a stream fall through to the default_rbac_policy platform setting:

user-mgmt-service:
  config:
    default_rbac_policy: rbac_allow_all  # or rbac_allow_none
| Setting | Effect on users with no team policy |
|---|---|
| rbac_allow_all | Full access to all streams. Use in low-security environments or during initial rollout where open access is acceptable. |
| rbac_allow_none | No access to any stream. Requires explicit policies to be assigned before users can query data. Recommended for production environments with strict data isolation requirements. |

Admin users are unaffected by default_rbac_policy. They always have full access.
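
The resolution order, the union rule for multiple policies, and the default_rbac_policy fallback described above can be modeled in a few lines to check a planned policy set before assigning it. This is an added example, not Kloudfuse code: the names Grant, resolve and visible and the dict-per-policy representation are assumptions, as is treating a policy that does not mention a stream as "no policy assigned" for that stream.

```python
from dataclasses import dataclass

ALL, FILTERED, NONE = "All Access", "Filtered Access", "No Access"

@dataclass(frozen=True)
class Grant:                               # hypothetical model of one policy entry
    level: str
    filters: frozenset = frozenset()       # (label, value) pairs, FILTERED only

def resolve(is_admin, team_policies, stream, default_rbac_policy):
    """Return (level, filters) for one stream, following the documented order."""
    if is_admin:                                   # 1. Admin short-circuits everything
        return ALL, frozenset()
    grants = [p[stream] for p in team_policies if stream in p]
    if not grants:                                 # 2. no policy -> platform default
        if default_rbac_policy == "rbac_allow_all":
            return ALL, frozenset()
        if default_rbac_policy == "rbac_allow_none":
            return NONE, frozenset()
        raise ValueError(f"unknown default_rbac_policy: {default_rbac_policy!r}")
    if any(g.level == ALL for g in grants):        # 3. any All Access wins
        return ALL, frozenset()
    merged = frozenset().union(*(g.filters for g in grants if g.level == FILTERED))
    if merged:                                     # 4. union (OR) of all filters
        return FILTERED, merged
    return NONE, frozenset()                       # 5. only No Access remains

def visible(record_labels, level, filters):
    """True if a record with these labels would be returned to the team."""
    if level == ALL:
        return True
    return level == FILTERED and any(record_labels.get(k) == v for k, v in filters)

# Constructed sample: Policy A and Policy B from the example table on this page.
POLICY_A = {"metrics": Grant(ALL), "logs": Grant(NONE),
            "traces": Grant(FILTERED, frozenset({("env", "prod")}))}
POLICY_B = {"metrics": Grant(NONE),
            "logs": Grant(FILTERED, frozenset({("team", "ops")})),
            "traces": Grant(FILTERED, frozenset({("env", "staging")}))}

if __name__ == "__main__":
    # "events" has no policy in either sample, so it exercises the default fallback.
    for stream in ("metrics", "logs", "traces", "events"):
        level, filters = resolve(False, [POLICY_A, POLICY_B], stream, "rbac_allow_none")
        print(f"{stream:8} {level:16} {sorted(filters)}")
```
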

Recommendations

Start with rbac_allow_none

Set default_rbac_policy: rbac_allow_none and grant access explicitly through policies. This prevents new users or teams from inadvertently accessing data before a policy is assigned.

Use Filtered Access instead of All Access where possible

All Access cannot be narrowed by adding another policy to the same team. If you later need to restrict a team’s access, you must remove the All Access policy and replace it. Filtered Access policies are easier to adjust incrementally.

Define policies at the stream level

Create separate, single-purpose policies — for example, one policy for production Logs and another for staging Metrics. Combining multiple stream types in a single policy makes it harder to audit and adjust access over time.

Understand that adding a filter policy always expands access

Because Kloudfuse uses union (OR) logic, adding a Filtered policy to a team that already has a Filtered policy will increase what data the team can see, not restrict it. If you need to restrict access further, remove the existing policy and replace it with a more specific one.

Verify effective access before promoting to production

After assigning policies to a team, review Effective Policies in the Team detail interface. The Effective Policies view shows the resolved access level per stream, making it easy to spot unintended combinations before they affect users.

For instructions on reviewing effective policies, see Review Effective Policies.

Apply consistent policies across related streams

APM Services correlates Metrics and Traces data. If a team has different access levels for these two streams, the APM Services interface may not display complete information. Apply the same access level to both Metrics and Traces for teams that use APM.