Hey @jocelyn here! I sometimes run across questions about access control in Pinecone and how it works.
Curious?
Well, read on:
1 Like
Basicially, Pinecone implements access control through several key mechanisms:
1. API Keys and Permissions:
- Each project has one or more API keys for authentication
- API keys can be assigned different permission roles including ReadWrite, ReadOnly, or None for both control plane and data plane operations
2. Role-Based Access Control (RBAC):
- Pinecone uses RBAC to manage access to resources
- Access is determined by roles assigned to principals (service accounts, API keys, and users) for specific resources (projects or organizations)
3. Single Sign-On (SSO):
- [Enterprise dedicated tier organizations can set up SSO to manage team access through their identity management solution
- Organizations can require domain users to sign in through SSO and specify default roles
4. Audit Logging:
- Provides detailed records of user and API actions
- Events are captured every 30 minutes and saved as JSON blobs
- Logs track organization events, project events, index events, and security events
The system is designed to ensure:
- Data protection through proper authorization)
- Compliance with industry regulations
- Accountability through audit trails
- Scalability and flexibility as organizations grow
1 Like
The reason Im posting this here is because as the head of community,. I attend a lot of events, and meet a lot of users as a result (and prospective users on the fence!)
I would say that questions around access control are one of the top categories I’m asked about.
of course on the one hand it would be odd indeed if Pinecone had not considered these issues.
I don’t think anyone seriously expects that to be the case, which is why I don’t take the challenge at face value, but instead dig in with clarifying questions.
Those clarifying questions generally reveal that people are wondering not about whether it exists at all, but whether its in a state where it would be feasible to introduce to their workflow.
So it isn’t quite that people dont think we would have those in place, but how it’s implemented, how robust it is, and scalability - those are all feeding into the question benetah the question, which is: what are you doing and why should I trust you?
^ I actually did not write this using ChatGPT, so I apologize if that ending sounds choppy 
At any rate, feel free to imagine I wrapped up with some em-dashes, rhetorical questions and something that was “the best part of all”. 
Hopefully some folks who made it this far will have comments and and replies below.
We’re here, we (mostly) human and we want to talk with you!