RBAC in ParadeDB secures vector indexes and search functions with PostgreSQL role-based permissions.
RBAC prevents unauthorized users from creating, querying, or deleting ParadeDB indexes.It leverages native PostgreSQL roles, so you keep one security model.
Users need: ① USAGE on the schema holding vector indexes, ② EXECUTE on ParadeDB search functions, ③ INSERT/UPDATE on tables that store embeddings, and ④ SELECT on any materialized view used for search.
Create a dedicated role (e.g., product_searcher) and grant only the minimum rights required for read-only vector search.Then assign that role to analysts.
PostgreSQL grants EXECUTE on new functions to PUBLIC by default. REVOKE that right first, then grant explicit roles so ParadeDB functions stay private.
Turn on log_statement=‘ddl’ or pgAudit to record who runs ParadeDB DDL, ensuring you catch unauthorized index drops or re-ingests.
Place all ParadeDB objects in a paradedb schema. Grant USAGE only to trusted roles.This isolates vector operations from core OLTP data.
Give each microservice its own login role and bind it to a limited ParadeDB role. Compromise in one service won’t expose all vector data.
.
Yes. Create RLS policies on the underlying tables. ParadeDB respects them because it calls standard SELECT queries under the hood.
No. A role with CREATEROLE can manage RBAC. Superuser is only needed when first installing the ParadeDB extension.
No. Use ALTER DEFAULT PRIVILEGES to automatically grant EXECUTE on any new functions inside the paradedb schema.