Skip to main content
Coming Soon — This page describes an architecture that is currently in development and not yet generally available. Contact us to learn more.
The federated semantic layer is built on a multi-layer security model that ensures customer data is never exposed beyond the user’s existing permissions — without AstroBee needing to replicate or manage those permissions.

Multi-Layer Security

Layer 1: AstroBee Application Security

CapabilityDescription
User AuthenticationEmail/Password + MFA
Organization Multi-TenancyIsolates org data
Role-Based Access ControlAdmin/Editor/Viewer roles

Layer 2: Credential Management

CapabilityDescription
Encrypted Credential StorageAES-256 at rest
Per-User Token ScopingNever shared across users
Automatic Token RefreshOAuth refresh flow

Layer 3: Native Platform Security

Each connected data source enforces its own access control:
PlatformSecurity Model
SnowflakeRBAC with role hierarchies
DatabricksUnity Catalog with fine-grained access
SalesforceProfiles with object/field permissions

Layer 4: Audit & Compliance

CapabilityDescription
Query LoggingUser, SQL, timestamp
Access Audit TrailWho accessed what
Compliance ReportsGDPR/HIPAA exports

Zero-Trust Principle

AstroBee operates on a zero-trust model — it assumes it has no inherent rights to customer data and must prove authorization for every query.

Comparison with Traditional Data Integration

AspectTraditional (Service Account)Zero-Ingestion (User Tokens)
CredentialsSingle service account with broad accessIndividual user OAuth tokens
Permission ModelReplicate warehouse permissions in AstroBeeUse warehouse permissions directly
Access Escalation RiskHigh — service account is single point of failureLow — compromising one user token exposes only their data
Audit GranularityAll queries appear as service accountEvery query attributed to specific user
ComplianceMust maintain parallel access control systemInherits compliance from warehouse (SOC2, ISO)

Credential Lifecycle Management

Credentials go through a well-defined lifecycle:
1

Initial Connection

User redirects to data source OAuth, grants scopes (read data, list tables/objects), receives access + refresh tokens.
2

Active Usage

Tokens used for queries (validity varies by provider).
3

Background Refresh

Before expiry, AstroBee uses the refresh token to get a new access token (transparent to user).
4

Expiry/Revocation

If refresh fails, the connection is marked as expired and the user is prompted to re-authenticate.
5

Deletion

User can disconnect a data source anytime — tokens are securely deleted.

Compliance & Data Residency

Key Compliance Benefits

  • Data Residency — Customer data never leaves their cloud region. If Snowflake is in EU, data stays in EU.
  • GDPR Compliance — No data processing agreement needed (AstroBee doesn’t process personal data, just query results)
  • HIPAA Compliance — PHI remains in customer’s BAA-covered warehouse. AstroBee only sees aggregated results.
  • SOC2 Inheritance — Leverage data platform provider’s SOC2 certification (Snowflake, Databricks, Salesforce audited annually)
  • Right to Deletion — Deleting data in source system immediately reflects in AstroBee queries (no stale copies)

Audit Capabilities

  • Query logs — “Show all queries Bob ran against sensitive_customers table”
  • Access reports — “Which users accessed finance data in last 30 days?”
  • Compliance dashboards — Track failed permission attempts, unusual query patterns

Deployment: Customer Onboarding Flow

1

Admin setup

Organization admin connects data sources, defines ontology (business model).
2

User onboarding

Each team member authenticates individually with data sources (their own credentials).
3

Permission inheritance

Users automatically inherit their source system permissions in AstroBee.
4

Usage

Users ask questions, get insights respecting their access levels.

Next Steps

Federated Query Layer

Core architecture and credential delegation model

Architecture Overview

Back to the high-level architecture overview