By default, no user can read, write, or entitle (add entitlements to) any data in TwiceDB. To grant access, you must connect to TwiceDB with the admin-entitlements credentials provided on sign-up and add the appropriate level of access: read, write, and/or entitle.
Each entitlement grants access on a (User, Fqn) pair, where User is the EmailAddress carried in the client certificate presented on connect. The admin-entitlements credentials are special: they are not associated with any EmailAddress, but they hold entitle permission on every pair. You may add read and/or write access for those credentials if you wish. However, we recommend maintaining separation of duties by not expanding admin-entitlements' access; instead, grant each User's credentials only the minimum permissions required.
For broad access to shared data, TwiceDB also accepts entitlements on the following wildcard pairs (each wildcard entitlement carries its own read, write and/or entitle level, like any other):

Wildcard            Access
(*, Fqn)            All users have access to Fqn.
(EmailAddress, *)   EmailAddress has access to all Fqns.
(*, *)              All users have access to all Fqns.
Bitemporality
Entitlements are themselves bitemporal so that reads remain referentially transparent: a query evaluated at a transaction time (tt) sees only the entitlements that had been recorded by that tt. Consequently, a query that fails with insufficient permissions at some tt in the past will keep failing at that tt even after the necessary entitlement is added, because the new entitlement is recorded at a later tt.
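The rules above (default deny, the special admin-entitlements principal, wildcard pairs, and entitlement checks evaluated as of a transaction time) can be modelled in a few dozen lines. The following is an added illustration written for this page, not TwiceDB's client or server code; it tracks transaction time only (not valid time), and it assumes that a User holding entitle on an Fqn may grant permissions on that Fqn to any User, which the page does not spell out.

```python
"""Toy model of the entitlement semantics described above (not TwiceDB code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ADMIN = "admin-entitlements"   # special credential bound to no EmailAddress
ANY = "*"                      # wildcard for either side of the (User, Fqn) pair
PERMS = frozenset({"read", "write", "entitle"})


@dataclass(frozen=True)
class Grant:
    user: str               # EmailAddress from the client certificate, or "*"
    fqn: str                # fully-qualified name of the data, or "*"
    perms: FrozenSet[str]   # subset of PERMS
    tt: int                 # transaction time at which this grant was recorded


class EntitlementStore:
    """Append-only grant log; every check is evaluated as of a transaction time tt."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.clock = 0      # last committed transaction time

    @staticmethod
    def _matches(g: Grant, user: str, fqn: str) -> bool:
        return g.user in (ANY, user) and g.fqn in (ANY, fqn)

    def allowed(self, user: str, fqn: str, perm: str, tt: Optional[int] = None) -> bool:
        """True if `user` holds `perm` on `fqn` as of transaction time `tt` (default: now)."""
        if perm not in PERMS:
            raise ValueError(f"unknown permission {perm!r}")
        if tt is None:
            tt = self.clock
        if user == ADMIN and perm == "entitle":
            return True     # admin-entitlements entitles every (User, Fqn) pair
        # Only grants committed at or before tt are visible. A read at a past tt
        # therefore keeps failing after a later grant: referentially transparent reads.
        return any(g.tt <= tt and perm in g.perms and self._matches(g, user, fqn)
                   for g in self.grants)

    def entitle(self, actor: str, user: str, fqn: str, perms: FrozenSet[str]) -> int:
        """`actor` grants `perms` on the (user, fqn) pair; returns the tt of the grant.

        Assumption (not stated on the page): an actor with entitle on Fqn may grant
        any permission on that Fqn; granting on the wildcard Fqn "*" needs entitle on "*".
        """
        if not perms <= PERMS:
            raise ValueError(f"unknown permissions {sorted(perms - PERMS)}")
        if not self.allowed(actor, fqn, "entitle"):
            raise PermissionError(f"{actor} lacks entitle on {fqn}")
        self.clock += 1
        self.grants.append(Grant(user, fqn, frozenset(perms), self.clock))
        return self.clock


def demo() -> dict:
    """Walk through the rules on this page with constructed users and Fqns."""
    store = EntitlementStore()
    alice, carol, ops = "alice@example.com", "carol@example.com", "ops@example.com"
    out = {}
    out["default_deny"] = store.allowed(alice, "prices/eur", "read")
    t_grant = store.entitle(ADMIN, alice, "prices/eur", frozenset({"read", "entitle"}))
    out["after_grant"] = store.allowed(alice, "prices/eur", "read")
    # Bitemporality: the same read at the tt just before the grant is still denied.
    out["past_tt_still_denied"] = store.allowed(alice, "prices/eur", "read", tt=t_grant - 1)
    out["write_not_granted"] = store.allowed(alice, "prices/eur", "write")
    # Delegation: alice holds entitle on prices/eur, so she may entitle carol there...
    store.entitle(alice, carol, "prices/eur", frozenset({"read"}))
    out["delegated"] = store.allowed(carol, "prices/eur", "read")
    # ...but not on an Fqn she cannot entitle.
    try:
        store.entitle(alice, carol, "prices/usd", frozenset({"read"}))
        out["delegation_scoped"] = False
    except PermissionError:
        out["delegation_scoped"] = True
    # Wildcard pairs.
    store.entitle(ADMIN, ANY, "public/news", frozenset({"read"}))
    store.entitle(ADMIN, ops, ANY, frozenset({"read", "write"}))
    out["anyone_reads_public"] = store.allowed(carol, "public/news", "read")
    out["ops_writes_anything"] = store.allowed(ops, "prices/usd", "write")
    # admin-entitlements can entitle everything but reads nothing unless explicitly granted.
    out["admin_cannot_read"] = store.allowed(ADMIN, "prices/eur", "read")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The `past_tt_still_denied` check is the point of the Bitemporality section: the grant log is never rewritten, so re-running a historical query at its original tt gives the original answer. The `admin_cannot_read` check shows why leaving admin-entitlements without read or write keeps the separation of duties recommended above.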