Overview

If Kerberos authentication is enabled for the cluster (the cluster is in security mode), LakeSearch allows you to control access permission based on roles. If Kerberos authentication is disabled for the cluster (the cluster is in normal mode), you do not need to manage permission.

lakesearchgroup user group: LakeSearch administrator permission granted. Only users in this user group can create and delete knowledge bases.
LakeSearch role: permission to read, write, and operate specified knowledge bases. To use LakeSearch, you need to be granted a role with permission to create, delete, and update data in a knowledge base.

**Table 1** LakeSearch role permissions
Permission	Description
read	Knowledge base management View the basic information about a specified knowledge base, such as the knowledge base ID, name, status, creator, creation time, and update time. View the document list and detailed information. View FAQs, FAQ import list, and detailed information. View the list of structured data and detailed information. Dialog management: View dialog history, including the dialog ID, questions, usernames, and dialog start time. Experience platform: Search for documents, answer questions, and view the search content.
write	Perform all operations that require the read permission. Upload documents (doc, docx, pdf, and JSON structured data), create FAQs, and upload FAQs in batches. Set the number of top k recalls in a knowledge base, customize prompts, set the number of reference documents, and rank search results.
delete	Delete documents in a specified knowledge base.
operate	Enable and disable a knowledge base.