
Provisioning Profiles

Provisioning Profiles define what resources a team or domain is allowed to provision within Kadeck. They act as controlled templates or guardrails for initializing streaming services and infrastructure.

Provisioning Profiles are centrally managed by the platform team and can be:

  • Assigned to specific domains, enabling self-service for domain owners
  • Used system-wide, enforcing creation rules based on roles and organizational policy

They are designed to support both self-service and governed provisioning across the platform.

Warning: If a user lacks permission to create a topic, access a namespace, or provision a specific resource, the action will be blocked even if the provisioning profile includes it. This ensures that provisioning remains aligned with both governance rules and explicit security permissions.

Use Cases

  • Enable domain owners to provision compliant resources for new services
  • Enforce policy-driven topic creation (naming, configuration, retention, etc.)
  • Define reusable blueprints for streaming applications
  • Restrict and govern sensitive resource types like ACLs or database access

Assignment & Scope

Provisioning Profiles can be:

  • Domain-scoped:
    Assigned to specific domains. Domain owners can initialize services based on those profiles.
  • Global/system-wide:
    Applied across the platform as policy templates, used to enforce governance rules based on user roles or group membership.

Services and Resources

When a domain owner or service owner provisions a new service, the provisioning profile defines which resources are available for that service.

Info: Provisioning Profiles do not automatically create resources. They define what can be provisioned, not what is provisioned.

Resources

The following resource types can be provisioned as part of a provisioning profile. Please note that most resources are not provisioned automatically but at the discretion of the user or service owner. Think of a provisioning profile as guardrails. The user can then choose to create one, multiple or all resources that are available within a provisioning profile.

| Resource | Description |
|----------|-------------|
| Topics   | A provisioning profile defines one or more topic namespaces and allowed configurations (e.g., cleanup policy, retention, compaction). |
| ACLs     | A provisioning profile allows the definition of ACLs for consumer groups, transactions, or users. |
| Users    | Define whether application-level user credentials can be requested or automatically generated. |
| Database | Allow provisioning of a database (if integrated with an external DB service). |

Example Scenarios

  • A provisioning profile for the "Payments" domain allows topics with the prefix payments-, limits partitions to max 12, enforces compaction, and enables ACLs for team-specific consumer groups.
  • A global profile prohibits topic creation with fewer than 3 replicas and enforces 7-day retention for all new topics, regardless of the domain.
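
The two scenarios above, combined with the rule that explicit permissions are checked separately from the profile, can be modelled as follows. This is an added example, not Kadeck code: the `Profile` and `TopicRequest` classes, the `violations` function and the `topic:create` permission name are all hypothetical, and 7-day retention is assumed to be expressed in milliseconds.

```python
from dataclasses import dataclass
from typing import Optional

SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000

@dataclass(frozen=True)
class Profile:
    """Hypothetical guardrail model; not Kadeck's profile schema."""
    prefix: str = ""                       # required topic-name prefix
    max_partitions: Optional[int] = None
    min_replicas: Optional[int] = None
    cleanup_policy: Optional[str] = None   # enforced value, e.g. "compact"
    retention_ms: Optional[int] = None     # enforced value

@dataclass(frozen=True)
class TopicRequest:
    name: str
    partitions: int
    replicas: int
    cleanup_policy: str
    retention_ms: int

# The two profiles from the scenarios above.
PAYMENTS = Profile(prefix="payments-", max_partitions=12, cleanup_policy="compact")
GLOBAL = Profile(min_replicas=3, retention_ms=SEVEN_DAYS_MS)

def violations(req, profiles, permissions):
    """Return every reason the request is blocked; an empty list means allowed."""
    found = []
    # Permissions are checked separately: a profile that offers the resource
    # does not grant the right to create it.
    if "topic:create" not in permissions:  # hypothetical permission name
        found.append("user lacks topic:create permission")
    for p in profiles:  # the domain profile and the global profile both apply
        if not req.name.startswith(p.prefix):
            found.append(f"name must start with {p.prefix}")
        if p.max_partitions is not None and req.partitions > p.max_partitions:
            found.append(f"partitions exceed {p.max_partitions}")
        if p.min_replicas is not None and req.replicas < p.min_replicas:
            found.append(f"replicas below {p.min_replicas}")
        if p.cleanup_policy is not None and req.cleanup_policy != p.cleanup_policy:
            found.append(f"cleanup policy must be {p.cleanup_policy}")
        if p.retention_ms is not None and req.retention_ms != p.retention_ms:
            found.append(f"retention must be {p.retention_ms} ms")
    return found
```

A request is allowed only when `violations` returns an empty list for the domain profile and the global profile together; a compliant request from a user without the permission is still blocked.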