Database Permissions
How to set role permissions.
Set authentication and authorization on roles rather than on users. Both are role-based; the user commands are included only for legacy backwards compatibility.
Roles may be granted to other roles to create hierarchical permissions structures; in these hierarchies, permissions and SUPERUSER status are inherited, but the LOGIN privilege is not.
Permissions can be granted at any level of the database hierarchy and flow downwards. Keyspaces and tables are hierarchical as follows: ALL KEYSPACES > KEYSPACE > TABLE. Functions are hierarchical in the following manner: ALL FUNCTIONS > KEYSPACE > FUNCTION. ROLES can also be hierarchical and encompass other ROLES. Permissions can be granted on:
- CREATE - keyspace, table, function, role, index
- ALTER - keyspace, table, function, role
- DROP - keyspace, table, function, role, index
- SELECT - keyspace, table
- MODIFY - INSERT, UPDATE, DELETE, TRUNCATE - keyspace, table
- AUTHORIZE - GRANT PERMISSION, REVOKE PERMISSION - keyspace, table, function, and role
- DESCRIBE - LIST ROLES
- EXECUTE - SELECT, INSERT, UPDATE - functions
Note: To CREATE or DROP an index, ALTER permission on the base table is additionally required.
The permissions are extensive with many variations. A few examples are described below.
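The following CQL is an added example, not taken from the original documentation, showing a least-privilege role hierarchy in which permissions flow down from keyspace to table and are inherited through granted roles while LOGIN is not. The keyspace `sales`, the table `sales.orders`, all role names, and the password value are hypothetical placeholders.

```cql
-- Hypothetical objects: keyspace "sales", table "sales.orders".
-- All role names and the password are placeholders for illustration.

-- Base role: cannot log in, holds read access at the KEYSPACE level.
CREATE ROLE IF NOT EXISTS sales_read WITH LOGIN = false;
GRANT SELECT ON KEYSPACE sales TO sales_read;   -- flows down to every table in sales
GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE sales TO sales_read;

-- Narrower role: write access to a single TABLE only.
CREATE ROLE IF NOT EXISTS orders_write WITH LOGIN = false;
GRANT MODIFY ON TABLE sales.orders TO orders_write;

-- Build the hierarchy: orders_write inherits everything sales_read holds.
GRANT sales_read TO orders_write;

-- Login role for a service. LOGIN is set here explicitly because it is
-- not inherited from or passed on to other roles in the hierarchy.
CREATE ROLE IF NOT EXISTS order_svc
  WITH PASSWORD = 'REPLACE_WITH_SECRET' AND LOGIN = true;
GRANT orders_write TO order_svc;

-- Auditor role: may list roles, but has no data access.
CREATE ROLE IF NOT EXISTS role_auditor WITH LOGIN = false;
GRANT DESCRIBE ON ALL ROLES TO role_auditor;

-- Verification: effective permissions, including inherited ones.
LIST ALL PERMISSIONS OF order_svc;

-- Verification: only permissions granted directly to order_svc
-- (expected to be empty, since everything arrives via roles).
LIST ALL PERMISSIONS OF order_svc NORECURSIVE;

-- Verification: which roles order_svc has been granted, transitively.
LIST ROLES OF order_svc;

-- Tightening: removing the keyspace-level grant from the base role
-- removes read access for every role that inherited it.
REVOKE SELECT ON KEYSPACE sales FROM sales_read;
```

Comparing the recursive and `NORECURSIVE` listings is a quick audit check: a login role that shows direct grants has bypassed the role hierarchy.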