RESTRICT
Use RESTRICT to deny a role access to a data resource, that is, a keyspace or table. RESTRICT denies access even if permission to access the resource has been granted or inherited.
However, regardless of how you use |
If your goal is that certain database administrators should not be able to see or modify data, do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data.
See also Restricting access to data.
Synopsis
RESTRICT <permission> ON [<keyspace_name>.]<table_name> TO <role_name> ;
Syntax legend
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
| | Variable value. Replace with a user-defined value. |
| | Optional. Square brackets ( |
| | Group. Parentheses ( |
| | Or. A vertical bar ( |
| | Repeatable. An ellipsis ( |
| | Single quotation ( |
| | Map collection. Braces ( |
| | Set, list, map, or tuple. Angle brackets ( |
| | End CQL statement. A semicolon ( |
| | Separate the command line options from the command arguments with two hyphens ( |
| | Search CQL only: Single quotation marks ( |
| | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- permission
  A comma-separated list of permissions that the role is prevented from using on the resource, even if the permission is granted. The permission types are: ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY (deprecated), SELECT, TRUNCATE, or UPDATE (allows INSERT, UPDATE, or DELETE).
- resource
  Database object to which the permission is denied. Restriction is applied using the modeled hierarchy as follows:
  - ALL KEYSPACES - restricts access to every keyspace and table.
  - KEYSPACE <keyspace_name> - restricts access on the keyspace and any table it contains.
  - TABLE <table_name> - restricts access on the table and all the data it contains.
Examples
Prevent the role admin from seeing any data in the cycling keyspace:
RESTRICT TRUNCATE, UPDATE, SELECT
ON KEYSPACE cycling
TO role_admin;
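
The administrator pattern described at the top of this page, written out end to end as an added CQL example (it is not from the original page). The role name dba_ops, the password placeholder and the table cycling.cyclist_name are assumptions, and the statements are meant to be run by a role that is allowed to create roles and authorize permissions.

```cql
-- Added example. dba_ops, the password placeholder and
-- cycling.cyclist_name are assumptions, not names from the page.

-- 1. Login role for the administrator. SUPERUSER is deliberately not set.
CREATE ROLE dba_ops WITH LOGIN = true AND PASSWORD = '<choose-a-password>';

-- 2. Allow schema management on every keyspace, one permission per
--    statement so each grant can be revoked on its own.
GRANT CREATE ON ALL KEYSPACES TO dba_ops;
GRANT ALTER  ON ALL KEYSPACES TO dba_ops;
GRANT DROP   ON ALL KEYSPACES TO dba_ops;

-- 3. Allow role management.
GRANT CREATE ON ALL ROLES TO dba_ops;
GRANT ALTER  ON ALL ROLES TO dba_ops;
GRANT DROP   ON ALL ROLES TO dba_ops;

-- 4. Deny reading and changing data in the cycling keyspace. Per the
--    resource hierarchy, this covers the keyspace and any table it contains.
RESTRICT TRUNCATE, UPDATE, SELECT ON KEYSPACE cycling TO dba_ops;

-- 5. A later grant on a table inside the keyspace does not reopen access:
--    the restriction applies even if the permission has been granted.
GRANT SELECT ON TABLE cycling.cyclist_name TO dba_ops;

-- 6. Review what the role now holds.
LIST ALL PERMISSIONS OF dba_ops;

-- 7. Verification, to be run in a session logged in as dba_ops.
--    The read is expected to be rejected as unauthorized.
-- SELECT * FROM cycling.cyclist_name LIMIT 1;

-- 8. To lift the restriction later, DSE's counterpart command is UNRESTRICT.
-- UNRESTRICT TRUNCATE, UPDATE, SELECT ON KEYSPACE cycling FROM dba_ops;
```

Step 5 is the check worth keeping in a review script: if a read by dba_ops ever succeeds after it, the restriction in step 4 is missing or was lifted.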