
Managing roles

Use the DevOps API to create, modify, and delete roles for your organization.

You can use the DevOps API to perform the actions your role permissions allow.

Use a token with the Organization Administrator role, which by default has the correct set of permissions to manage your organization. Or create a custom role that includes Organization Administrator. Do not use the Database Administrator role; it lacks the permissions needed to manage your organization.

Prerequisites

  1. Create an application token to authenticate your service account in the DevOps API.

  2. Once you have authenticated your service account, you can create, update, and delete roles in the DevOps API.

Creating a new role

  1. Submit a GET query to check existing roles within the organization to ensure you don’t duplicate roles:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    [
    	{"ID":"3fb93abd-7abe-4a3d-9f71-9ded80070a4a",
    	"Name":"API Admin Svc Acct",
    	"Type":"default","policy":"
    		{\"description\":\"API Admin Svc Acct\",
    		\"actions\":[
    			\"accesslist-read\",
    			\"org-billing-read\",
    			\"org-billing-write\",
    			\"org-user-read\",
    			\"org-user-write\",
    			\"org-db-create\",
    			\"org-db-passwordreset\",
    			\"org-db-view\",
    			\"org-db-terminate\",
    			\"org-db-suspend\",
    			\"org-db-addpeering\",
    			\"org-db-managemigratorproxy\",
    			\"org-db-expand\",
    			\"db-all-keyspace-create\",
    			\"db-all-keyspace-describe\",
    			\"db-keyspace-grant\",
    			\"db-keyspace-modify\",
    			\"db-keyspace-describe\",
    			\"db-keyspace-create\",
    			\"db-keyspace-authorize\",
    			\"db-keyspace-alter\",
    			\"db-keyspace-drop\",
    			\"db-table-select\",
    			\"db-table-grant\",
    			\"db-table-modify\",
    			\"db-table-describe\",
    			\"db-table-create\",
    			\"db-table-authorize\",
    			\"db-table-alter\",
    			\"db-table-drop\",
    			\"db-graphql\",\"db-rest\"],
    		\"effect\":\"allow\",
    		\"resources\":
    			[\"drn:astra:org:__ORG_ID__\",
    			\"drn:astra:org:__ORG_ID__:db:*\",
    			\"drn:astra:org:__ORG_ID__:db:*:keyspace:*\",
    			\"drn:astra:org:__ORG_ID__:db:*:keyspace:*:table:*\"]}"}
    ]

  2. Create a new role for your organization:

    cURL command (/v2):

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/roles' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
        	"name":"<roleName>",
        	"policy": {
        	  "description": "Create and describe keyspaces",
        	  "resources": ["drn:astra:org:<organizationId>"],
        	  "actions": ["db-all-keyspace-create", "db-all-keyspace-describe"],
        	  "effect": "allow"}
        }'

    Result:

    {
    	"OrgID":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
    	"ID":"b125f9ab-675e-4bc7-9306-5e50a05b7c56",
    	"Name":"keyspaceRole",
    	"Policy":"{
    		\"description\":\"keyspaces\",
    		\"resources\":[\"drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510\"],
    		\"actions\":[\"db-all-keyspace-create\",\"db-all-keyspace-describe\"],
    		\"effect\":\"allow\"
    		}",
    	"LastUpdateDateTime":"",
    	"LastUpdateUserID":"wsbCtHyXCfuSHkiKbYWHsYZa"
    }

    If a role with the same name already exists, you’ll get an error when trying to create the new role: "unable to create role".

    You can assign actions to the following resources to determine the available permissions for the custom role you create:

    The table below lists, for each group of permissions, the resource assignment options and the applicable actions.

    Organization permissions (org-)

    Resource assignment options:

    • drn:astra:org:<organizationId>

    Applicable actions:

    • org-audits-read
    • org-billing-read
    • org-billing-write
    • org-external-auth-read
    • org-external-auth-write
    • org-notification-write
    • org-read
    • org-role-delete
    • org-role-read
    • org-role-write
    • org-token-read
    • org-token-write
    • org-user-read
    • org-user-write
    • org-write
    • accesslist-read
    • accesslist-write

    Database permissions (org-db)

    Resource assignment options:

    • drn:astra:org:<organizationId>:db:*
    • drn:astra:org:<organizationId>:db:<databaseId>

    Applicable actions:

    • db-cql
    • db-graphql
    • db-rest
    • org-db-addpeering
    • org-db-create
    • org-db-expand
    • org-db-managemigratorproxy
    • org-db-passwordreset
    • org-db-suspend
    • org-db-terminate
    • org-db-view

    Keyspace permissions (db-keyspace)

    Resource assignment options:

    • drn:astra:org:<organizationId>:db:*:keyspace:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>

    Applicable actions:

    • db-all-keyspace-create
    • db-all-keyspace-describe
    • db-keyspace-alter
    • db-keyspace-authorize
    • db-keyspace-create
    • db-keyspace-describe
    • db-keyspace-drop
    • db-keyspace-grant
    • db-keyspace-modify

    Table permissions (db-table)

    Resource assignment options:

    • drn:astra:org:<organizationId>:db:*:keyspace:*:table:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:*:table:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>:table:*

    Applicable actions:

    • db-table-alter
    • db-table-authorize
    • db-table-create
    • db-table-describe
    • db-table-drop
    • db-table-grant
    • db-table-modify
    • db-table-select

    If you grant access to a specified keyspace, the following permissions are allowed:

    • All actions for database access (org-db or db actions) are granted for the entire database, even if access is granted to only a single keyspace in the database.

    • Keyspace-specific access is granted for all db-keyspace actions.

    • Table-specific access is granted for all tables belonging to the specified keyspace.

    For example, to create a custom role that lets users call the REST and GraphQL APIs and also modify tables, use the following call:

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/roles' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
      	"name":"apiRole",
      	"policy": {
      	  "description": "Access to REST and GraphQL APIs, modify tables",
      	  "resources": ["drn:astra:org:<organizationId>", "drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>:table:*"],
      	  "actions": ["db-graphql", "db-rest", "db-table-modify"],
      	  "effect": "allow"}
        }'

    Using * for the table name lets the role modify all tables within the specified keyspace. To grant the modify permission on a single table, replace * with the <tableName> in the resource.
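    The two checks above (look for an existing role before creating one, and know which scope each action really applies to) can be automated. The following is an added example, not DataStax's code: it parses a role listing (note that the policy field arrives as a JSON string inside the JSON body), finds a role by name, and flags db-level actions that will apply to the whole database because the policy names only keyspace- or table-level DRNs. The listing is a constructed sample in the shape of the GET result above; the level classification follows the permissions table.

```python
import json
# Resource level each action family is attached to, per the permissions table above;
# anything else (org-*, accesslist-*) belongs to the organization resource.
ACTION_LEVELS = (("db-table-", "table"), ("db-keyspace-", "keyspace"), ("db-all-keyspace-", "keyspace"),
                 ("org-db-", "db"), ("db-cql", "db"), ("db-graphql", "db"), ("db-rest", "db"))

def action_level(action):
    return next((lv for prefix, lv in ACTION_LEVELS if action.startswith(prefix)), "org")

def drn_level(drn):
    """Scope of a DRN (org, db, keyspace or table), from its most specific segment."""
    return next((lv for lv in ("table", "keyspace", "db") if f":{lv}:" in drn), "org")

def parse_roles(body):
    """Parse the GET /roles listing; the policy field is itself JSON encoded as a string."""
    roles = []
    for role in json.loads(body):
        policy = role.get("policy", role.get("Policy"))
        if isinstance(policy, str):
            policy = json.loads(policy)
        roles.append({"id": role["ID"], "name": role["Name"], "policy": policy})
    return roles

def find_role(roles, name):
    """Existing role with this name, so a duplicate POST is skipped instead of failing."""
    return next((r for r in roles if r["name"] == name), None)

def database_wide_actions(policy):
    """db-level actions that apply to the whole database because only narrower DRNs are named."""
    levels = {drn_level(r) for r in policy["resources"]}
    if "db" in levels or not levels & {"keyspace", "table"}:
        return []
    return sorted(a for a in policy["actions"] if action_level(a) == "db")

# The apiRole policy from this page, placeholders kept as-is.
API_ROLE_POLICY = {
    "description": "Access to REST and GraphQL APIs, modify tables",
    "resources": ["drn:astra:org:<organizationId>",
                  "drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>:table:*"],
    "actions": ["db-graphql", "db-rest", "db-table-modify"], "effect": "allow"}

# Constructed sample listing in the shape of the page's GET result (shortened).
SAMPLE_LISTING = json.dumps([
    {"ID": "3fb93abd-7abe-4a3d-9f71-9ded80070a4a", "Name": "API Admin Svc Acct", "policy": json.dumps(
        {"actions": ["org-db-terminate", "db-rest"], "effect": "allow",
         "resources": ["drn:astra:org:__ORG_ID__", "drn:astra:org:__ORG_ID__:db:*"]})},
    {"ID": "b125f9ab-675e-4bc7-9306-5e50a05b7c56", "Name": "keyspaceRole", "Policy": json.dumps(
        {"actions": ["db-all-keyspace-create", "db-all-keyspace-describe"], "effect": "allow",
         "resources": ["drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510"]})}])
```

    For the apiRole policy the check reports db-graphql and db-rest, the actions whose reach is the entire database even though the policy mentions a single keyspace's tables.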

  3. Confirm that the role was created with the necessary permissions:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    {
    	"ID":"b125f9ab-675e-4bc7-9306-5e50a05b7c56",
    	"Name":"keyspaceRole",
    	"policy":"{
    		\"description\":\"keyspaces\",
    		\"resources\":[\"drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510\"],
    		\"actions\":[\"db-all-keyspace-create\",\"db-all-keyspace-describe\"],
    		\"effect\":\"allow\"
    	}"
    }

For more, see Create a role in an organization in the DevOps API.

Updating a role

  1. If you need to make changes to the permissions for an existing role, you can change the policy:

    curl --request PUT \
      --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
      	"name":"<roleName>",
      	"policy": {
      	  "description": "Create and describe keyspaces",
      	  "resources": ["drn:astra:org:<organizationId>"],
      	  "actions": ["db-all-keyspace-create", "db-all-keyspace-describe"],
      	  "effect": "allow"}
        }'
  2. Confirm that the role was updated with the necessary permissions:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    {
    	"OrgID":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
    	"ID":"b125f9ab-675e-4bc7-9306-5e50a05b7c56",
    	"Name":"newRoleName",
    	"Policy":"{
    		\"description\":\"keyspaces\",
    		\"resources\":[\"drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510\"],
    		\"actions\":[\"db-all-keyspace-create\",\"db-all-keyspace-describe\"],
    		\"effect\":\"allow\"
    		}",
    	"LastUpdateDateTime":"",
    	"LastUpdateUserID":"wsbCtHyXCfuSHkiKbYWHsYZa"
    }

For more, see Update a role within an organization in the DevOps API.

Deleting a custom role

When you delete a custom role, all users and tokens assigned to that role will no longer have access.

  1. Delete a custom role to revoke access based on that role:

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'
  2. Confirm that the role no longer exists:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    "unable to get role for organization"

For more, see Delete a role by ID in the DevOps API.

What’s next?

Learn how to manage tokens using the DevOps API.
