• Glossary
  • Support
  • Downloads
  • DataStax Home
Get Live Help
Expand All
Collapse All

DataStax Astra DB Classic Documentation

    • Overview
      • Release notes
      • Astra DB FAQs
      • Astra DB glossary
      • Get support
    • Getting Started
      • Grant a user access
      • Load and retrieve data
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
      • Connect a driver
      • Build sample apps
      • Use integrations
        • Connect with DataGrip
        • Connect with DBSchema
        • Connect with JanusGraph
        • Connect with Strapi
    • Planning
      • Plan options
      • Database regions
    • Securing
      • Security highlights
      • Security guidelines
      • Default user permissions
      • Change your password
      • Reset your password
      • Authentication and Authorization
      • Astra DB Plugin for HashiCorp Vault
    • Connecting
      • Connecting to a VPC
      • Connecting Change Data Capture (CDC)
      • Connecting CQL console
      • Connect the Spark Cassandra Connector to Astra
      • Drivers for Astra DB
        • Connecting C++ driver
        • Connecting C# driver
        • Connecting Java driver
        • Connecting Node.js driver
        • Connecting Python driver
        • Drivers retry policies
      • Connecting Legacy drivers
      • Get Secure Connect Bundle
    • Migrating
      • FAQs
      • Preliminary steps
        • Feasibility checks
        • Deployment and infrastructure considerations
        • Create target environment for migration
        • Understand rollback options
      • Phase 1: Deploy ZDM Proxy and connect client applications
        • Set up the ZDM Automation with ZDM Utility
        • Deploy the ZDM Proxy and monitoring
          • Configure Transport Layer Security
        • Connect client applications to ZDM Proxy
        • Manage your ZDM Proxy instances
      • Phase 2: Migrate and validate data
      • Phase 3: Enable asynchronous dual reads
      • Phase 4: Change read routing to Target
      • Phase 5: Connect client applications directly to Target
      • Troubleshooting
        • Troubleshooting tips
        • Troubleshooting scenarios
      • Additional resources
        • Glossary
        • Contribution guidelines
        • Release Notes
    • Managing
      • Managing your organization
        • User permissions
        • Pricing and billing
        • Audit Logs
        • Configuring SSO
          • Configure SSO for Microsoft Azure AD
          • Configure SSO for Okta
          • Configure SSO for OneLogin
      • Managing your database
        • Create your database
        • View your databases
        • Database statuses
        • Use DSBulk to load data
        • Use Data Loader in Astra Portal
        • Monitor your databases
        • Manage multiple keyspaces
        • Using multiple regions
        • Terminate your database
        • Resize your classic database
        • Park your classic database
        • Unpark your classic database
      • Managing with DevOps API
        • Managing database lifecycle
        • Managing roles
        • Managing users
        • Managing tokens
        • Managing multiple regions
        • Get private endpoints
        • AWS PrivateLink
        • Azure PrivateLink
        • GCP Private Service
    • Astra CLI
    • Developing with Stargate APIs
      • Develop with REST
      • Develop with Document
      • Develop with GraphQL
        • Develop with GraphQL (CQL-first)
        • Develop with GraphQL (Schema-first)
      • Develop with gRPC
        • gRPC Rust client
        • gRPC Go client
        • gRPC Node.js client
        • gRPC Java client
      • Develop with CQL
      • Tooling Resources
      • Node.js Document API client
      • Node.js REST API client
    • Stargate QuickStarts
      • Document API QuickStart
      • REST API QuickStart
      • GraphQL API CQL-first QuickStart
    • API References
      • DevOps REST API v2
      • Stargate Document API v2
      • Stargate REST API v2
  • DataStax Astra DB Classic Documentation
  • Managing
  • Managing your organization

Managing your Astra DB organization

As an administrator, you can manage your database and organization. This includes the following tasks:

Add organizations in Astra DB

Creating multiple organizations in DataStax Astra DB is useful for segmenting groups of users and creating various environments.

  1. From any page in Astra DB, select the Organizations dropdown.

    Organization Selection
  2. In the main dropdown, select Manage Organizations.

  3. Select Add Organization. The Add Organization window opens.

    • Enter the name and email address for your new organization.

    • Select Add to add the new organization.

The organization is added to the list. An email is sent to the email address entered for the organization owner.

Invite users to an organization

Invite users to join your organization and provide them with access based on the selected role.

  1. From any page in Astra DB, select the Organizations dropdown.

    Organization Selection
  2. In the main dropdown, select Organization Settings.

  3. From User Management, select Invite User.

  4. Enter the email address for the user you want to invite for the specific user role. If adding multiple users, separate the email addresses with commas, spaces, or line breaks.

  5. Select the user role(s) for the user(s) you are inviting. Multiple roles are available within each group of roles for Organization Access, Database, Keyspace, or Table Access, and API Access.

  6. Select Invite Users to send email invitations to the users at their email address.

Invited users are listed as pending until they accept the invitation to join your organization.

Manage user permissions

Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.

You can manage roles using the DataStax Astra DB user interface or the DevOps API.

Which default roles are available?

Default Operational Roles

The default roles address four types of operational users and three levels of access.

This matrix show how the four types of operational users with each of the three levels of access:

User API User User Service Account API Service Account

Admin

Administrator User

API Administrator User

Administrator Svc Acct

API Administrator Svc Acct

Read Only

RO User

API RO User

RO Svc Acct

API RO Svc Acct

Read/Write

R/W User

API R/W User

R/W Svc Acct

API R/W Svc Acct

Service Account Roles are limited from listing users and databases. API Roles limit CQL access.

Default Special Roles

In addition to the operational roles, four special default roles exist:

  • Organization Administrator: Super User

  • Database Administrator: Full access to CRUD organizations and databases

  • UI View Only: Read only access to view organizations and databases

  • Billing Admin: Billing only access

Operational Roles Detail

User Roles

Role name Console name DevOps API Parameters

Admin User

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Organization,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-read,
org-user-read,
org-user-write

RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

API User Roles

Role name Console name DevOps API Parameters

API Admin User

Read IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

accesslist-read,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

API R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

User Service Account Roles

Role name Console name DevOps API Parameters

Admin Svc Acct

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

API Service Account Roles

Role name Console name DevOps API Parameters

API Admin Svc Acct

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

API R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

Special Roles Detail

Billing Admin

The Billing Admin role provides only access to view the billing information for Astra DB services. This role has no management capabilities nor access to data.

Console name DevOps API Parameters

Read Billing,
Write Billing,
View DB,
Read User

org-billing-read,
org-billing-write,
org-db-view,
org-user-read

Database Administrator

The Database Administrator role is designed to effectively manage organizations and the databases using CRUD. This role does not have the ability to view billing, mange role-based access control (RBAC), or manage users.

Console name DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Token,
Write Token,
Read User

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-token-read,
org-token-write,
org-user-read

Organization Administrator

The Organization Administrator role is the most permissive default role.

Console name DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Audits,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read External Auth,
Write External Auth,
Notification Write,
Read Organization,
Delete Custom Role,
Read Custom Role,
Write Custom Role,
Read Token,
Write Token,
Read User,
Write User,
Write Organization

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-audits-read,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-external-auth-read,
org-external-auth-write,
org-notification-write,
org-read,
org-role-delete,
org-role-read,
org-role-write,
org-token-read,
org-token-write,
org-user-read,
org-user-write,
org-write

UI View Only

The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.

Console name DevOps API Parameters

Read IP Access List,
View DB,
Read User

accesslist-read,
org-db-view,
org-user-read

Custom permissions

The tables below contain detailed descriptions of each of the permissions available in Astra DB and can be used to get more detail on the permissions assigned to the roles above.

Organization permissions

Console name Description DevOps API parameter

View DB

See a database in a list of databases or Astra Portal.

org-db-view

Create DB

Create a database using the DevOps API or Astra Portal.

org-db-create

Terminate DB

Permanently delete a database and all of of its data using the DevOps API or Astra Portal.

org-db-terminate

Expand DB

Classic only: Resize a database using the DevOps API or Astra Portal to add more capacity units.

org-db-expand

Reset Password

Reset the password for a classic database.

org-db-passwordreset

Manage Migrator Proxy

Add and remove the migrator proxy from a db.

org-db-managemigratorproxy

Read Audits

Enables read and download audits.

org-audits-read

Write Billing

Enables links and ability to add or edit billing payment info.

org-billing-write

Write IP Access List

Create or modify an access list using the DevOps API or Astra Portal.

accesslist-write

Manage Region

Add, create, or remove a region using the DevOps API or Astra Portal.

db-manage-region

Write User

Add, create, or remove a user using the DevOps API or Astra Portal.

org-user-write

Write Organization

Create new organizations or delete an existing organization. Hides manage org and org settings.

org-write

Write Custom Role

Create custom role.

org-role-write

Write External Auth

Update security settings related to external auth providers.

org-external-auth-write

Write Token

Create application token.

org-token-write

Read Billing

Enables links and access to billing details page.

org-billing-read

Read IP Access List

Enables links and access to acess list page.

accesslist-read

Read User

Access to viewing users of an organization.

org-user-read

Read Organization

View organization in Astra Portal.

org-read

Read Custom Role

See a custom role and its associated permissions.

org-role-read

Read External Auth

See security settings related to external authentication providers.

org-external-auth-read

Read Token

Read token details.

org-token-read

Delete Custom Role

Delete of custom role.

org-role-delete

Add Peering

Create of VPC peering connection.

org-db-addpeering

Notification Write

Enable or disable notifications in organization notification settings.

org-notification-write

Keyspace permissions

Console name Description DevOps API parameter

Alter Keyspace

Make changes to a specified keyspace.

db-keyspace-alter

Describe Keyspace

Get a list of tables within a specified keyspace.

db-keyspace-describe

Modify Keyspace

Access or modify a keyspace.

db-keyspace-modify

Authorize Keyspace

Give access to specified keyspace.

db-keyspace-authorize

Drop Keyspace

Remove keyspace. Available in only Astra Portal.

db-keyspace-drop

Create Keyspace

Create keyspace. Available in only Astra Portal.

db-keyspace-create

Grant Keyspace

Grant specific permissions for specified keyspace.

db-keyspace-grant

API access permissions

Console name Description DevOps API parameter

Access GraphQL API

Connect to database via GraphQL API.

db-graphql

Access REST

Connect to database via REST API.

db-rest

Access CQL

Connect to database via CQL.

db-cql

Which role should I assign a user?

Database Access Method Roles

Astra User Interface access

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Developer Administrator

  • Developer Read/Write

  • Developer Read Only

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

GraphQL, REST, and Document API access based on database access permissions

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

  • API Administrator User

  • API Read/Write User

  • API Read Only User

  • API Administrator Service Account

  • API Read/Write Service Account

  • API Read Only Service Account

Data Loader access based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

dsbulk access based on database access permissions

  • Read/Write Service Account

  • Read Only Service Account

DevOps API access based on database access permissions

  • Organization Administrator

  • Database Administrator

Drivers based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

Manage access list for IP addresses and CIDR

  • Organization Administrator

  • Database Administrator

Manage application tokens

Application tokens allow you to connect to your database from your application using the Document, REST, and GraphQL APIs for DataStax Astra DB.
As of 4 March 2021, your Astra DB username and password will not work for your database. You will need to use an application token to connect to your database.

Create application token

You can also create an application token using the DevOps API.

  1. From any page in Astra DB, select the Organizations dropdown.

    Organization Selection
  2. In the main dropdown, select Organization Settings.

  3. From your Organization page, select Token Management.

  4. Select the role you want to attach to your token. The permissions for your selected role will be displayed.

  5. Select Generate Token. Astra DB will generate your token and display the Client ID, Client Secret, and Token.

  6. Download your Client ID, Client Secret, and Token.

After you navigate away from the page, you won’t be able to download your Client ID, Client Secret, and Token again. These tokens do not automatically expire, but can be destroyed in case they are compromised or no longer needed.

You can now use your token to connect to the Astra DB APIs. See more about the available APIs:

  • Document API

  • REST API

  • GraphQL CQL first API

  • GraphQL Schema first API

You can use your Client ID and Client Secret to connect to your database. See more about the available connection options:

  • Standalone CQL shell

  • Connecting C++ driver

  • Connecting C# driver

  • Connecting Java driver

  • Connecting Node.js driver

  • Connecting Python driver

  • Connecting Legacy drivers

Set environment variables

In your command-line interface associated with your environment, paste the following environment variables copied for your Astra DB database:

export ASTRA_DB_ID=<database_id>
export ASTRA_DB_REGION=<database_region>
export ASTRA_DB_KEYSPACE=<keyspace_name>
export ASTRA_DB_APPLICATION_TOKEN=<app_token>

Delete application token

If you need to limit access to your database, you can delete an application token.

  1. Select the overflow menu for the application token you want to delete.

  2. Select Delete to delete that application token.

  3. If necessary, generate a new application token for the same user role.

Authenticating classic databases

This information applies to only classic databases.

Classic databases were created before 4 March 2021. These databases have fixed compute and storage capabilities and do not include the latest authentication version.

To authenticate your DataStax Astra DB classic database, generate an authorization token. You’ll use this token to authenticate with your database and make additional requests, such as creating tables or adding rows.

Use the authorization endpoint to generate the token. For the following examples, we’ll use cURL commands. If you’re making requests from your application, use the code samples described in the authorization endpoint details.

The authorization token is active for 30 minutes from the most recent request made. If no request has been made within 30 minutes, the authorization token expires.

  1. Open a browser, navigate to Astra DB, and log in.

  2. From your Dashboard page, select your database.

  3. Copy the Cluster ID of your database. You can also find the Cluster ID in the URL, which is the last UUID in the path: https://astra.datastax.com/org/{org-Id}/database/{databaseid}

  4. Add the Cluster ID as an environment variable with the following command:

  • Set environment variable

  • Example

export ASTRA_CLUSTER_ID={databaseid}
export ASTRA_CLUSTER_ID=b5285f63-8da5-4c6e-afd8-ade371a48795
  1. Copy the Region of your database, the region where your database is located.

  2. Add the Region as an environment variable with the following command:

  • Set environment variable

  • Example

export ASTRA_CLUSTER_REGION={region}
export ASTRA_CLUSTER_REGION=us-east1
  1. Add your username, keyspace, and your password as environment variables with the following command:

  • Set environment variable

  • Example

export ASTRA_DB_USERNAME={username}
export ASTRA_DB_KEYSPACE={keyspace}
export ASTRA_DB_PASSWORD={password}
export ASTRA_DB_USERNAME=john.smith@datastax.com
export ASTRA_DB_KEYSPACE=users
export ASTRA_DB_PASSWORD=P@ssw0rd
  1. Use printenv to ensure the environment variables were exported.

  2. Run the entire cURL command with the values for your database:

    • Replace db_username with your database username.

    • Replace db_password with your database password.

    • Optional: Add a unique UUID for the authorization request:

curl --request POST \\
 --url https://${ASTRA_CLUSTER_ID}-${ASTRA_CLUSTER_REGION}.apps.astra.datastax.com/api/rest/v1/auth \
 --header 'Content-Type: application/json' \
 --data '{"username":"'"$ASTRA_DB_USERNAME"'", "password":"'"$ASTRA_DB_PASSWORD"'"}'
 --header 'x-cassandra-request-id: {unique-UUID}

Consider using a tool like this Online UUID generator to quickly create a random UUID to pass with your authorization request.

An authorization token is returned:

{"authToken": "37396a44-dcb8-4740-a97f-79f0dba47973"}
  1. Copy the value of the returned authToken and store the authorization token in the ASTRA_AUTHORIZATION_TOKEN environment variable:

  • Set environment variable

  • Example

export ASTRA_AUTHORIZATION_TOKEN={authToken}
export ASTRA_AUTHORIZATION_TOKEN=37396a44-dcb8-4740-a97f-79f0dba47973

The authorization token must be included when making requests to your database, such as creating tables, adding rows, or modifying columns.

  1. If the authorization token expires, generate a new authorization token and update it in the ASTRA_AUTHORIZATION_TOKEN environment variable.

What’s next?

You can now use your token to connect to the Astra DB APIs. See more about the available APIs:

  • Document API

  • REST API

  • GraphQL CQL first API

  • GraphQL Schema first API endif::[]

Manage custom roles

Within Role Management, you can see the permissions for a specific role by hovering over the number in the Permissions column of the table. This will show the permissions granted to the role.

Roles

If the default roles don’t meet your requirements, you can use custom roles that meet your organizational needs.

Create custom role

You can also create custom roles using the DevOps API.

  1. From any page in Astra DB, select the Organizations dropdown.

  2. In the main dropdown, select the organization for which you want to add your custom role.

  3. From your Organization page, select Role Management.

  4. Select Add Custom Role.

  5. Enter the name you want to use for your custom role. This name should help you easily identify when you want to assign this role to users.

  6. Select the Organization, Keyspace, Table, and API permissions you want to assign to your custom role.

    If you want users with this role to be able to see the Astra DB user interface, make sure you select Read User and View DB permissions.

  7. If you want to apply your selected permissions to specific databases or keyspaces, toggle the switch to not apply the permissions to all databases in an organization. Then select the specific databases or keyspaces to which you want to apply the permissions.

  8. Once you have selected your permissions, select Create Role.

To see your custom roles, select Role Management within your Organization. You can now invite users using your new custom role.

Edit user roles

  1. From your Organization page, select Role Management.

  2. Select Edit Role from the overflow menu for the custom role you want to update.

  3. When editing the role, you can edit the name, permissions, database, and keyspace.

  4. Once you have updated your permissions, select Edit Role.

Your updated custom role will show up in Role Management within your Organization.

Pricing and billing

Learn about the pricing model and billing structure for DataStax Astra DB serverless and databases.

Classic pricing

Classic databases can no longer be created through Astra Portal. We recommend migrating your database to our current serverless option, which could save you money and allow you to manage your compute and storage capabilities separately.

Pricing for Astra DB classic databases is based on plan, units of measure, cloud provider, and region.

The cost of your classic Astra DB database depends on the classic database plan you select. Classic Astra DB databases use a single capacity unit (CU) by default, which represents three database instances that are grouped together for three replicas. The classic database plan represents the amount of compute power allocated to each CU, and represents three compute instances per CU. Classic database pricing is presented in the DataStax Astra Portal in hourly terms, but billed in one-minute granularity.

In addition, all Astra Classic customers are charged additional data transfer cost as state below:

  • Data transfer (GB): the transfer of Customer Data out of the database. Billable units and pricing vary depending on whether the Data Transfer occurs within the same region of a cloud provider network (“Data Transfer - Same Region”), across regions within the same cloud provider network (“Data Transfer - Cross Region within Cloud Provider Network”), or leaves the cloud provider network over the internet (“Data Transfer - Internet”).

    • If data transfer is within the same region of the same Cloud Service Provider (e.g. application and database are both in AWS us-east-1), no data transfer charges are incurred, effective July 1, 2022.

Cloud providers and regions

You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers Standard, Premium and Premium+ regions. The cloud provider and region you select affects the price of each unit of measure for your database.

Effective July 1, 2022, there is no separate premium pricing for Astra Classic Multi-region. All Astra Classic customers are charged additional data transfer cost. Data Transfer pricing is the same as Astra Serverless pricing. For more details on the definitions of "Multi-Region" and "Data Transfer" as well as respective pricing, please visit the Astra Serverless pricing page.

Billing

Astra DB handles billing through an integration with Stripe, and displays all related billing information in the Billing & Payments section of your Organization.
In Billing & Payments, you can see your plan and payment method, along with when the plan was created. You can also select Manage to change your plan.

You can also update your payment method in the Billing & Payments section. Your Billing & Payments also displays each database included in your server, allowing you to see what your total cost is per database.

Managing payment methods

Optionally, update your payment method in the Billing & Payments section. Your Billing & Payments also displays each database included in your server, allowing you to see your total cost per database.

Update the payment method you entered when creating your DataStax Astra DB database. Before your monthly credit runs out, you must enter your credit card number and associated billing information to ensure your database remains accessible.

Enter updated credit card information and associated billing details, or delete the existing payment method.

Astra DB supports one payment method for each organization.

Updating your payment information

  1. From any page in Astra DB, select the Organizations dropdown.

OrgSelection
  1. In the main dropdown, select Organization Settings.

  2. From Billing & Payment, select Invite User.

    • From your Astra Dashboard, select Add Payment Method or Update beside the existing payment method.

    • In the Update Payment Method menu, confirm that you want to Update your payment method.

    • Enter the new billing information and Save.

Your payment method is updated. All future billing will use the new payment entered.

Prerequisites

Ensure your organization meets the following requirements to remove your payment method:

  • With no outstanding balance and no premium features, you can remove your payment method at any time. A dialog box appears to confirm you want to remove the payment method; select Remove Payment Method.

    want to remove payment

    A message appears that you have successfully removed the payment method. An email is also sent for your records.

  • If you have no outstanding balance and premium features, you must remove all of these features before you can proceed. Click the link for each premium feature (as shown below) to remove them.

    payment removal
  • If you have an outstanding balance and no premium features, you must wait until the next billing cycle to settle this account.

    ob features
  • If you have an outstanding balance and premium features, you must remove your premium features before you can remove your payment method. You must wait until the next billing cycle to settle this account.

    balance and features

Removing premium features

Each premium feature is unique and has specific instructions for removal. The following links offer instructions on removing the following premium features:

  • Private endpoints

    • AWS private endpoints

    • Azure private enddpoints

    • Google Cloud private endpoints

  • Managing multiple regions

Managing User permissions

General Inquiries: +1 (650) 389-6000 info@datastax.com

© DataStax | Privacy policy | Terms of use

DataStax, Titan, and TitanDB are registered trademarks of DataStax, Inc. and its subsidiaries in the United States and/or other countries.

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries.

Kubernetes is the registered trademark of the Linux Foundation.

landing_page landingpage