Managing roles

Use the DevOps API to create, modify, and delete roles for your organization.

You can use the DevOps API to perform the actions your role permissions allow.

Use a token with the Organization Administrator role, which by default has the correct set of permissions to manage your organization, or create a custom role that includes Organization Administrator. Do not use the Database Administrator role; it lacks the permissions needed to manage your organization.

Prerequisites

  1. Create an application token to authenticate your service account in the DevOps API.

  2. Once you have authenticated your service account, you can create, update, and delete roles in the DevOps API.

Creating a new role

  1. Submit a GET query to check existing roles within the organization to ensure you don’t duplicate roles:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    [
    	{"ID":"3fb93abd-7abe-4a3d-9f71-9ded80070a4a",
    	"Name":"API Admin Svc Acct",
    	"Type":"default","policy":"
    		{\"description\":\"API Admin Svc Acct\",
    		\"actions\":[
    			\"accesslist-read\",
    			\"org-billing-read\",
    			\"org-billing-write\",
    			\"org-user-read\",
    			\"org-user-write\",
    			\"org-db-create\",
    			\"org-db-passwordreset\",
    			\"org-db-view\",
    			\"org-db-terminate\",
    			\"org-db-suspend\",
    			\"org-db-addpeering\",
    			\"org-db-managemigratorproxy\",
    			\"org-db-expand\",
    			\"db-all-keyspace-create\",
    			\"db-all-keyspace-describe\",
    			\"db-keyspace-grant\",
    			\"db-keyspace-modify\",
    			\"db-keyspace-describe\",
    			\"db-keyspace-create\",
    			\"db-keyspace-authorize\",
    			\"db-keyspace-alter\",
    			\"db-keyspace-drop\",
    			\"db-table-select\",
    			\"db-table-grant\",
    			\"db-table-modify\",
    			\"db-table-describe\",
    			\"db-table-create\",
    			\"db-table-authorize\",
    			\"db-table-alter\",
    			\"db-table-drop\",
    			\"db-graphql\",\"db-rest\"],
    		\"effect\":\"allow\",
    		\"resources\":
    			[\"drn:astra:org:__ORG_ID__\",
    			\"drn:astra:org:__ORG_ID__:db:*\",
    			\"drn:astra:org:__ORG_ID__:db:*:keyspace:*\",
    			\"drn:astra:org:__ORG_ID__:db:*:keyspace:*:table:*\"]}"
    	}
    ]

  2. Create a new role for your organization:

    cURL command (/v2):

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/roles' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
        	"name":"<roleName>",
        	"policy": {
        	  "description": "Create and describe keyspaces",
        	  "resources": ["drn:astra:org:<organizationId>"],
        	  "actions": ["db-all-keyspace-create", "db-all-keyspace-describe"],
        	  "effect": "allow"}
        }'

    Result:

    {
    	"OrgID":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
    	"ID":"b125f9ab-675e-4bc7-9306-5e50a05b7c56",
    	"Name":"keyspaceRole",
    	"Policy":"{
    		\"description\":\"keyspaces\",
    		\"resources\":[\"drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510\"],
    		\"actions\":[\"db-all-keyspace-create\",\"db-all-keyspace-describe\"],
    		\"effect\":\"allow\"
    		}",
    	"LastUpdateDateTime":"",
    	"LastUpdateUserID":"wsbCtHyXCfuSHkiKbYWHsYZa"
    }

    If a role with the same name already exists, you’ll get an error when trying to create the new role: "unable to create role".

    You can assign actions to the following resources to determine the available permissions for the custom role you create:

    Each group of permissions lists its resource assignment options followed by its applicable actions.

    Organization permissions (org-)

    Resource assignment options:
    • drn:astra:org:<organizationId>

    Applicable actions:
    • org-audits-read
    • org-billing-read
    • org-billing-write
    • org-external-auth-read
    • org-external-auth-write
    • org-notification-write
    • org-read
    • org-role-delete
    • org-role-read
    • org-role-write
    • org-token-read
    • org-token-write
    • org-user-read
    • org-user-write
    • org-write
    • accesslist-read
    • accesslist-write

    Database permissions (org-db)

    Resource assignment options:
    • drn:astra:org:<organizationId>:db:*
    • drn:astra:org:<organizationId>:db:<databaseId>

    Applicable actions:
    • db-cql
    • db-graphql
    • db-rest
    • org-db-addpeering
    • org-db-create
    • org-db-expand
    • org-db-managemigratorproxy
    • org-db-passwordreset
    • org-db-suspend
    • org-db-terminate
    • org-db-view

    Keyspace permissions (db-keyspace)

    Resource assignment options:
    • drn:astra:org:<organizationId>:db:*:keyspace:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>

    Applicable actions:
    • db-all-keyspace-create
    • db-all-keyspace-describe
    • db-keyspace-alter
    • db-keyspace-authorize
    • db-keyspace-create
    • db-keyspace-describe
    • db-keyspace-drop
    • db-keyspace-grant
    • db-keyspace-modify

    Table permissions (db-table)

    Resource assignment options:
    • drn:astra:org:<organizationId>:db:*:keyspace:*:table:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:*:table:*
    • drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>:table:*

    Applicable actions:
    • db-table-alter
    • db-table-authorize
    • db-table-create
    • db-table-describe
    • db-table-drop
    • db-table-grant
    • db-table-modify
    • db-table-select

    If you grant access to a specified keyspace, the following permissions are allowed:

    • All actions for database access (org-db or db actions) are granted for the entire database, even if access is granted to only a single keyspace in the database.

    • Keyspace-specific access is granted for all db-keyspace actions.

    • Table-specific access is granted for all tables belonging to the specified keyspace.

    For example, to create a custom role that lets users call the REST and GraphQL APIs and also modify tables, use the following call:

    curl --request POST \
      --url 'https://api.astra.datastax.com/v2/organizations/roles' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
      	"name":"apiRole",
      	"policy": {
      	  "description": "Access to REST and GraphQL APIs, modify tables",
      	  "resources": ["drn:astra:org:<organizationId>", "drn:astra:org:<organizationId>:db:<databaseId>:keyspace:<keyspaceName>:table:*"],
      	  "actions": ["db-graphql", "db-rest", "db-table-modify"],
      	  "effect": "allow"}
        }'

    Because the resource ends in the * wildcard, the role can modify all tables within the specified keyspace. To grant the modify permission on a single table instead, replace * with the <tableName> in the resource.

  3. Confirm that the role was created with the necessary permissions:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    {
    	"ID":"b125f9ab-675e-4bc7-9306-5e50a05b7c56",
    	"Name":"keyspaceRole",
    	"policy":"{
    		\"description\":\"keyspaces\",
    		\"resources\":[\"drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510\"],
    		\"actions\":[\"db-all-keyspace-create\",\"db-all-keyspace-describe\"],
    		\"effect\":\"allow\"
    	}"
    }
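As an added example that is not part of the DataStax documentation, the following Python script checks a role request against the resource/action table and the keyspace-scoping rule above before it is sent: it flags a duplicate name (using a constructed sample of the GET /v2/organizations/roles response), unknown action names, malformed resource names, and database-level actions that a keyspace-scoped resource does not actually narrow. EXISTING_ROLES, lint_role and role_request are names assumed here, not part of the DevOps API.

```python
import json
import re

# Action names per permission group, taken from the resource/action table above.
ORG_ACTIONS = {"org-audits-read", "org-billing-read", "org-billing-write",
               "org-external-auth-read", "org-external-auth-write", "org-notification-write",
               "org-read", "org-role-delete", "org-role-read", "org-role-write",
               "org-token-read", "org-token-write", "org-user-read", "org-user-write",
               "org-write", "accesslist-read", "accesslist-write"}
DB_ACTIONS = {"db-cql", "db-graphql", "db-rest", "org-db-addpeering", "org-db-create",
              "org-db-expand", "org-db-managemigratorproxy", "org-db-passwordreset",
              "org-db-suspend", "org-db-terminate", "org-db-view"}
KEYSPACE_ACTIONS = {"db-all-keyspace-create", "db-all-keyspace-describe", "db-keyspace-alter",
                    "db-keyspace-authorize", "db-keyspace-create", "db-keyspace-describe",
                    "db-keyspace-drop", "db-keyspace-grant", "db-keyspace-modify"}
TABLE_ACTIONS = {"db-table-alter", "db-table-authorize", "db-table-create", "db-table-describe",
                 "db-table-drop", "db-table-grant", "db-table-modify", "db-table-select"}
KNOWN_ACTIONS = ORG_ACTIONS | DB_ACTIONS | KEYSPACE_ACTIONS | TABLE_ACTIONS

# Resource forms from the same table: org, db, keyspace, table; "*" or an id at each level.
DRN_RE = re.compile(r"^drn:astra:org:[^:]+(?::db:[^:]+(?::keyspace:[^:]+(?::table:[^:]+)?)?)?$")

# Constructed sample of a GET /v2/organizations/roles response (the ID is a placeholder).
EXISTING_ROLES = [{"ID": "00000000-0000-0000-0000-000000000000",
                   "Name": "API Admin Svc Acct", "Type": "default"}]

def lint_role(name, policy, existing_roles=EXISTING_ROLES):
    """Return the problems found in a role request; an empty list means it is clean."""
    problems = []
    # The API refuses a duplicate name with "unable to create role"; catch it first.
    if any(r.get("Name") == name for r in existing_roles):
        problems.append("duplicate name: " + name)
    actions = set(policy.get("actions", []))
    for act in sorted(actions - KNOWN_ACTIONS):
        problems.append("unknown action: " + act)
    resources = policy.get("resources", [])
    for res in resources:
        if not DRN_RE.match(res):
            problems.append("malformed resource: " + res)
    # Database-level actions (org-db-* and db-cql/graphql/rest) apply to the whole
    # database even when every resource names a single keyspace, so flag that case.
    wide = sorted(actions & DB_ACTIONS)
    if wide and resources and all(":keyspace:" in r for r in resources):
        problems.append("database-wide actions on keyspace-scoped resource: " + ", ".join(wide))
    return problems

def role_request(name, description, resources, actions):
    """Request body for POST/PUT /v2/organizations/roles in the shape shown above."""
    return json.dumps({"name": name, "policy": {"description": description,
                       "resources": resources, "actions": actions, "effect": "allow"}})
```

Run lint_role on a request before sending it with the POST call above; an empty result means the name is free and every action and resource is one the table lists.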

For more, see Create a role in an organization in the DevOps API.

Updating a role

  1. If you need to make changes to the permissions for an existing role, you can change the policy:

    curl --request PUT \
      --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>' \
      --data '{
      	"name":"<roleName>",
      	"policy": {
      	  "description": "Create and describe keyspaces",
      	  "resources": ["drn:astra:org:<organizationId>"],
      	  "actions": ["db-all-keyspace-create", "db-all-keyspace-describe"],
      	  "effect": "allow"}
        }'
  2. Confirm that the role was updated with the necessary permissions:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    {
    	"OrgID":"dccb8c32-cc2a-4bea-bd95-47ab8eb20510",
    	"ID":"b125f9ab-675e-4bc7-9306-5e50a05b7c56",
    	"Name":"newRoleName",
    	"Policy":"{
    		\"description\":\"keyspaces\",
    		\"resources\":[\"drn:astra:org:dccb8c32-cc2a-4bea-bd95-47ab8eb20510\"],
    		\"actions\":[\"db-all-keyspace-create\",\"db-all-keyspace-describe\"],
    		\"effect\":\"allow\"
    		}",
    	"LastUpdateDateTime":"",
    	"LastUpdateUserID":"wsbCtHyXCfuSHkiKbYWHsYZa"
    }

For more, see Update a role within an organization in the DevOps API.

Deleting a custom role

When you delete a custom role, all users and tokens assigned to that role will no longer have access.

  1. Delete a custom role to revoke access based on that role:

    curl --request DELETE \
      --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <application_token>'
  2. Confirm that the role no longer exists:

    cURL command (/v2):

    curl --request GET \
     --url 'https://api.astra.datastax.com/v2/organizations/roles/<roleId>' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer <application_token>'

    Result:

    "unable to get role for organization"

For more, see Delete a role by ID in the DevOps API.
