Roles and permissions reference
Astra uses role-based access control (RBAC) to manage the levels of access that users and applications have to your databases and organizations.
Roles define the level of access that an entity has to your organization and databases. Roles are assigned to users and application tokens. Then, users and applications can interact with your Astra resources according to the permissions granted by the assigned roles.
You can use default (built-in) and custom roles. All roles have a set of permissions and resource scopes.
When you create and assign roles, consider your organization’s security policies and industry best practices for RBAC, such as the principle of least privilege.
Default (built-in) and custom roles
Astra provides a default set of built-in enterprise roles and built-in organization roles that you can assign to users and application tokens. These roles are designed to cover the most common use cases for enterprise administration, organization administration, database access, and interactions with other Astra resources.
You cannot edit or delete built-in roles.
Note: Built-in roles are broadly scoped. Built-in organization roles have access to resources in your entire organization, including all databases. If you assign a built-in role to an application token, then any application using that token can perform the actions permitted by that role on any of your databases. To limit access to specific databases or keyspaces, you must create a custom role with limited scopes.
For information about the permissions assigned to each role, see the built-in enterprise roles reference and the built-in organization roles reference, or inspect roles using the Astra Portal and DevOps API.
Inspect roles
There are several ways to inspect roles and the permissions granted to those roles.
Inspect roles in the Astra Portal
There are two ways to inspect roles in the Astra Portal:
- Tokens page
  In the Astra Portal, you can inspect role permissions when creating application tokens at the organization or enterprise level. You don’t need to create the token; you can use the Tokens page to preview a role’s permissions.
  - In the Astra Portal header, click Settings.
  - In the Settings navigation menu, make sure the enterprise/organization filter is set to the enterprise or organization that you want to manage. To view an organization that belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
  - In the Settings navigation menu, click Tokens. The Tokens page for an enterprise exposes enterprise roles only. The Tokens page for an organization exposes organization roles only.
  - In the Generate new token section, select a role to view the role’s permissions.
- Roles page
  In the Astra Portal, you can inspect custom roles on the Roles page. This method exposes custom roles only. To inspect built-in roles, you must use another method.
  - In the Astra Portal header, click Settings.
  - In the Settings navigation menu, make sure the enterprise/organization filter is set to the enterprise or organization that you want to manage. To view an organization that belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
  - In the Settings navigation menu, click Roles. The Role management page for an enterprise exposes custom enterprise roles only. The Role management page for an organization exposes custom organization roles only. Custom roles named DATABASE_NAME Database Administrator are automatically created when you generate an application token scoped to a database, and you can edit these roles like any other custom role.
Inspect roles with the DevOps API
Note: This is the only method that exposes resource scopes for all roles.
To get information about all built-in and custom roles in an organization, use GET /v2/organizations/roles:
```bash
curl -sS -L -X GET "https://api.astra.datastax.com/v2/organizations/roles" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json"
```
The returned roles depend on the scope of the application token. Organization-scoped application tokens return the roles in that organization. Enterprise-scoped application tokens return the roles in that enterprise.
For each role, the response includes the following:
- id: Role ID. Once you have a role’s ID, you can use GET /v2/organizations/roles/ROLE_ID to get information for that role only.
- name: Role name. Custom roles named DATABASE_NAME Database Administrator are automatically created when you generate an application token scoped to a database, and you can edit these roles like any other custom role.
- last_update: The date and time when the role was last edited (in the example response below, this appears as last_update_date_time, alongside last_update_user_id).
- policy: An object defining the role’s permissions and resource access, including the following fields:
  - description: The role name.
  - resources: An array of resource IDs that define the role’s access to Astra resources. For more information, see Resource scopes.
  - actions: The permissions granted to the role.
  - effect: Indicates that the role grants access to the named resources and permissions. This is always allow.
The following example is truncated for clarity:
```json
[
  {
    "id": "ad0566b5-2a67-49de-89e8-92258c2f2c98",
    "name": "Organization Administrator",
    "policy": {
      "description": "Organization Administrator",
      "resources": [
        "drn:astra:org:__ORG_ID__",
        "drn:astra:org:__ORG_ID__:db:*",
        "drn:astra:org:__ORG_ID__:db:*:keyspace:*",
        "drn:astra:org:__ORG_ID__:db:*:keyspace:*:table:*",
        "drn:astra:org:__ORG_ID__:stream:*",
        "drn:astra:org:__ORG_ID__:role:*"
      ],
      "actions": [
        "accesslist-read",
        "accesslist-write",
        "org-read",
        "org-write",
        ...TRUNCATED...
        "db-table-alter",
        "db-table-drop",
        "db-manage-thirdpartymetrics"
      ],
      "effect": "allow"
    },
    "last_update_date_time": "0001-01-01T00:00:00Z",
    "last_update_user_id": ""
  },
  {
    "id": "b73e44b2-b9e9-43b8-a7c1-c6a2fe2dab50",
    "name": "R/W User",
    "policy": {
      "description": "R/W User",
      "resources": [
        "drn:astra:org:__ORG_ID__",
        "drn:astra:org:__ORG_ID__:db:*",
        "drn:astra:org:__ORG_ID__:db:*:keyspace:*",
        "drn:astra:org:__ORG_ID__:db:*:keyspace:*:table:*"
      ],
      "actions": [
        "accesslist-read",
        "org-db-view",
        ...TRUNCATED...
        "db-cql"
      ],
      "effect": "allow"
    },
    "last_update_date_time": "0001-01-01T00:00:00Z",
    "last_update_user_id": ""
  }
]
```
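Auditing a response of this shape for roles whose resource scope reaches every database (the db:* DRN that the note on built-in roles warns about), as an added example that is not DataStax code: it walks each role’s policy.resources and policy.actions and reports broadly scoped roles with the sensitive actions they carry. SAMPLE_ROLES is constructed from the truncated example above, SENSITIVE_ACTIONS is this example’s own list, and the orders Database Administrator role and __DB_ID__ are placeholders.

```python
"""Audit role policies from GET /v2/organizations/roles for over-broad scope.

Added example, not DataStax code. It relies only on the response shape shown
above: policy.resources holds DRN strings and policy.actions holds permission
values. SAMPLE_ROLES is constructed from the truncated response in the docs.
"""
import re

# Database segment of a DRN; the value "*" means every database in the org.
DB_SCOPE = re.compile(r"^drn:astra:org:[^:]+:db:([^:]+)")
# Actions treated as sensitive by this example (a reviewer's choice, not an
# official Astra list); all of them appear in the example response above.
SENSITIVE_ACTIONS = {"org-write", "accesslist-write", "db-table-alter", "db-table-drop"}

ORG = "drn:astra:org:__ORG_ID__"
SAMPLE_ROLES = [  # constructed from the page's example; trimmed for brevity
    {"name": "Organization Administrator",
     "policy": {"resources": [ORG, ORG + ":db:*", ORG + ":db:*:keyspace:*", ORG + ":role:*"],
                "actions": ["accesslist-read", "accesslist-write", "org-read", "org-write",
                            "db-table-alter", "db-table-drop", "db-cql"],
                "effect": "allow"}},
    {"name": "R/W User",
     "policy": {"resources": [ORG, ORG + ":db:*", ORG + ":db:*:keyspace:*"],
                "actions": ["accesslist-read", "org-db-view", "db-cql"],
                "effect": "allow"}},
    # Hypothetical custom role limited to one database and keyspace, the
    # pattern the docs recommend for narrow access; __DB_ID__ is a placeholder.
    {"name": "orders Database Administrator",
     "policy": {"resources": [ORG, ORG + ":db:__DB_ID__",
                              ORG + ":db:__DB_ID__:keyspace:orders"],
                "actions": ["org-db-view", "db-cql"],
                "effect": "allow"}},
]


def role_scopes(roles):
    """Map each role name to the sorted database IDs its DRNs name ("*" = all)."""
    scopes = {}
    for role in roles:
        ids = set()
        for drn in role["policy"]["resources"]:
            match = DB_SCOPE.match(drn)
            if match:
                ids.add(match.group(1))
        scopes[role["name"]] = sorted(ids)
    return scopes


def audit_roles(roles):
    """Return roles scoped to every database, each with its sensitive actions.

    An empty list still means the role reaches all databases; a non-empty one
    is the case to review first under least privilege.
    """
    scopes = role_scopes(roles)
    return {role["name"]: sorted(SENSITIVE_ACTIONS & set(role["policy"]["actions"]))
            for role in roles if "*" in scopes[role["name"]]}


if __name__ == "__main__":
    for name, actions in audit_roles(SAMPLE_ROLES).items():
        print(f"{name}: scoped to all databases; sensitive actions: {actions or 'none'}")
```

To run it against a live organization, feed the parsed JSON array from the curl command above to audit_roles in place of SAMPLE_ROLES.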
Built-in enterprise roles
The following roles are available at the enterprise level, and they grant enterprise permissions only:
| Role name | Enterprise permissions |
|---|---|
Built-in organization roles
The following roles are available at the organization level.
Administrative roles
These built-in organization roles are intended for administrators and users that require elevated permissions within the organization. These roles include organization-wide administrators as well as database administrators.
Organization Administrator
This role grants all organization, keyspace, table, and API access permissions within the scope of one organization.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
| Add Peering | | | |
Administrator User
This role grants most organization, keyspace, table, and API access permissions within the scope of one organization. It has the following limitations:
- Cannot create, view, edit, or delete application tokens, custom roles, IP access lists, or SSO configurations.
- Cannot download audit logs.
- Cannot view or modify any aspect of Astra Streaming.
- Cannot delete the organization.
However, this role can access organization billing information, and create, read, write, and delete databases.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Billing Administrator
This role has access to subscription-related functionality only. The View DB permission is required for access to the Astra Portal and database details in usage reports.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
| | None | None | None |
Database Administrator
This role is intended for users who need to manage databases at a high level without requiring access to all organization settings. The role grants permissions necessary to manage databases in an organization, including the following:
- Create and delete databases, keyspaces, tables, and collections.
- Read and write data.
- Manage database security configurations, including IP access lists and private endpoints.
- Create and delete application tokens.
- Deploy databases to multiple regions.
- View and export database metrics.
This role cannot access audit logs, SSO configurations, subscription plans and usage information, users, or any aspect of Astra Streaming.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Non-administrative roles
These roles have a reduced set of permissions compared to administrative roles. They are intended for users who don’t need elevated access within an organization.
UI View Only
This role grants access to the Astra Portal at the lowest level. A user with this role can sign in to the Astra Portal and view the most minimal information about databases, but they cannot access any other functions, and they cannot read from databases.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
| | None | None | None |
Read Only User
This role is slightly more elevated than UI View Only. A user with this role can sign in to the Astra Portal, view database metadata, and read data from databases.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Read/Write User
This role slightly expands on Read Only User by granting permission to write to databases.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Service account and API access roles
These roles are generally intended for programmatic access.
Roles without the View DB permission cannot access the Astra Portal. Such roles can only be used to authenticate programmatic interactions with Astra through application tokens.
Administrator Service Account
This role provides administrative access with the exception of custom roles, audit logs, SSO configurations, IP access lists, application tokens, and the highest-level organization settings (deleting the organization and changing the administrator email). However, this role can access and manage Astra Streaming.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Read Only Service Account
This role provides only programmatic read access to databases in an organization.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Read/Write Service Account
This role provides only programmatic read/write access to databases in an organization.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
API Administrator Service Account
This role is comparable to Administrator Service Account, with the following exceptions:
- This role cannot view or export database metrics.
- This role cannot manage customer-managed encryption keys.
- This role cannot access databases through CQL, including the CQL console, CQL shell (cqlsh) in the Astra CLI, or a Cassandra driver.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
API Read Only Service Account
This role provides read-only access to databases in an organization through the Data API.
This role cannot access databases through CQL, including the CQL console, CQL shell (cqlsh) in the Astra CLI, or a Cassandra driver.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
API Administrator User
This role is the same as API Administrator Service Account.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
API Read/Write Service Account
This role provides read/write access to databases in an organization through the Data API.
This role cannot access databases through CQL, including the CQL console, CQL shell (cqlsh) in the Astra CLI, or a Cassandra driver.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
API Read Only User
This role provides read-only access to databases in an organization through the Data API and the Astra Portal.
This role cannot access databases through CQL, including the CQL console, CQL shell (cqlsh) in the Astra CLI, or a Cassandra driver.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
API Read/Write User
This role provides read/write access to databases in an organization through the Data API and the Astra Portal.
This role cannot access databases through CQL, including the CQL console, CQL shell (cqlsh) in the Astra CLI, or a Cassandra driver.
| Organization permissions | Keyspace permissions | Table Permissions | API access permissions |
|---|---|---|---|
Permissions
Permissions define the actions that an entity can take on a resource, such as a database, keyspace, or an entire organization. Possible actions range from limited read-only operations to expansive create, edit, and delete operations.
The following tables describe permissions available in Astra.
Note: Each permission has a Permission name that is visible in the Astra Portal as well as a DevOps API value for role management with the DevOps API. Unless otherwise specified, permissions grant the ability to perform a function both in the Astra Portal and programmatically, such as through an API or the Astra CLI.
Enterprise permissions
Enterprise permissions define the operations a role can perform at the enterprise level, such as adding enterprise users, adding organizations to the enterprise, and creating enterprise application tokens.
Enterprise roles are separate from organization roles, which means that enterprise permissions don’t inherently grant the equivalent organization permissions.
For example, the Read Enterprise Role permission doesn’t include the organization-level Read Custom Role permission. With Read Enterprise Role, you can view enterprise roles only. If you want to view both enterprise and organization roles, you must have an enterprise role with the Read Enterprise Role permission and an organization role with the Read Custom Role permission. If your enterprise has multiple organizations, you need an organization role in each organization that you want to view.
For more information about the relationship between enterprise and organization roles, see Enterprise users and roles.
| Permission name | DevOps API value | Description |
|---|---|---|
| Read Enterprise Billing | | Retrieve billing details for organizations in an enterprise. |
| Write Enterprise Billing | | This permission is inactive. To manage billing for an organization, use Write Billing. |
| Read Enterprise User | | View users in an enterprise. To view users in an organization, use Read User. |
| Write Enterprise User | | Modify users at the enterprise level. To manage users within an organization, use Write User. |
| Read Enterprise Token | | View enterprise application tokens. |
| Write Enterprise Token | | Create and revoke enterprise application tokens. |
| Manage Enterprise Organization | | Create an organization under an enterprise. |
| Read Enterprise Role | | View custom enterprise roles and their associated permissions. |
| Write Enterprise Role | | Create, edit, and delete custom enterprise roles. |
| Read Enterprise Audits | | Download enterprise audit logs in the Astra Portal. |
Organization permissions
Organization permissions define the operations a role can perform at the organization level, such as billing administration, user administration, and the ability to create databases.
Organization permissions related to database management, such as Manage Region and View DB, can be further limited to specific databases.
Note: To view the Astra Portal, a role must have the View DB permission.
| Permission name | DevOps API value | Description |
|---|---|---|
| Add Peering | | Create VPC peering connections for Astra Managed Clusters databases. |
| Create DB | | Create a database. |
| Delete Custom Role | | Delete a custom role. |
| Expand DB | | Resize Astra Managed Clusters databases. |
| Manage Metrics | | Manage health metrics export destinations for Astra DB Serverless databases. |
| Manage Migrator Proxy | | (Deprecated) Previously used to manage the ZDM Proxy tool that was bundled with Astra Managed Clusters databases. This tool is no longer built in. Instead, you can run ZDM Proxy outside of Astra. For more information, see Phases of the Zero Downtime Migration process. |
| Manage Private Endpoint | | Configure private endpoints. |
| Manage Region | | Add or remove regions from multi-region databases. |
| Manage Streaming | | View, add, edit, or remove Astra Streaming configurations. |
| Password Reset | | (Deprecated) Previously used to reset passwords for Astra Managed Clusters databases. This functionality is deprecated. Instead, use application tokens. |
| Read Audits | | Download organization audit logs and configure organization audit log streaming. See View audit logs. |
| Read Billing | | Access the Billing page and download usage reports in the Astra Portal. |
| Read CMK Key | | View customer keys in an organization. |
| Read Custom Role | | View custom roles and their associated permissions. |
| Read External Auth | | View an organization’s SSO configuration in the Astra Portal. |
| Read Integrations | | View an organization’s enabled integrations on the Integrations page in the Astra Portal, including Astra DB Serverless vectorize embedding provider integrations. |
| Read IP Access List | | View database and DevOps API IP access lists. Visibility of database access lists depends on the role’s resource scopes. |
| Read Organization | | View an organization. |
| Read Token | | View application tokens in an organization. |
| Read User | | View users in an organization. |
| Suspend DB | | (Deprecated) Previously used to suspend or unsuspend Astra Managed Clusters databases. This functionality is deprecated with no replacement. |
| Terminate DB | | Permanently delete a database and all of its data. |
| View DB | | View the Astra Portal generally. View databases in the Astra Portal. View database information returned by an API request. |
| Write Billing | | Modify the organization’s subscription plan and PCU groups. |
| Write CMK Key | | Create and manage customer keys. |
| Write Custom Role | | Create and manage custom roles. |
| Write External Auth | | Manage an organization’s SSO configuration in the Astra Portal. |
| Write Integrations | | Add, edit, and remove an organization’s integrations on the Integrations page in the Astra Portal, including Astra DB Serverless vectorize embedding provider integrations. |
| Write IP Access List | | Create and modify database and DevOps API IP access lists. Access to database access lists depends on the role’s resource scopes. |
| Write Organization | | Grants the following: |
| Write Token | | Create application tokens. |
| Write User | | Invite (add) users, edit users’ assigned roles, and remove users from an organization. |
Keyspace permissions
Keyspace permissions apply to keyspaces within your Astra DB databases. You can use resource scopes to further restrict a role’s access to individual keyspaces and resources within keyspaces.
| Permission name | DevOps API value | Description |
|---|---|---|
| Alter Keyspace | | Add, edit, or remove a keyspace’s configuration or tables, such as with CQL |
| | | Grant admin permissions on a keyspace, such as with CQL |
| Create All Keyspaces | | Create keyspaces programmatically. |
| Create Keyspace | | Create a keyspace in the Astra Portal. |
| Describe All Keyspaces | | Get a list of tables in multiple keyspaces, such as with CQL |
| Describe Keyspace | | Get a list of tables within a single keyspace. |
| Drop Keyspace | | Remove a keyspace. |
| Grant Keyspace | | Grant specific permissions on a keyspace, such as with CQL |
| Modify Keyspace | | Edit a keyspace (a limited version of Alter Keyspace). |
Table permissions
These permissions apply to collections and tables in Astra DB Serverless databases, and tables in Astra Managed Clusters databases. You can use database, keyspace, and table scopes to further restrict table permissions.
| Permission name | DevOps API value | Description |
|---|---|---|
| Alter Table | | Add, edit, or remove a table’s columns, such as with CQL |
| | | Grant admin permissions on a table, such as with CQL |
| Create Table | | Create a table. |
| Describe Table | | Get table information, such as with CQL |
| Drop Table | | Delete a table. |
| Grant Table | | Grant specific permissions on a table, such as with CQL |
| Modify Table | | Edit a table (a limited version of Alter Table). |
| Select Table | | Use CQL |
API access permissions
API access permissions grant a role access to databases through cqlsh and some legacy APIs.
You cannot control universal access to the DevOps API or Astra DB Serverless Data API at the role level. Instead, API authentication and authorization are controlled through application tokens. The token’s role determines the permitted operations.
| Permission name | DevOps API value | Description |
|---|---|---|
| Access CQL | | Connect to a database through CQL. |
| Access GraphQL | | Legacy permission used to connect to databases through the Stargate GraphQL API (deprecated). |
| Access REST | | Legacy permission used to connect to databases through the Stargate REST API (deprecated). |