Manage users

To collaborate with others on projects in Astra DB, you can add users to your Astra DB organization.

To manage users, you need an application token or user role with the necessary permissions, such as the Organization Administrator role.

Add a user

  • Astra Portal

  • DevOps API

  1. In the Astra Portal navigation menu, click Settings, and then click Users.

  2. Click Invite User.

  3. Enter the email address of the user you want to invite. The user must use this email address to sign in to Astra DB. If the user has an Astra DB account, make sure this email address matches the user’s existing account.

  4. Select the roles that you want to assign to the user.

    After the user accepts your invitation, you can edit their roles as needed.

  5. Click Invite User.

To invite a user, use PUT /v2/organizations/users:

curl -sS --location -X PUT "https://api.astra.datastax.com/v2/organizations/users" \
--header "Authorization: Bearer APPLICATION_TOKEN" \
--header "Content-Type: application/json" \
--data '{
  "email": "USER_EMAIL",
  "orgID": "ORGANIZATION_ID",
  "roles": [
    "ROLE_ID",
    "ROLE_ID"
  ]
}'

Replace the following:

  • APPLICATION_TOKEN: Your application token.

  • USER_EMAIL: The user’s email address.

  • ORGANIZATION_ID: Your organization ID.

  • ROLE_ID: One or more roles to assign to the user. To get role IDs, use GET /v2/organizations/roles.

The user receives an email with a link to accept the invitation. Until the user accepts the invitation, the user’s status remains Invited.

Accept the invite

To accept an organization invitation, the invited user must sign in to Astra DB with the same email address that received the invitation.

The user can log in through SSO, as long as their SAML IdP profile, Google account, or GitHub account has the same email address as the organization invitation. Alternatively, the user can create a new account with the same email address, and then log in to accept the invitation.

Sign in with a SAML IdP

You can sign in to the Astra Portal through your SAML IdP if your Organization Administrator has enabled SSO. DataStax supports any SAML-compatible IdP, including Entra ID, Okta, OneLogin, Google Identity Platform, and Ping Identity. For more information, see Configure single sign-on.

Sign in with Google

You can use your Gmail or Google Workspace account to create an Astra DB account and sign in to the Astra Portal.

Sign in with GitHub

You can use your GitHub account to create an Astra DB account and sign in to the Astra Portal.

To use GitHub for Astra DB authentication, you must have a public email address in your GitHub profile.

If you are a new user, make your email public before you create an Astra DB account.

If you are an existing user and you selected keep my email address private in your GitHub profile, you must make your email address public, and then change your password to switch to Astra DB local authentication. Alternatively, you can use another SSO option with the same email address as your GitHub account.

If you don’t want to make your email address public, you must use a different SSO option or username and password authentication.

Sign in with a username and password

If you can’t use SSO, you can sign in with a username and password.

If you don’t already have an Astra DB account under the email address that you were invited with, you must create a new account with that email address:

  1. Navigate to the Astra Portal.

  2. On the Sign In page, click Sign Up.

  3. Follow the prompts to create your account. Make sure to use the same email address that received the invitation.

  4. After you create your account, follow the link in the invitation email to accept the invitation.

  5. After you accept the invitation, you can switch to the organization that you were invited to.

Remove a user or revoke an invitation

Removing a user removes their access to your organization, but it doesn’t delete their account.

The user retains their personal Astra DB account under their associated email address, including access to their default (personal) organization and any other organizations they belong to. The user can still access their personal Astra DB account, if they have access to the associated authentication method.

If your organization uses SSO, make sure that you also remove the user from your IdP, if necessary.

  • Astra Portal

  • DevOps API

  1. In the Astra Portal navigation menu, click Settings, and then click Users.

  2. Find the user you want to remove, click more_vert More, and then select Delete.

  1. Use GET /v2/organizations/users to get the user ID of the user you want to remove:

    curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/users" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    The response includes information for all users in the organization. Copy the UserID of the user you want to remove.

    {
      "OrgID": "ORG_ID",
      "OrgName": "ORG_NAME",
      "Users": [
        {
          "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
          "Email": "USER_EMAIL",
          "Status": "active",
          "Roles": [
            {
              "ID": "ROLE_ID",
              "Name": "ROLE_NAME"
            }
          ]
        }
      ]
    }
  2. Use DELETE /v2/organizations/users to remove the user:

    curl -sS --location -X DELETE "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"
  3. Use GET /v2/organizations/users/USER_ID to verify the user was removed:

    curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    A 404 Not Found status code indicates that the user was removed.

Edit user roles

  • Astra Portal

  • DevOps API

  1. In the Astra Portal navigation menu, click Settings, and then click Users.

  2. Find the user you want to edit, click more_vert More, and then select Edit User.

  3. Select the default and custom roles to assign to the user, and then click Update User.

A user’s role list is a desired state list. When you use the DevOps API to edit a user’s roles, you must include all roles that you want the user to have. This includes all currently assigned roles you want to keep plus any new roles you want to add.

  1. Use GET /v2/organizations/users to get the user ID of the user you want to edit:

    curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/users" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    The response includes information for all users in the organization. Copy the UserID of the user you want to edit.

    {
      "OrgID": "ORG_ID",
      "OrgName": "ORG_NAME",
      "Users": [
        {
          "UserID": "a891c81c-4520-8318-88b6-4813c78da26e",
          "Email": "USER_EMAIL",
          "Status": "active",
          "Roles": [
            {
              "ID": "ROLE_ID",
              "Name": "ROLE_NAME"
            }
          ]
        }
      ]
    }
  2. Use GET /v2/organizations/users/USER_ID to get the roles currently assigned to the user:

    curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/users/USER_ID" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    The response includes information for the specified user. In the Roles object, copy the ID of each currently assigned role that you want to keep. You don’t need the ID for roles that you want to remove from the user.

    {
      "UserID": "USER_ID",
      "Email": "USER_EMAIL",
      "Status": "active",
      "Roles": [
        {
          "ID": "ad0566b5-2a67-49de-89e8-92258c2f2c98",
          "Name": "Organization Administrator"
        }
      ]
    }
  3. If you want to assign new roles to this user, use GET /v2/organizations/roles to get the IDs for those roles:

    curl -sS --location -X GET "https://api.astra.datastax.com/v2/organizations/roles" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json"

    The response includes information about all default and custom roles in your organization. Copy the id for each role that you want to assign to the user.

    Response

    The following example is truncated for clarity.

    [
      {
        "id": "b4ed0e9e-67e8-47b6-8b58-c6629be961a9",
        "name": "R/W Svc Acct",
        "policy": {
          "description": "R/W Svc Acct",
          "resources": [
            ...
          ],
          "actions": [
            ...
          ],
          "effect": "allow"
        },
        "last_update_date_time": "0001-01-01T00:00:00Z",
        "last_update_user_id": ""
      },
      {
        "id": "43745b73-ad46-46e4-b826-c15d06d2cea0",
        "name": "Admin User",
        "policy": {
          "description": "Admin User",
          "resources": [
            ...
          ],
          "actions": [
            ...
          ],
          "effect": "allow"
        },
        "last_update_date_time": "0001-01-01T00:00:00Z",
        "last_update_user_id": ""
      },
    ]
  4. Use PUT /v2/organizations/users/USER_ID/roles to edit the user’s assigned roles. The body is a roles array containing a comma-separated list of role ID strings.

    The roles array is a desired state list. You must include all roles that you want the user to have, including currently assigned roles and new roles.

    curl -sS --location -X PUT "https://api.astra.datastax.com/v2/organizations/users/USER_ID/roles" \
    --header "Authorization: Bearer APPLICATION_TOKEN" \
    --header "Content-Type: application/json" \
    -- data '{
      "roles": [
        "ROLE_ID",
        "ROLE_ID"
      ]
    }'

    A successful request returns a 204 No Content status code.

  5. (Optional) To review the user’s updated role list, use GET /v2/organizations/users/USER_ID.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com