Manage Astra Streaming roles and permissions

You manage role-based access control (RBAC) for Astra Streaming through your Astra organization. For more information about Astra RBAC, see Roles and permissions reference.

Astra roles and permissions for Astra Streaming

To access Astra Streaming, the minimum required permissions are as follows:

  • Manage Streaming (org-stream-manage): Create, read, update, and delete Astra Streaming resources in the Astra Portal and with the APIs.

  • View DB (org-db-view): View the Astra Portal. This permission is required for a user to access Astra Streaming through the Astra Portal. This permission isn’t required for programmatic access.

By default, Astra has no roles that are scoped exclusively to Astra Streaming.

The following built-in roles have the Manage Streaming permission in addition to other permissions:

Additionally, you can create custom roles with a narrower set of permissions. Make sure these roles have the minimum required permissions for Astra Streaming (Manage Streaming and View DB), and any other permissions required for the tasks the role needs to perform. For example, to enable Change Data Capture (CDC), the role also needs permission to manage the relevant databases.

To control access to specific streaming tenants, you can set granular resource scopes on custom roles.

Authentication and authorization in Apache Pulsar™ and Astra

Pulsar has the concept of clients with role tokens. In Pulsar, authentication is the process of verifying a provided token (JWT), and authorization is the process of determining if the role claimed in that token is allowed to complete the requested action.

Astra Streaming uses the DataStax distribution of Apache Pulsar. This project is an open fork of the Apache Pulsar™ project that maintains feature parity with OSS Pulsar. As a managed service, Astra Streaming abstracts some Pulsar features and options to ensure continuous, reliable service.

On a shared cluster, your Astra organization has one or more tenants on a shared Pulsar cluster. Each of your tenants is secured by Pulsar authentication and authorization models, as well as your Astra organization’s authentication and authorization (Astra RBAC).

Astra Streaming shared clusters are created and administered by Astra Streaming administrators. Each tenant is assigned a custom role and permissions limited to that tenant only. All tokens created within a tenant are assigned roles similar to the assigning tenant.
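The two steps described above (verify the token, then check what its role may do) can be modeled as follows. This is an added example, not Pulsar or Astra Streaming code. It assumes an HS256 shared-secret JWT with the role in the `sub` claim, and the tenant names, role names, and grants table are constructed.

```python
import base64, hashlib, hmac, json, time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(secret, claims):
    """Build an HS256 JWT so the example has a constructed token to verify."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_sign(secret, head + '.' + body))}"

def authenticate(token, secret, now=None):
    """Authentication: verify the JWT, then return the role it claims."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # refuses "none" and algorithm swaps
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(_sign(secret, f"{head}.{body}"), _unb64url(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64url(body))
        exp, role = claims.get("exp"), claims.get("sub")  # assumed role claim: sub
        # A token without exp is treated as non-expiring in this model.
        if exp is not None and (time.time() if now is None else now) >= exp:
            raise ValueError("token expired")
        if not isinstance(role, str) or not role:
            raise ValueError("no role in sub claim")
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError(f"authentication failed: {exc}") from None
    return role

def authorize(role, namespace, action, grants):
    """Authorization: is this role granted this action on this namespace?"""
    return action in grants.get(namespace, {}).get(role, set())

# Constructed grants: namespace -> role -> allowed actions.
GRANTS = {
    "tenant-a/default": {"tenant-a-client": {"produce", "consume"}},
    "tenant-b/default": {"tenant-b-client": {"consume"}},
}
```

A role that authenticates successfully for one tenant is still denied on another tenant's namespace, because the grants lookup is keyed by namespace first.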

For programmatic access, you use Astra application tokens or Pulsar JWT, depending on the operation you need to perform. For more information, see Manage tokens.

© Copyright IBM Corporation 2026