Manage database roles and permissions
The DataStax Astra DB Serverless (Vector) documentation site is currently in Public Preview and is provided on an “AS IS” basis, without warranty or indemnity of any kind. For more, see the DataStax Preview Terms. |
Organization users can access databases via the Astra Portal, and applications can access them via the API.
To grant a user access to a database in the Astra Portal, you assign a role to the user’s account in your organization. To grant your application access to a database, you assign a role to the application token that your application uses to authenticate with the Astra API.
About roles
A role defines the level of access that a user or application has to a database. A role can be either a default role or a custom role.
All roles consist of:
-
A name
-
A set of permissions
-
A set of database and keyspace scopes
For example, you could assign one role to an organization user that grants access to a set of databases and another role to an application token that grants access to a specific set of keyspaces within a single database. This system allows you to mix and match access levels to different databases and keyspaces to satisfy your application and security requirements.
Default roles
Astra provides a set of default roles that you can assign to organization users and application tokens. These roles are designed to cover the most common use cases for accessing databases and other Astra resources.
Default roles are permitted to access all databases in an organization. If you assign a default role to an application token, then any application using that token is granted the privileges of that role on any of your databases. To limit the databases an application token can access, you must create a custom role.
Role name | Role permissions |
---|---|
Organization Administrator |
Grants all permissions. |
Database Administrator |
Grants the following Organization permissions: Grants the following Keyspace permissions: Grants the following Table permissions: Grants the following API access permissions: |
Custom roles
If none of the default roles meet your specific security requirements, you can create a custom role.
Manage roles
In the Astra Portal, you can view all custom roles in your organization by going to Settings > Roles.
To manage roles, you must have one of the following roles:
Create a custom role
-
In the Astra Portal, go to Settings > Roles.
-
Click Add Custom Role.
-
Enter a name for the role in the Role Name field.
-
In the Add Permissions section, use the checkboxes to add specific permissions to the role.
You can add permissions from the following categories:
-
In the Add Databases section, select the specific databases and respective keyspaces you want the role scoped to. Or you can use the Apply permissions to all databases in this organization toggle to scope the role to all current and future databases.
-
Click Create Role.
The new role appears in the Roles tab. You can assign the role to an organization user or application token.
Edit a custom role
-
In the Astra Portal, go to Settings > Roles.
-
Find the role you want to edit and click the overflow menu icon (three dots). Select Edit Role.
-
You can modify all of the same settings that you can when creating a role.
-
When you’re done, click Edit Role.
Delete a custom role
-
In the Astra Portal, go to Settings > Roles.
-
Find the role you want to delete and click the overflow menu icon (three dots). Select Delete Role.
-
In the confirmation dialog, click Delete Role.
Deleting a custom role removes it from all organization users and application tokens it is currently assigned to. Before deleting a custom role, reassign users to new roles and generate new application tokens to ensure continuity of access. |
About permissions
Permissions define resources and actions that can be accessed in a database. Permissions are assigned to roles and determine the level of access that a user or application has to a database.
Organization permissions
Permission name | DevOps API parameter | Description |
---|---|---|
Add Peering |
|
Create a VPC peering connection. |
Create DB |
|
Create a database using the DevOps API or Astra Portal. |
Delete Custom Role |
|
Delete a custom role. |
Manage Metrics |
|
|
Manage Private Endpoint |
|
|
Manage Region |
|
Add, create, or remove a region using the DevOps API or Astra Portal. |
Manage Streaming |
||
Read Audits |
|
Enables read and download audits. |
Read Billing |
|
Enables links and access to billing details page. |
Read CMK Key |
|
|
Read Custom Role |
|
See a custom role and its associated permissions. |
Read External Auth |
|
See security settings related to external authentication providers. |
Read IP Access List |
|
Enables links and access to acess list page. |
Read Organization |
|
View organization in Astra Portal. |
Read Token |
|
Read token details. |
Read User |
|
Access to viewing users of an organization. |
Terminate DB |
|
Permanently delete a database and all of of its data. |
View DB |
|
See a database in a list of databases or Astra Portal. |
Write Billing |
|
Enables links and ability to add or edit billing payment info. |
Write CMK Key |
|
|
Write Custom Role |
|
Create custom role. |
Write External Auth |
|
Update security settings related to external auth providers. |
Write IP Access List |
|
Create or modify an access list using the DevOps API or Astra Portal. |
Write Organization |
|
Create new organizations or delete an existing organization. |
Write Token |
|
Create application token. |
Write User |
|
Add, create, or remove a user using the DevOps API or Astra Portal. |
Keyspace permissions
Permission name | DevOps API parameter | Description |
---|---|---|
Alter Keyspace |
|
Make changes to a specified keyspace. |
|
Give access to specified keyspace. |
|
Create All Keyspaces |
|
|
Create Keyspace |
|
Create keyspace. Available in only Astra Portal. |
Describe All Keyspaces |
|
|
Describe Keyspace |
|
Get a list of tables within a specified keyspace. |
Drop Keyspace |
|
Remove keyspace. Available in only Astra Portal. |
Grant Keyspace |
|
Grant specific permissions for specified keyspace. |
Modify Keyspace |
|
Access or modify a keyspace. |
Table permissions
Applies to all tables in the selected keyspace(s).
Permission name | DevOps API parameter | Description |
---|---|---|
Alter Table |
|
|
|
||
Create Table |
|
|
Describe Table |
|
|
Drop Table |
|
|
Grant Table |
|
|
Modify Table |
|
|
Select Table |
|
API access permissions
Permission name | DevOps API parameter | Description |
---|---|---|
Access CQL |
|
Connect to database via CQL. |
Access GraphQL |
|
Connect to database via GraphQL API. |
Access REST |
|
Connect to database via REST API. |