User permissions

Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.

You can manage roles using the DataStax Astra DB user interface or the DevOps API.

Which roles are available?

You can add users to your organization with a defined role.

The following roles can use the application token to use the DevOps API:

  • Organization Administrator

  • Database Administrator

  • Custom roles with create, terminate, and expand database permissions

Each role allows for unique permissions as defined below:

Organization Access Roles

Administrator User

Preexisting Database Access roles have been replaced with the Administrator User role and its associated permissions.

  • Schema changes, including select, grant, modify, describe, authorize, drop for the tables and/or keyspaces for which the permission is granted

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • View databases in organization

  • CQL access based on database access permissions

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • Reset database password

  • Park/unpark database

Organization Administrator

  • View billing

  • Modify billing

  • View users in an organization

  • Modify users in an organization

  • View databases in organization

  • Create, terminate, and expand database

  • VPC peering for database

  • Reset database password

  • Park/unpark database

  • Modify access list

Billing Administrator

  • View databases in organization

  • View billing

  • Modify billing

Database Administrator

  • View databases in organization

  • Create, terminate, and expand database

  • VPC peering for database

  • Reset database password

  • Park/unpark database

  • Modify access list

UI View Only

  • View databases in organization

  • View access list

Administrator Service Account

  • Schema changes, including select, grant, modify, describe, authorize, drop for the tables and/or keyspaces for which the permission is granted

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • CQL access based on database access permissions

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • Reset database password

  • Park/unpark database

Database, Keyspace, or Table Access Roles

Read/Write Service Account

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • CQL access based on database access permissions

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

Read Only Service Account

  • Select and describe keyspaces and tables within the database

  • CQL access based on database access permissions

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

Read/Write User

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • View databases in organization

  • CQL access based on database access permissions

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

Read Only User

  • Select and describe keyspaces and tables within the database

  • View databases in organization

  • CQL access based on database access permissions

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

API Access Roles

API Administrator User

  • Schema changes, including select, grant, modify, describe, authorize, drop for the tables and/or keyspaces for which the permission is granted

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • View databases in organization

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • Reset database password

  • Park/unpark database

  • View access list

API Read Only Service Account

  • Select and describe keyspaces and tables within the database

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

API Read/Write User

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • View databases in organization

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

API Administrator Service Account

  • Schema changes, including select, grant, modify, describe, authorize, drop for the tables and/or keyspaces for which the permission is granted

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • Reset database password

  • Park/unpark database

  • View access list

API Read/Write Service Account

  • Modify and describe keyspaces and tables within the database

  • Select and describe keyspaces and tables within the database

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

API Read Only User

  • Select and describe keyspaces and tables within the database

  • View databases in organization

  • GraphQL API access based on database access permissions

  • REST and Document API access based on database access permissions

  • View access list

Which role should I assign a user?

Database Access Method Roles

Astra User Interface access

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Developer Administrator

  • Developer Read/Write

  • Developer Read Only

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

GraphQL, REST, and Document API access based on database access permissions

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

  • API Administrator User

  • API Read/Write User

  • API Read Only User

  • API Administrator Service Account

  • API Read/Write Service Account

  • API Read Only Service Account

Data Loader access based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

dsbulk access based on database access permissions

  • Read/Write Service Account

  • Read Only Service Account

DevOps API access based on database access permissions

  • Organization Administrator

  • Database Administrator

Drivers based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

Manage access list fo IP addresses and CIDR

  • Organization Administrator

  • Database Administrator