LIST PERMISSIONS

List the permissions, filtered by either resource and/or role. When using this command, you can omit the ON clause to display all related resources or omit the OF clause to display all role permissions. A role must have the DESCRIBE permission on the target resources and roles to list their permissions. Only superusers can list all permissions.

Syntax

LIST ( ALL PERMISSIONS | <permission_list> )[ ON <resource_name> ]
  [ OF <role_name> ][ NORECURSIVE ] ;

Syntax legend

Legend
Syntax conventions	Description
UPPERCASE	Literal keyword.
Lowercase	Not literal.
`< >`	Variable value. Replace with a user-defined value.
`[]`	Optional. Square brackets (`[]`) surround optional command arguments. Do not type the square brackets.
`( )`	Group. Parentheses ( `( )` ) identify a group to choose from. Do not type the parentheses.
`\|`	Or. A vertical bar (`\|`) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
`...`	Repeatable. An ellipsis ( `...` ) indicates that you can repeat the syntax element as often as required.
`'<Literal string>'`	Single quotation (`'`) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
`{ <key> : <value> }`	Map collection. Braces (`{ }`) enclose map collections or key value pairs. A colon separates the key and the value.
`<datatype2`	Set, list, map, or tuple. Angle brackets ( `< >` ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
`<cql_statement>;`	End CQL statement. A semicolon (`;`) terminates all CQL statements.
`[--]`	Separate the command line options from the command arguments with two hyphens ( `--` ). This syntax is useful when arguments might be mistaken for command line options.
`' <<schema\> ... </schema\>> '`	Search CQL only: Single quotation marks (`'`) surround an entire XML schema declaration.
`@<xml_entity>='<xml_entity_type>'`	Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

Parameters

Access control matrix tables

In the following tables, the hierarchy of permissions is shown for each resource type, as well as the permissions that can be granted on each resource.

Data resources

Cassandra database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors.

Resource permissions

Type of access a role has to a database resource.

The following hierarchy is true for data: ALL KEYSPACES > KEYSPACE <keyspace_name> > ALL TABLES IN KEYSPACE <keyspace_name> > TABLE <table_name> > '<filtering_data>' ROWS IN <table_name>

Resource type: Data

Privilege Resource Permissions

Privilege	Resource	Permissions
ALL PERMISSIONS	`resource_name`	All operations that are applicable to the resource and its ancestors, where resource name is listed below.
ALTER	ALL KEYSPACES	ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace.
ALTER	KEYSPACE `keyspace_name`	ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace.
ALTER	TABLE `table_name`	ALTER TABLE and RESTRICT ROW of specified table.
CREATE	ALL KEYSPACES	CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace.
CREATE	KEYSPACE `keyspace_name`	CREATE TABLE and CREATE TYPE in specified keyspace.
DROP	ALL KEYSPACES	DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace
DROP	KEYSPACE `keyspace_name`	DROP TABLE and DROP TYPE in specified keyspace
DROP	TABLE `table_name`	DROP TABLE specified.
MODIFY	`filtering_data` ROWS IN `table_name`	MODIFY on rows that exactly match the `filtering_data` in specified table.
MODIFY	ALL KEYSPACES	INSERT, UPDATE, DELETE, and TRUNCATE on any table.
MODIFY	KEYSPACE `keyspace_name`	INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace.
MODIFY	TABLE `table_name`	INSERT, UPDATE, DELETE, and TRUNCATE on specified table.
SELECT	`filtering_data` ROWS IN `table_name`	SELECT on rows that exactly match the `filtering_data` in specified table.
SELECT	ALL KEYSPACES	SELECT on any table.
SELECT	KEYSPACE `keyspace_name`	SELECT on any table in specified keyspace.
SELECT	TABLE `table_name`	SELECT on specified table.

ALL PERMISSIONS

resource_name

All operations that are applicable to the resource and its ancestors, where resource name is listed below.

ALTER

ALL KEYSPACES

ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROW in any keyspace.

ALTER

KEYSPACE keyspace_name

ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, and RESTRICT ROW in specified keyspace.

ALTER

TABLE table_name

ALTER TABLE and RESTRICT ROW of specified table.

CREATE

ALL KEYSPACES

CREATE KEYSPACE, CREATE TABLE, CREATE FUNCTIONS, and CREATE TYPE in any keyspace.

CREATE

KEYSPACE keyspace_name

CREATE TABLE and CREATE TYPE in specified keyspace.

DROP

ALL KEYSPACES

DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace

DROP

KEYSPACE keyspace_name

DROP TABLE and DROP TYPE in specified keyspace

DROP

TABLE table_name

DROP TABLE specified.

MODIFY

filtering_data ROWS IN table_name

MODIFY on rows that exactly match the filtering_data in specified table.

MODIFY

ALL KEYSPACES

INSERT, UPDATE, DELETE, and TRUNCATE on any table.

MODIFY

KEYSPACE keyspace_name

INSERT, UPDATE, DELETE, and TRUNCATE on any table in specified keyspace.

MODIFY

TABLE table_name

INSERT, UPDATE, DELETE, and TRUNCATE on specified table.

SELECT

filtering_data ROWS IN table_name

SELECT on rows that exactly match the filtering_data in specified table.

SELECT

ALL KEYSPACES

SELECT on any table.

SELECT

KEYSPACE keyspace_name

SELECT on any table in specified keyspace.

SELECT

TABLE table_name

SELECT on specified table.

The following hierarchy is true for JMX resources: ALL MBEANS > MBEAN <mbean_name> and MBEANS <pattern>

Resource type: JMX

Privilege Resource Permissions

Privilege	Resource	Permissions
DESCRIBE	ALL MBEANS	Retrieve metadata about any mbean from the platform’s MBeanServer.
DESCRIBE	MBEAN `mbean_name`	Retrieve metadata about a named mbean from the platform’s MBeanServer.
DESCRIBE	MBEANS pattern	Retrieve metadata about any mbean matching a wildcard pattern from the platform’s MBeanServer.
EXECUTE	ALL MBEANS	Execute operations on any mbean.
EXECUTE	MBEAN `mbean_name`	Execute operations on named mbean.
EXECUTE	MBEANS pattern	Execute operations on any mbean matching a wildcard pattern.
MODIFY	ALL MBEANS	Call setter methods on any mbean.
MODIFY	MBEAN `mbean_name`	Call setter methods on named mbean.
MODIFY	MBEANS pattern	Call setter methods on any mbean matching a wildcard pattern.
SELECT	ALL MBEANS	Call getter methods on any mbean.
SELECT	MBEAN `mbean_name`	Call getter methods on named mbean.
SELECT	MBEANS pattern	Call getter methods on any mbean matching a wildcard pattern.

DESCRIBE

ALL MBEANS

Retrieve metadata about any mbean from the platform’s MBeanServer.

DESCRIBE

MBEAN mbean_name

Retrieve metadata about a named mbean from the platform’s MBeanServer.

DESCRIBE

MBEANS pattern

Retrieve metadata about any mbean matching a wildcard pattern from the platform’s MBeanServer.

EXECUTE

ALL MBEANS

Execute operations on any mbean.

EXECUTE

MBEAN mbean_name

Execute operations on named mbean.

EXECUTE

MBEANS pattern

Execute operations on any mbean matching a wildcard pattern.

MODIFY

ALL MBEANS

Call setter methods on any mbean.

MODIFY

MBEAN mbean_name

Call setter methods on named mbean.

MODIFY

MBEANS pattern

Call setter methods on any mbean matching a wildcard pattern.

SELECT

ALL MBEANS

Call getter methods on any mbean.

SELECT

MBEAN mbean_name

Call getter methods on named mbean.

SELECT

MBEANS pattern

Call getter methods on any mbean matching a wildcard pattern.

role_name: Selects a role. If the role name has capital letters or special characters enclose it in single quotes.
NORECURSIVE: Only display permissions granted to the role. By default permissions checks are recursive, and show direct and inherited permissions.

List output

The list command shows the following information:

LIST ALL PERMISSION OF role1;

Results

 role  | username | resource           | permission | granted | restricted | grantable
-------+----------+--------------------+------------+---------+------------+-----------
 role1 |    role1 | <keyspace cycling> |       DROP |   False |       True |      True
 role1 |    role1 | <keyspace cycling> |  AUTHORIZE |    True |       True |     False
 role2 |    role2 | <keyspace cycling> |     CREATE |    True |      False |     False
 role3 |    role3 | <keyspace cycling> |       DROP |   False |      False |      True
 role3 |    role3 | <keyspace cycling> |     UPDATE |    True |      False |     False

(5 rows)

Output columns

Column Description

Column	Description
`role`	The name of the role that the permission was granted or authorized on.
`username`	If the role is associated with a legacy user account the user name displays, else the role name displays.
`resource`	The resource name in angle brackets.
`permission`	The name of the permission. When `ALL PERMISSIONS` is used, each type of permission associated with the resource is granted.
`granted`	`True` - Execute commands granted by the permission on the resource. When `AUTHORIZE` is granted equals true, the users with the role can grant other permissions that have granted to them on the resource to other roles. `False` - Users cannot execute the permission commands.
`restricted`	`True` - Denies execution of the commands associated with the permission on the resource even if granted is true. If grantable is true, users with the role can still AUTHORIZE roles other than their own. `False` - Users can execute commands that have granted equal to true.
`grantable`	`True` - Allows grant or revoke of the permission on the resource to another role, other than any of their own roles. `False` - `AUTHORIZE` FOR permission has not been granted.

role

The name of the role that the permission was granted or authorized on.

username

If the role is associated with a legacy user account the user name displays, else the role name displays.

resource

The resource name in angle brackets.

permission

The name of the permission. When ALL PERMISSIONS is used, each type of permission associated with the resource is granted.

granted

True - Execute commands granted by the permission on the resource. When AUTHORIZE is granted equals true, the users with the role can grant other permissions that have granted to them on the resource to other roles.
False - Users cannot execute the permission commands.

restricted

True - Denies execution of the commands associated with the permission on the resource even if granted is true. If grantable is true, users with the role can still AUTHORIZE roles other than their own.
False - Users can execute commands that have granted equal to true.

grantable

True - Allows grant or revoke of the permission on the resource to another role, other than any of their own roles.
False - AUTHORIZE FOR permission has not been granted.

Example

All permissions for all roles and resources

List permissions given to all the roles on all resources:

LIST ALL PERMISSIONS;

Individual role permissions

List all permissions given to sam:

LIST ALL PERMISSIONS OF sam;

Results

All permissions on a resource

List all permissions on the cyclist_name table:

LIST ALL PERMISSIONS ON cycling.cyclist_name OF team_manager;

Output is:

LIST PERMISSIONS

Syntax

Parameters

Access control matrix tables

Data resources

Resource permissions

List output

Example

All permissions for all roles and resources

Individual role permissions

All permissions on a resource

Was this helpful?

Give Feedback