Object permissions

Granting or revoking privileges on database resources.

Object permissions may be assigned using the authorization mechanism for the following objects:
  • keyspace
  • table
  • function
  • aggregate
  • roles
  • MBeans

Authenticated roles with passwords stored in the database are granted selective access. The permissions are stored in tables.

Permission is configurable for CQL commands CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE, which are used to interact with the database. The EXECUTE command may be used to grant permission to a role for the SELECT, INSERT, and UPDATE commands. In addition, the AUTHORIZE command may be used to grant permission for a role to GRANT, REVOKE, or AUTHORIZE another role's permissions.
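
As an added illustration (not part of the original page), the following CQL sets up three least-privilege roles and grants permissions on each kind of resource listed above. The keyspace, table, function, role names and passwords are constructed placeholders, and the statements assume that password authentication and authorization are enabled on the cluster.

```cql
-- Constructed names: keyspace inventory, table inventory.orders,
-- function inventory.to_cents(double), roles report_reader,
-- app_writer and perm_admin. Passwords are placeholders.

-- Roles that log in with a password stored in the database.
CREATE ROLE report_reader WITH PASSWORD = 'placeholder-1' AND LOGIN = true;
CREATE ROLE app_writer    WITH PASSWORD = 'placeholder-2' AND LOGIN = true;
CREATE ROLE perm_admin    WITH PASSWORD = 'placeholder-3' AND LOGIN = true;

-- report_reader: read-only access to a single table.
GRANT SELECT ON TABLE inventory.orders TO report_reader;

-- app_writer: read and write one table (MODIFY covers data changes),
-- but no CREATE, ALTER or DROP on the schema.
GRANT SELECT ON TABLE inventory.orders TO app_writer;
GRANT MODIFY ON TABLE inventory.orders TO app_writer;

-- EXECUTE is granted on a function or aggregate; it lets the role
-- call that function inside SELECT, INSERT and UPDATE statements.
GRANT EXECUTE ON FUNCTION inventory.to_cents(double) TO app_writer;

-- perm_admin: may GRANT and REVOKE permissions on the keyspace
-- without being a superuser.
GRANT AUTHORIZE ON KEYSPACE inventory TO perm_admin;

-- Roles and MBeans are resources as well.
GRANT DESCRIBE ON ALL ROLES TO perm_admin;
GRANT DESCRIBE ON ALL MBEANS TO perm_admin;

-- Withdraw a permission that is no longer needed.
REVOKE MODIFY ON TABLE inventory.orders FROM app_writer;

-- Audit the result: what a role holds, and who can touch a table.
LIST ALL PERMISSIONS OF app_writer;
LIST ALL PERMISSIONS ON TABLE inventory.orders;
```

Running the two LIST statements after every change is a quick way to confirm that no role holds more than it was meant to.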

Read access to these system tables is implicitly given to every authenticated user or role because the tables are used by most tools:

  • system_schema.keyspaces
  • system_schema.columns
  • system_schema.tables
  • system.local
  • system.peers