About permissions

Permissions control access to database resources.

After creating a role, use GRANT and REVOKE to control access to CQL database resources.

Available permissions

Permissions are granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:

  • ALL PERMISSIONS
  • ALTER
  • AUTHORIZE
  • CREATE
  • DESCRIBE
  • DROP
  • EXECUTE
  • MODIFY
  • PROXY.EXECUTE
  • PROXY.LOGIN
  • SEARCH.ALTER
  • SEARCH.COMMIT
  • SEARCH.CREATE
  • SEARCH.DROP
  • SEARCH.REBUILD
  • SEARCH.RELOAD
  • SELECT
  • role_name

Database resource structure

DataStax Enterprise database resources are the objects to which permissions are applied, and they form a hierarchy. Granting a permission on a resource higher in the chain automatically grants that same permission on every resource below it.

Note: Not all privileges apply to every type of resource. For instance, EXECUTE is only relevant in the context of functions, MBeans, RPC, and authentication schemes. Attempting to grant a privilege on a resource to which that permission does not apply results in an error.
Available objects:
Functions
  • ALL FUNCTIONS
    • ALL FUNCTIONS IN KEYSPACE keyspace_name
      • FUNCTION keyspace_name.function_name
Data
  • ALL KEYSPACES
    • KEYSPACE keyspace_name
      • TABLE table_name
        • Rows ('filtering_data' ROWS IN table_name )
        • Indexes (other than search indexes) belong to a table but permission cannot be directly assigned. ALTER permission on a table allows users to CREATE and DROP indexes.
      • Types belong to a keyspace, but permissions cannot be assigned to them directly. To let a role manage types, grant CREATE, DROP, or ALTER on the keyspace; note that this also gives the role the same permissions on the keyspace's tables.
Search index
  • ALL SEARCH INDICES
    • SEARCH INDICES [keyspace_name.]table_name
JMX
  • ALL MBEANS
    • MBEAN mbean_name
      • MBEANS pattern
Roles
  • ALL ROLES
    • ROLE role_name
    Note: Roles are both an assignable permission set and a database resource. GRANT role_name TO role_name gives all the permissions of the first role in the statement to the second role. Use roles to create your own hierarchical permissions structures.
Remote procedure calls (RPC)
  • ALL OBJECTS
    • OBJECT object_name
      • METHOD
Authentication schemes
  • ALL SCHEMES
    • (LDAP | KERBEROS | INTERNAL) SCHEME
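The following CQL session is an added example, not taken from the DataStax documentation, that walks the resource hierarchy above: a keyspace-level grant that inherits down to every table, a table-level grant that does not, an EXECUTE grant on a function and on an authentication scheme, and a role granted to another role as described in the Roles note. The keyspace app_ks, the table app_ks.events, the function app_ks.fn_mask(text), and the roles app_reader, app_writer, and alice are constructed placeholder names.

```cql
-- Added example (not from the DataStax page). All object and role names
-- below are constructed placeholders.

-- Roles are the grantee. Login-less roles hold a permission set that is
-- later handed to login roles, which keeps individual grants to a minimum.
CREATE ROLE app_reader WITH LOGIN = false;
CREATE ROLE app_writer WITH LOGIN = false;

-- Higher in the hierarchy: SELECT on the keyspace covers every table in it,
-- including tables created after this statement runs.
GRANT SELECT ON KEYSPACE app_ks TO app_reader;

-- Lower in the hierarchy: MODIFY on one table only. Other tables in app_ks
-- remain unwritable for this role, which is the least-privilege choice.
GRANT MODIFY ON TABLE app_ks.events TO app_writer;

-- Indexes are not grantable resources; ALTER on the table is what allows a
-- role to CREATE and DROP the table's (non-search) indexes.
GRANT ALTER ON TABLE app_ks.events TO app_writer;

-- EXECUTE applies only to functions, MBeans, RPC objects and schemes.
-- Granting EXECUTE on a table or keyspace is rejected with an error.
GRANT EXECUTE ON FUNCTION app_ks.fn_mask(text) TO app_reader;

-- A login role for a person; the password is a placeholder.
CREATE ROLE alice WITH PASSWORD = 'replace-me' AND LOGIN = true;

-- Authentication schemes are resources too: allow alice to log in through
-- the internal scheme.
GRANT EXECUTE ON INTERNAL SCHEME TO alice;

-- Roles are both a permission set and a resource: granting a role to
-- another role hands over the whole set, which builds the hierarchy.
GRANT app_reader TO alice;
GRANT app_writer TO alice;

-- Check the effective permissions of a role after each change.
LIST ALL PERMISSIONS OF alice;

-- Tightening: revoking from app_writer removes MODIFY from every role that
-- was granted app_writer, so one REVOKE corrects all of them at once.
REVOKE MODIFY ON TABLE app_ks.events FROM app_writer;
LIST ALL PERMISSIONS OF alice;
```

Granting at the keyspace level is convenient but also means any table added to app_ks later is readable by app_reader without a further decision; where that is not wanted, grant per table and re-check with LIST ALL PERMISSIONS after schema changes.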