Creating roles for LDAP mode

When Role Management mode is set to LDAP, the DataStax Enterprise Role Manager looks up the user in LDAP and returns a list of groups. The group lookup is configured in the ldap_options.

The following rules apply:

  • LDAP group name to role name matching is case sensitive and must exactly match the value in the group name attribute.

  • One or more of the user’s LDAP group names must match a role to allow CQL requests.

  • At least one role matching the user’s group must have LOGIN enabled.

  • Any user that is a member of an LDAP group that matches a role name is assigned a role.

  • Create a role for each LDAP group that has a distinct permission set.

DSE disables nested roles when LDAP mode is selected; using GRANT <role_name> TO <role_name> results in an error.

DSE supports looking up users whose name matches the user name filter for LDAP but authenticated with a different method such as internal or Kerberos. Typically, a Kerberos full principal name matches the user’s email address. To use Kerberos authentication with LDAP group lookup specify the user attribute that matches the Kerberos principal name in the LDAP user filter, for example mail: {0}.

All permissions granted to roles that reflect LDAP groups to which the user belongs – directly or indirectly – are inherited. The inherited permissions include login permission, scheme permissions, proxy execution permissions, and object permissions.


These instructions apply to environments that have the following settings:

  • Authenticator, authorizer, and role manager in the cassandra.yaml file:

    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
    authorizer: com.datastax.bdp.cassandra.auth.DseAuthorizer
    role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager
  • Authentication, role management, and authorization options in the dse.yaml file:

     default_scheme: ldap
       - kerberos
       - internal
     enabled: true
     mode: ldap


  1. Create a role.

    This examples shows a role for users in the analyst LDAP group:

    CREATE ROLE analyst WITH LOGIN = true;

    Superusers can grant and revoke permissions to any role but their own.

  2. Bind the assignment to the LDAP authentication scheme:

    GRANT EXECUTE on LDAP SCHEME to analyst;

    Enclose the role name in single quotes to use uppercase, the name is case sensitive.

    Role manager only assigns the role to users that authenticated with the LDAP scheme. Only required when scheme_permissions is set to true.

  3. Allow SELECT in cycling keyspace:

    GRANT SELECT on KEYSPACE cycling to analyst;

    Any user in the analyst group can query all tables in the cycling keyspace.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,