About database objects permissions

Overview of the database resource hierarchy and the permissions.

DataStax Enterprise supports role-based access control (RBAC) to ensure only authorized users can access database resources.

After creating a role, use the following CQL commands to manage permissions:
  • GRANT allows access
  • REVOKE removes access that has been granted
  • RESTRICT explicitly denies access even if permission is granted directly or inherited
  • UNRESTRICT removes a restriction
Note: Restrict always take precedence over grant, including access that is inherited or automatically granted to a superuser role. Only superusers can restrict access.

Resource permissions

The following sections shows the relationship between privileges and resources, and describes the resulting permissions. The DataStax Enterprise database role based access control uses modelled hierarchy. Granting a privilege to a top level objects gives the role the same permission to all of the ancestors objects.

Permissions differ between object types.