Implementing separation of duties

Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.

Assigning permission management privileges

In order for administrators and others to use or to permissions on a resource, their role must have one of the following permissions on the object:

AUTHORIZE granted is true - Manage any permissions that has been granted on the resource; the role also allows the user to execute the CQL commands that correspond to the permission.
For example, the admin role that has both authorize and select on the all keyspaces resource.
```
GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;
```
Users with the role can GRANT AND REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:
```
LIST ALL PERMISSIONS OF admin;
```
```
role   | username | resource        | permission | granted | restricted | grantable
-------+----------+-----------------+------------+---------+------------+-----------
 admin |  dbadmin | <all keyspaces> |     SELECT |    True |      False |     False
 admin |  dbadmin | <all keyspaces> |  AUTHORIZE |    True |      False |     False
```

grantable is true for a permission - Manage only the specified permission for other roles, which are not assigned to them. The related commands are executable if granted is also true.

For example, to allow the sec_admin to GRANT and REVOKE permissions for other roles but not access the data in all keyspaces:

GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE 
ON ALL KEYSPACES
TO sec_admin;

Verify the permissions:

LIST ALL PERMISSIONS OF sec_admin;

Granted is false and grantable true.

 role      | username   | resource        | permission | granted | restricted | grantable
-----------+------------+-----------------+------------+---------+------------+-----------
 sec_admin |  sec_admin | <all keyspaces> |     CREATE |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |      ALTER |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |       DROP |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |     MODIFY |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |   DESCRIBE |   False |      False |      True

Tip: Roles that are granted ALL PERMISSIONS can delegate resource permission to all roles. When a user creates an object, they are automatically granted ALL PERMISSIONS.

Restriction: The following rules apply when managing roles and access to database objects:

Creating a new role requires CREATE granted on ALL ROLES.
GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR permission_name) on the resource.
Users can not modify their own role properties LOGIN and SUPERUSER. Prevents users with ALTER permissions from making their own account a SUPERUSER or creating a role with a higher level of permission.

Authorize syntax

Use the following to allow the role to and

AUTHORIZE and any other permission that has been granted to them on the resource.

GRANT AUTHORIZE 
ON (ALL KEYSPACES | TABLE table_name | 'filter_string' ROWS IN table_name)
TO role_name;

Only the listed permissions.

GRANT AUTHORIZE FOR permission_list
ON resource_name 
TO role_name;


Type	Permissions	Resources
Data	`ALTER` `CREATE` `DESCRIBE` `DROP` `MODIFY` `SELECT`	`ALL KEYSPACES` `KEYSPACE` `keyspace_name` `TABLE table_name` `'filtering_data' ROWS IN table_name`
Functions	ALTER CREATE DROP EXECUTE	ALL FUNCTIONS ALL FUNCTIONS IN KEYSPACE `keyspace_name` FUNCTION `function_name` ( `argument_types` )
Search indexes	SEARCH.ALTER SEARCH.COMMIT SEARCH.CREATE SEARCH.DROP SEARCH.REBUILD SEARCH.RELOAD	ALL SEARCH INDICES SEARCH INDEX [`keyspace_name.`]`table_name`
Roles	ALTER CREATE DESCRIBE DROP	ALL ROLES ROLE `role_name`
Proxy role	PROXY.EXECUTE PROXY.LOGIN	ROLE `role_name`
Authentication Scheme	EXECUTE	ALL AUTHENTICATION SCHEMES LDAP SCHEME KERBEROS SCHEME INTERNAL SCHEME
MBeans	DESCRIBE, EXECUTE, MODIFY, and SELECT	ALL MBEANS > MBEANS `pattern` > MBEAN `name`
Spark applications	CREATE DESCRIBE	ANY WORKPOOL > WORKPOOL `datacenter_name`
Spark applications	MODIFY DESCRIBE	ANY SUBMISSION ANY SUBMISSION IN WORKPOOL `datacenter_name` SUBMISSION `id` IN WORKPOOL `datacenter_name`
Remote calls	EXECUTE	ALL REMOTE CALLS > REMOTE OBJECT `object_name` > REMOTE METHOD `object_name`.`method_name`

Delegating role management permissions

When the AUTHORIZE is granted to a role, the target role can delegate any permission it has on the resource to other roles (including itself).
```
GRANT AUTHORIZE ON ALL ROLES 
TO role_name;
```
The permission shows as granted when the role's permission are listed.
Tip: When ALL PERMISSIONS are granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.
ROLE
```
GRANT permission[, permission ...] 
ON ROLE role_name 
TO role_name;
```
where permissions ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP

Table 1. Authorization
Permission	Resource
AUTHORIZE	ALL ROLES	and the permissions the issuing role has been granted on the role.
AUTHORIZE FOR `permission_list`	ALL ROLES	and the listed permissions.
AUTHORIZE	ROLE `name`	and the permissions the issuing role has been granted on the role.
AUTHORIZE FOR `permission_list`	ROLE `name`	and the listed permissions.

Delegating resource management permissions

Authentication schemes

Delegate privileges to administrators that manage roles.
```
GRANT AUTHORIZE [FOR EXECUTE] 
ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME)
TO role_name;
```
- AUTHORIZE - Allows role to delegate the AUTHORIZE permission and if EXECUTE is also granted, the role can delegate execute permissions.
- AUTHORIZE FOR EXECUTE - Allows role to delegate which other roles can assign scheme permissions without changing their own login scheme.

Manage access

Set up roles that can manage permissions on objects.

Set up roles that can manage permissions on objects without access permission.

Procedure

Create a role. For example securty_admin.
```
CREATE ROLE security_admin;
```

Allow the role to manage roles:

GRANT ALTER, CREATE, DROP, DESCRIBE
ON ALL ROLES 
TO security_admin;

Allow authorization for all permissions with no access privileges.
- Data resources
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ALL KEYSPACES 
TO security_admin;
```
  which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles.
- Functions and aggregate resources
```
GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL FUNCTIONS 
TO security_admin;
```
  which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles.
- Search indexes
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ALL SEARCH INDICES 
TO security_admin;
```
  which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT to other roles.
- Roles
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ALL ROLES 
TO security_admin;
```
  which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles.
- Authentication scheme resources
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ALL AUTHENTICATION SCHEMES 
TO security_admin;
```
  which allows the role to grant AUTHORIZE and EXECUTE permission to other roles.
- JMX resources (MBeans) for DSE utilities
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ALL MBEANS 
TO security_admin;
```
  which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles.
- Analytic applications
  - WORKPOOLS
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ANY WORKPOOL 
TO security_admin;
```
    which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles.
  - SUBMISSIONS
```
GRANT AUTHORIZE FOR ALL PERMISSIONS 
ON ANY SUBMISSION 
TO security_admin;
```
    which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles.
- Remote procedure calls
```
GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL REMOTE CALLS
TO security_admin;
```
Assign role depending on the Role Management mode:
- Internal - Use the GRANT command to assign role to a login or another group role.
```
GRANT security_admin TO login_role_name;
```
- LDAP - Create a group object with matching CN (securty_admin) and assign users as members of the group.