Data Resources

Data resources are keyspaces, types, table, and rows. Access is controlled using modelled hierarchy. Granting and revoking a privilege on a top-level object automatically allows the same permission on all ancestors.

Data resources have the following hierarchy:

cql data resources

Synopsis

Use the following syntax for data resource access control:

ALL KEYSPACES syntax:
```
GRANT <permission>[, <permission> ...]
ON **ALL KEYSPACES**
TO <role_name>;
```
Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
KEYSPACE syntax:
```
GRANT <permission>[, <permission> ...]
ON **KEYSPACE <keyspace_name>**
TO <role_name>;
```
Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.

User-defined type access control is the same as the privilege the role has on the keyspace.

TABLE syntax:

GRANT <permission>[, <permission> ...]
ON [TABLE] **<keyspace_name>.<table_name>**
TO <role_name>;

Where privileges are ALL PERMISSIONS, DROP, MODIFY, and SELECT.

ROWS syntax:

GRANT <permission>[, <permission> ...]
ON **'<filter_text>' ROWS IN <keyspace_name>.<table_name>**
TO role_name;

Where privileges are ALL PERMISSIONS, MODIFY and SELECT.

Row-level access control (RLAC) is disabled by default. To use RLAC, set allow_row_level_security parameter to true in the dse.yaml file.

The location of this dse.yaml configuration file depends on the type of installation:

Package installations: /etc/dse/dse.yaml
Tarball installations: <installation_location>/resources/dse/conf/dse.yaml

Permission matrix

The following table describes the CQL statements enabled on the resource when a privilege is granted to a role :

Privilege type Resource names Permissions

ALL PERMISSIONS

CREATE KEYSPACE and DROP KEYSPACE, as well as all permissions on ancestor objects described in CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, MODIFY, and SELECT privilege.

ALL PERMISSIONS

ALTER, AUTHORIZE, DESCRIBE, and SELECT privileges on the keyspace and CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, and SELECT privileges on types, tables, and rows.

ALL PERMISSIONS

MODIFY, SELECT, and AUTHORIZE privileges on the table and all privileges on rows.

ALL PERMISSIONS

MODIFY and SELECT privileges on the rows that match the filtering text.

ALTER

ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROWS, and UNRESTRICT ROWS.

ALTER

ALTER

ALTER TABLE, RESTRICT ROWS, and UNRESTRICT ROWS.

CREATE

CREATE KEYSPACE, CREATE TABLE and CREATE TYPE.

Note: Creating a resource automatically grants AUTHORIZE permission to the role that created it.

CREATE

CREATE TABLE and CREATE TYPE in specified keyspace.

CREATE

CREATE TABLE in specified keyspace.

DESCRIBE

DESCRIBE KEYSPACE, DESCRIBE TABLE, and DESCRIBE TYPE in any keyspace

DESCRIBE

DESCRIBE KEYSPACE, DESCRIBE TABLE, and DESCRIBE TYPE, and DESCRIBE FUNCTION, and DESCRIBE AGGREGATE in specified keyspace

DROP

DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace

DROP

DROP TABLE, and DROP TYPE in specified keyspace

DROP

MODIFY

INSERT, UPDATE, DELETE and TRUNCATE on all tables.

MODIFY

INSERT, UPDATE, DELETE and TRUNCATE on any table in specified keyspace.

MODIFY

INSERT, UPDATE, DELETE and TRUNCATE on specified table. See note for tables with materialized views (MVs).

MODIFY

INSERT, UPDATE, DELETE on the partition that matches the <filtering_data> for the table.

SELECT

SELECT on any table.

SELECT

SELECT on any table in specified keyspace.

SELECT

SELECT on specified table.

SELECT

SELECT on rows that exactly match the <filtering_data> in specified table.

To modify a base table that has a materialized view (MV) using an INSERT or UPDATE command if access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table.

Was this helpful?