Controlling Access to Keyspaces and Tables

Authorize roles to access DataStax Enterprise (DSE) keyspaces and tables using CQL GRANT and REVOKE commands. Keyspaces, tables, and rows are hierarchical. Roles that have a privilege to access a top level object, such as a keyspace automatically have the permission on the child objects (table and rows).

DSE supports this CQL syntax in cqlsh to revoke permissions:

REVOKE <permission_name> ON <resource_name> FROM <role_name>;

Procedure

  • Create a role that has all permissions in all keyspaces:

    CREATE ROLE keyspace_admin;
GRANT ALL PERMISSIONS ON ALL KEYSPACES TO keyspace_admin;

  • Create an administrator role for a single keyspace:

    CREATE ROLE cycling_admin;
GRANT ALL PERMISSIONS ON KEYSPACE cycling to cycling_admin;

  • Create a role that can only make data changes, INSERT, UPDATE, DELETE, and TRUNCATE for any table in the keyspace cycling:

    GRANT MODIFY ON KEYSPACE cycling TO team_manager;

  • Create a role that can only select data and use functions in the cycling keyspace:

    CREATE ROLE cyclist_analyst;
GRANT SELECT ON KEYSPACE cycling TO cyclist_analyst;
GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE cycling to cyclist_analyst;

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com