Manage access
Set up roles that can grant and revoke permissions on resources without holding any access permission on those resources themselves. The DSE GRANT AUTHORIZE FOR statement gives a role the right to delegate a permission it does not hold, which lets you separate security administration (who may grant SELECT on a keyspace) from data access (who may run SELECT against it).
Procedure
- Create a role. For example, security_admin:
    CREATE ROLE security_admin;
- Allow the role to manage roles:
    GRANT ALTER, CREATE, DROP, DESCRIBE ON ALL ROLES TO security_admin;
- Give the role authorization rights over every resource type, without any access privileges. GRANT AUTHORIZE FOR lets security_admin grant (and revoke) the listed permissions on a resource while holding none of them itself. Keep in mind that a role that can delegate a permission can confer it on any role, so treat security_admin as equal in trust to everything it can hand out, and restrict who is granted it.
  - Keyspace and table resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL KEYSPACES TO security_admin;
    which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles.
  - Function and aggregate resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL FUNCTIONS TO security_admin;
    which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles.
  - Search index resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL SEARCH INDICES TO security_admin;
    which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT permission to other roles.
  - Role resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL ROLES TO security_admin;
    which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles.
  - Authentication scheme resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL AUTHENTICATION SCHEMES TO security_admin;
    which allows the role to grant AUTHORIZE and EXECUTE permission to other roles.
  - JMX resources (MBeans) for DSE utilities:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL MBEANS TO security_admin;
    which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles.
  - Workpool resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY WORKPOOL TO security_admin;
    which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles.
  - Submission resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY SUBMISSION TO security_admin;
    which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles.
  - Remote call resources:
      GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL REMOTE CALLS TO security_admin;
- Assign the role according to the Role Management mode in use:
  - Internal: use the GRANT command to assign the role to a login role or to another group role:
      GRANT security_admin TO <login_role_name>;
  - LDAP: create a group object whose Common Name (CN) matches the role name (security_admin) and add users as members of that group.
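The whole procedure as one cqlsh script for internal role management, followed by a check that the separation actually holds: the delegated role can hand out SELECT on a keyspace but cannot read from it. This is an added example, not code from the original page or from DataStax; the login role alice, its password, the keyspace app, the table app.users and the reader role app_reader are assumed names that must exist in your cluster before the verification step.

```cql
-- Added example (not from the original page). Section 1 runs as a superuser.
-- Assumed names: alice (login role), app (keyspace), app.users (table), app_reader (role).

-- 1a. A non-login group role that will carry the delegation rights.
CREATE ROLE security_admin;

-- 1b. Role management: create, alter, drop and inspect roles.
GRANT ALTER, CREATE, DROP, DESCRIBE ON ALL ROLES TO security_admin;

-- 1c. Delegation rights only. None of these statements gives security_admin
--     SELECT, MODIFY or EXECUTE on any resource; it may only grant/revoke them.
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL KEYSPACES TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL FUNCTIONS TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL SEARCH INDICES TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL ROLES TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL AUTHENTICATION SCHEMES TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL MBEANS TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY WORKPOOL TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY SUBMISSION TO security_admin;
GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL REMOTE CALLS TO security_admin;

-- 1d. Internal role management: hand the group role to a login role (assumed: alice).
CREATE ROLE alice WITH PASSWORD = 'change-me' AND LOGIN = true;
GRANT security_admin TO alice;

-- 1e. Audit what was granted before handing over the credentials.
--     Expect only AUTHORIZE FOR entries plus the ALL ROLES management permissions.
LIST ALL PERMISSIONS OF security_admin;
LIST ROLES OF alice;

-- 2. Reconnect to cqlsh as alice and confirm the separation
--    (keyspace app, table app.users and role app_reader are assumed to exist).
GRANT SELECT ON KEYSPACE app TO app_reader;   -- succeeds: alice may delegate SELECT
SELECT * FROM app.users LIMIT 1;              -- rejected as Unauthorized: alice holds no SELECT

-- 3. Back as a superuser: the grant landed on app_reader only, not on alice
--    or security_admin.
LIST ALL PERMISSIONS ON KEYSPACE app;
```

Keep the audit statements in step 1e as part of the onboarding checklist: if LIST ALL PERMISSIONS OF security_admin ever shows a plain SELECT or MODIFY entry rather than an AUTHORIZE FOR entry, someone has collapsed the separation this procedure is meant to enforce.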