Implementing Separation of Duties

Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.

Assigning permission management privileges

In order for administrators and others to use GRANT or REVOKE to permissions on a resource, their role must have one of the following permissions on the object:

AUTHORIZE granted is true - Manage any permissions that has been granted on the resource; the role also allows the user to execute the CQL commands that correspond to the permission.

For example, the admin role that has both authorize and select on the all keyspaces resource.

GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;

Users with the role can GRANT AND REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:

LIST ALL PERMISSIONS OF admin;

role   | username | resource        | permission | granted | restricted | grantable
-------+----------+-----------------+------------+---------+------------+-----------
 admin |  dbadmin | <all keyspaces> |     SELECT |    True |      False |     False
 admin |  dbadmin | <all keyspaces> |  AUTHORIZE |    True |      False |     False

grantable is true for a permission - Manage only the specified permission for other roles, which are not assigned to them. The related commands are executable if granted is also true.

For example, to allow the sec_admin to GRANT and REVOKE permissions for other roles but not access the data in all keyspaces:

GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE
ON ALL KEYSPACES
TO sec_admin;

Verify the permissions:

LIST ALL PERMISSIONS OF sec_admin;

Granted is false and grantable is true.

 role      | username   | resource        | permission | granted | restricted | grantable
-----------+------------+-----------------+------------+---------+------------+-----------
 sec_admin |  sec_admin | <all keyspaces> |     CREATE |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |      ALTER |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |       DROP |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |     MODIFY |   False |      False |      True
 sec_admin |  sec_admin | <all keyspaces> |   DESCRIBE |   False |      False |      True

Roles that are granted ALL PERMISSIONS can delegate resource permission to all roles. When a user creates an object, they are automatically granted ALL PERMISSIONS.

Restriction: The following rules apply when managing roles and access to database objects:

Creating a new role requires CREATE granted on ALL ROLES.
GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR <permission_name>) on the resource.
Users can not modify their own role properties LOGIN and SUPERUSER. Prevents users with ALTER permissions from making their own account a SUPERUSER or creating a role with a higher level of permission.

Authorize syntax

Use the following code to allow the role to GRANT and REVOKE

AUTHORIZE and any other permission that has been granted to them on the resource.

GRANT AUTHORIZE
ON (ALL KEYSPACES | TABLE <table_name> | '<filter_string>' ROWS IN <table_name>)
TO <role_name>;

Only the listed permissions.

GRANT AUTHORIZE FOR <permission_list>
ON <resource_name>
TO <role_name>;

Type Permissions Resources

Type	Permissions	Resources
Data	`ALTER` `CREATE` `DESCRIBE` `DROP` `MODIFY` `SELECT`	`ALL KEYSPACES` `KEYSPACE` <keyspace_name> `TABLE <table_name>` `'<filtering_data>' ROWS IN <table_name>`
Functions	ALTER CREATE DROP EXECUTE	ALL FUNCTIONS ALL FUNCTIONS IN KEYSPACE <keyspace_name> FUNCTION <function_name> ( <argument_types> )
Search indexes	SEARCH.ALTER SEARCH.COMMIT SEARCH.CREATE SEARCH.DROP SEARCH.REBUILD SEARCH.RELOAD	ALL SEARCH INDICES SEARCH INDEX [<keyspace_name>.]<table_name>
Roles	ALTER CREATE DESCRIBE DROP	ALL ROLES ROLE <role_name>
Proxy role	PROXY.EXECUTE PROXY.LOGIN	ROLE <role_name>
Authentication Scheme	EXECUTE	ALL AUTHENTICATION SCHEMESLDAP SCHEME KERBEROS SCHEME INTERNAL SCHEME
MBeans	DESCRIBE, EXECUTE, MODIFY, and SELECT	ALL MBEANS > MBEANS <pattern> > MBEAN <name>
Spark applications	CREATE DESCRIBE	ANY WORKPOOL > WORKPOOL <datacenter_name>
MODIFY DESCRIBE	ANY SUBMISSION ANY SUBMISSION IN WORKPOOL <datacenter_name> SUBMISSION id IN WORKPOOL <datacenter_name>
Remote calls	EXECUTE	ALL REMOTE CALLS > REMOTE OBJECT <object_name> > REMOTE METHOD <object_name>.<method_name>

Data

ALTER

CREATE

DESCRIBE

DROP

MODIFY

SELECT

ALL KEYSPACES

KEYSPACE <keyspace_name>

TABLE <table_name>

'<filtering_data>' ROWS IN <table_name>

Functions

ALL FUNCTIONS

ALL FUNCTIONS IN KEYSPACE <keyspace_name>

FUNCTION <function_name> ( <argument_types> )

Search indexes

SEARCH.ALTER

SEARCH.COMMIT

SEARCH.CREATE

SEARCH.DROP

SEARCH.REBUILD

SEARCH.RELOAD

ALL SEARCH INDICES

SEARCH INDEX [<keyspace_name>.]<table_name>

Roles

ALTER

CREATE

DESCRIBE

DROP

ALL ROLES

ROLE <role_name>

Proxy role

PROXY.EXECUTE

PROXY.LOGIN

ROLE <role_name>

Authentication Scheme

EXECUTE

ALL AUTHENTICATION SCHEMESLDAP SCHEME

KERBEROS SCHEME

INTERNAL SCHEME

MBeans

DESCRIBE, EXECUTE, MODIFY, and SELECT

ALL MBEANS > MBEANS <pattern> > MBEAN <name>

Spark applications

CREATE

DESCRIBE

ANY WORKPOOL > WORKPOOL <datacenter_name>

MODIFY

DESCRIBE

ANY SUBMISSION

ANY SUBMISSION IN WORKPOOL <datacenter_name>

SUBMISSION id IN WORKPOOL <datacenter_name>

Remote calls

EXECUTE

ALL REMOTE CALLS > REMOTE OBJECT <object_name> > REMOTE METHOD <object_name>.<method_name>

Delegating role management permissions

When the AUTHORIZE is granted to a role, the target role can delegate any permission it has on the resource to other roles (including itself).
```
GRANT AUTHORIZE ON ALL ROLES
TO <role_name>;
```
The permission shows as granted when the role’s permission are listed.

When ALL PERMISSIONS is granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.
ROLE
```
GRANT <permission>[, <permission> ...]
ON ROLE <role_name>
TO <role_name>;
```
where <permission> values are ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP

Authorization
Permission	Resource
AUTHORIZE	ALL ROLES	GRANT and REVOKE the permissions the issuing role has been granted on the role.
AUTHORIZE FOR permission_list	ALL ROLES	GRANT and REVOKE the listed permissions.
AUTHORIZE	ROLE <name>	GRANT and REVOKE the permissions the issuing role has been granted on the role.
AUTHORIZE FOR permission_list	ROLE <name>	GRANT and REVOKE the listed permissions.

Delegating resource management permissions

Authentication schemes

Delegate privileges to administrators that manage roles.
```
GRANT AUTHORIZE [FOR EXECUTE]
ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME)
TO <role_name>;
```
- AUTHORIZE - Allows role to delegate the AUTHORIZE permission and if EXECUTE is also granted, the role can delegate execute permissions.
- AUTHORIZE FOR EXECUTE - Allows role to delegate which other roles can assign scheme permissions without changing their own login scheme.

Manage access

Set up roles that can manage permissions on objects without access permission.

Procedure

Create a role. For example securty_admin.
```
CREATE ROLE security_admin;
```

Allow the role to manage roles:

GRANT ALTER, CREATE, DROP, DESCRIBE
ON ALL ROLES
TO <security_admin>;

Allow authorization for all permissions with no access privileges.
- Data resources
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL KEYSPACES TO <security_admin>;
  which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles.
- Functions and aggregate resources
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL FUNCTIONS TO <security_admin>;
  which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles.
- Search indexes
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL SEARCH INDICES TO <security_admin>;
  which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT to other roles.
- Roles
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL ROLES TO <security_admin>;
  which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles.
- Authentication scheme resources
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL AUTHENTICATION SCHEMES TO <security_admin>;
  which allows the role to grant AUTHORIZE and EXECUTE permission to other roles.
- JMX resources (MBeans) for DSE utilities
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL MBEANS TO <security_admin>;
  which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles.
- Analytic applications
  - WORKPOOLS
    
    GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY WORKPOOL TO <security_admin>;
    
    which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles.
  - SUBMISSIONS
    
    GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY SUBMISSION TO <security_admin>;
    
    which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles.
- Remote procedure calls
  GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL REMOTE CALLS TO <security_admin>;
Assign role depending on the Role Management mode:
- Internal - Use the GRANT command to assign role to a login or another group role.
  GRANT security_admin TO <login_role_name>;
- LDAP - Create a group object with matching Common Name (CN) (securty_admin) and assign users as members of the group.

Implementing Separation of Duties

Assigning permission management privileges

Authorize syntax

Delegating role management permissions

Delegating resource management permissions

Manage access

Procedure

Was this helpful?

Give Feedback