Add roles for Kerberos principals

When using Role Management mode internal, create a role that matches the user’s principal name. This allows them to log in and execute CQL requests.

DSE supports Kerberos authentication with LDAP role management when the principal name matches the email address attribute of the LDAP user. Configure the group lookup with the user_memberof_attribute option.

  1. Create a role that matches the principal name, including the Kerberos REALM, with login enabled:

    CREATE ROLE "<user_name@REALM>"
WITH LOGIN = true;

    • <user_name@REALM>: The complete user principal name. Always enclose the role names that include uppercase or special characters in double quotes.

    • LOGIN = true: Allows the role to access the database.

    • SUPERUSER = true (optional): Gives full access to all database objects to the user. See Adding a superuser login.

  2. Bind the assignment to an authentication scheme:

    GRANT EXECUTE
ON KERBEROS SCHEME
TO '<user_name@REALM>';

    Enclose the role name in single quotes. The name is case-sensitive.

  3. To allow another role to manage the new role:

    GRANT AUTHORIZE FOR ALTER, DROP
ON <new_role_name>
TO <management_role>;

    All superusers have AUTHORIZE permissions on all roles. The role that created the role is also granted all permissions on that role.

  4. Assign permissions to the role.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM