Restricting Access to Data

The RESTRICT command denies permission on a resource to the role. The user is denied access even if the privilege has been granted directly to the role or if it was inherited.

However, regardless of how you use RESTRICT, an account with the superuser role has full read/write access to the database. If your goal is that certain database administrators should not be able to see or modify data, do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data.

Use UNRESTRICT to remove any restrictions the role has on the database resource.

GRANT and REVOKE only allow access to database resources that are UNRESTRICT.

Procedure

Log in to CQLSH with a superuser role.
```
cqlsh -u <username>
```
Logging in with the default role cassandra may impact performance or fail. All requests including login are executed with consistency QUORUM.
Create an account with login enabled, but do not give this db_admin account the superuser role.
```
CREATE ROLE IF NOT EXISTS db_admin
WITH superuser = false
AND login = true
AND password = 'anypasswordwilldo';
```
A password is required for internal accounts but not for LDAP or Kerberos.

Restrict the role from accessing the data in the cycling keyspace:

RESTRICT TRUNCATE, UPDATE, SELECT
ON KEYSPACE cycling
TO db_admin;

Verify the restriction:

SELECT role, resource, restricted
FROM system_auth.role_permissions 
WHERE role = 'db_admin';

The results show the permissions denied to the role.

 role     | resource     | restricted
----------+--------------+----------------------
 db_admin | data/cycling | {'MODIFY', 'SELECT'}

(1 rows)

Restricting Access to Data

Procedure

Was this helpful?

Give Feedback