About Database Objects Permissions

DataStax Enterprise (DSE) supports Role-Based Access Control (RBAC) to ensure that only authorized users can access database resources.

After creating a role, use the following CQL commands to manage permissions:

GRANT allows access
REVOKE removes access that has been granted
RESTRICT explicitly denies access even if permission is granted directly or inherited
UNRESTRICT removes a restriction

RESTRICT always take precedence over GRANT, including access that is inherited or automatically granted to a superuser role. Only superusers can restrict access.

Resource permissions

The following sections shows the relationship between privileges and resources, and describes the resulting permissions. The DSE database Role-Based Access Control uses modeled hierarchy. Granting a privilege to a top-level object gives the role the same permission to all of the ancestors objects.

Permissions differ between object types.

Data resources: Syntax for authorizing access to keyspaces, tables, rows, and types.
Functions and aggregate resources: Syntax for authorizing access to user-defined function and aggregate.
Search indexes: Syntax for authorizing access to search indexes.
Roles: Syntax for authorizing role management.
Proxy login and execute: Syntax for authorizing proxy logins and executes.
Authentication scheme resources: Syntax for authorizing roles for an authentication scheme.
JMX resources (MBeans) for DSE utilities: Syntax for authorizing access to MBeans from DSE utilities and third-party tools.
Analytic applications: Syntax for authorizing Apache Spark™ applications.
Remote procedure calls: Syntax for authorizing remote procedure calls.

About Database Objects Permissions

Resource permissions

Was this helpful?

Give Feedback