Manage roles and permissions

Users can access databases, and applications can access them via the APIs.

To grant a user access to a database, you assign a role to a user using CQL.

About roles

A role defines the level of access that a user or application has to a database. No role other than the default cassandra superuser is set up by default. All roles that will be used to access the database must be created by the database administrator.

All roles consist of:

  • A name

  • A set of permissions

  • A set of database and keyspace scopes

For example, you could assign one role to a user that grants access to a set of databases and another role to an application that grants access to a specific set of keyspaces. This system allows you to mix and match access levels to different databases and keyspaces to satisfy your application and security requirements.

Default roles

The only default role is the cassandra superuser role. This role has full access to all databases and keyspaces in the database. It is recommended that you do not use the cassandra role for regular user access, and that you create a custom superuser immediately after creating a keyspace. Once you have created a custom superuser, you can delete the cassandra role from the keyspace.

To limit the databases a role can access, you must create a custom role.

Custom roles

Custom roles are generally managed by a superuser. You can create custom roles to grant specific permissions to roles using CQL. See Create roles for more information.

You can add permissions to both keyspaces and tables.

See Grant permissions for more information.

Alter a role

You can alter a role to change its permissions or scope. See Alter role or Revoke permissions for more information.

Delete a custom role

You can delete a role entirely. See Drop role for more information.

About permissions

Permissions define resources and actions that can be accessed in a database. Permissions are assigned to roles and determine the level of access that a user or application has to a database.

You can view the currently assigned permissions for a role using the LIST PERMISSIONS command in CQL. See List permissions for more information.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000,