Add database users

A user account stored in the Hyper-Converged Database (HCD) database is a role that has a login and password or hashed password.

Enable the internal scheme in the authenticator.parameters section of the cassandra.yaml configuration file.

By default, authentication is disabled in HCD. You must enable it by setting enabled: true in the authenticator parameters before creating database users.

Create a role

  1. Create a role with login enabled and an internally stored password:

    CREATE ROLE <role_name>
WITH LOGIN = true
AND PASSWORD = '<password_string>';

    where:

    • <role_name>: The user name for authentication. Enclose the role names that include uppercase or special characters in double quotes.

    • LOGIN = true: Allows the role to access the database.

    • PASSWORD = '<default_password>': Stored internally for database managed accounts.

    • Optional: superuser = true: Gives full access to all database objects to the user. See Add a superuser login.

  2. Each user can change their own password with the ALTER ROLE command.

    1. User logs in with their role name:

      cqlsh -u <role_name> -p <default_password>

    2. Changes the password:

      ALTER ROLE <role_name>
WITH password = '<newpassword>';

Next steps

Assign permissions to the role, see Assign permissions.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM