Manage access

Set up roles that can manage permissions on objects without access permission.

Procedure

  1. Create a role. For example securty_admin.

    CREATE ROLE security_admin;

  2. Allow the role to manage roles:

    GRANT ALTER, CREATE, DROP, DESCRIBE
ON ALL ROLES
TO <security_admin>;

  3. Allow authorization for all permissions with no access privileges.

    • Data resources

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL KEYSPACES
TO <security_admin>;

      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles.

    • Functions and aggregate resources

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL FUNCTIONS
TO <security_admin>;

      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles.

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL SEARCH INDICES
TO <security_admin>;

      which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT to other roles.

    • Roles

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL ROLES
TO <security_admin>;

      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles.

    • Authentication scheme resources

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL AUTHENTICATION SCHEMES
TO <security_admin>;

      which allows the role to grant AUTHORIZE and EXECUTE permission to other roles.

    • JMX resources (MBeans) for HCD utilities

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL MBEANS
TO <security_admin>;

      which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles.

    • WORKPOOLS

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ANY WORKPOOL
TO <security_admin>;

      which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles.

      • SUBMISSIONS

        GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ANY SUBMISSION
TO <security_admin>;

        which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles.

    • Remote procedure calls

      GRANT AUTHORIZE FOR ALL PERMISSIONS
ON ALL REMOTE CALLS
TO <security_admin>;

  4. Assign role depending on the Role Management mode:

    • Internal - Use the GRANT command to assign role to a login or another group role.

      GRANT security_admin TO <login_role_name>;

    • LDAP - Create a group object with matching Common Name (CN) (securty_admin) and assign users as members of the group.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM