Implement separation of duties

Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.

Assign permission management privileges

In order for administrators and others to use GRANT or REVOKE to permissions on a resource, their role must have one of the following permissions on the object:

  • AUTHORIZE granted is true: Manage any permissions that has been granted on the resource; the role also allows the user to execute the CQL commands that correspond to the permission.

    For example, the admin role that has both authorize and select on the all keyspaces resource.

    GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;

    Users with the role can GRANT AND REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:

    LIST ALL PERMISSIONS OF admin;
    role   | username | resource        | permission | granted | restricted | grantable
    -------+----------+-----------------+------------+---------+------------+-----------
     admin |  dbadmin | <all keyspaces> |     SELECT |    True |      False |     False
     admin |  dbadmin | <all keyspaces> |  AUTHORIZE |    True |      False |     False
  • grantable is true for a permission: Manage only the specified permission for other roles, which are not assigned to them. The related commands are executable if granted is also true.

    For example, to allow the sec_admin to GRANT and REVOKE permissions for other roles but not access the data in all keyspaces:

    GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE
    ON ALL KEYSPACES
    TO sec_admin;

    Verify the permissions:

    LIST ALL PERMISSIONS OF sec_admin;

    Granted is false and grantable is true.

     role      | username   | resource        | permission | granted | restricted | grantable
    -----------+------------+-----------------+------------+---------+------------+-----------
     sec_admin |  sec_admin | <all keyspaces> |     CREATE |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |      ALTER |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |       DROP |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |     MODIFY |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |   DESCRIBE |   False |      False |      True

Roles that are granted ALL PERMISSIONS can delegate resource permission to all roles. When a user creates an object, they are automatically granted ALL PERMISSIONS.

Restriction: The following rules apply when managing roles and access to database objects:

  • Creating a new role requires CREATE granted on ALL ROLES.

  • GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR <permission_name>) on the resource.

  • Users can not modify their own role properties LOGIN and SUPERUSER. Prevents users with ALTER permissions from making their own account a SUPERUSER or creating a role with a higher level of permission.

Authorize syntax

Use the following code to allow the role to GRANT and REVOKE

  • AUTHORIZE and any other permission that has been granted to them on the resource.

    GRANT AUTHORIZE
    ON (ALL KEYSPACES | TABLE <table_name> | '<filter_string>' ROWS IN <table_name>)
    TO <role_name>;
  • Only the listed permissions.

    GRANT AUTHORIZE FOR <permission_list>
    ON <resource_name>
    TO <role_name>;
Permission matrix
Type Permissions Resources

Data

ALTER

CREATE

DESCRIBE

DROP

MODIFY

SELECT

ALL KEYSPACES

KEYSPACE <keyspace_name>

TABLE <table_name>

'<filtering_data>' ROWS IN <table_name>

Functions

ALTER

CREATE

DROP

EXECUTE

ALL FUNCTIONS

ALL FUNCTIONS IN KEYSPACE <keyspace_name>

FUNCTION <function_name> ( <argument_types> )

Search indexes

SEARCH.ALTER

SEARCH.COMMIT

SEARCH.CREATE

SEARCH.DROP

SEARCH.REBUILD

SEARCH.RELOAD

ALL SEARCH INDICES

SEARCH INDEX [<keyspace_name>.]<table_name>

Roles

ALTER

CREATE

DESCRIBE

DROP

ALL ROLES

ROLE <role_name>

Proxy role

PROXY.EXECUTE

PROXY.LOGIN

ROLE <role_name>

Authentication Scheme

EXECUTE

ALL AUTHENTICATION SCHEMESLDAP SCHEME

KERBEROS SCHEME

INTERNAL SCHEME

MBeans

DESCRIBE, EXECUTE, MODIFY, and SELECT

ALL MBEANS > MBEANS <pattern> > MBEAN <name>

Spark applications

CREATE

DESCRIBE

ANY WORKPOOL > WORKPOOL <datacenter_name>

MODIFY

DESCRIBE

ANY SUBMISSION

ANY SUBMISSION IN WORKPOOL <datacenter_name>

SUBMISSION id IN WORKPOOL <datacenter_name>

Remote calls

EXECUTE

ALL REMOTE CALLS > REMOTE OBJECT <object_name> > REMOTE METHOD <object_name>.<method_name>

Delegate role management permissions

  • When the AUTHORIZE is granted to a role, the target role can delegate any permission it has on the resource to other roles (including itself).

    GRANT AUTHORIZE ON ALL ROLES
    TO <role_name>;

    The permission shows as granted when the role’s permission are listed.

    When ALL PERMISSIONS is granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.

  • ROLE

    GRANT <permission>[, <permission> ...]
    ON ROLE <role_name>
    TO <role_name>;

    where <permission> values are ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP

Authorization
Permission Resource

AUTHORIZE

ALL ROLES

GRANT and REVOKE the permissions the issuing role has been granted on the role.

AUTHORIZE FOR permission_list

ALL ROLES

GRANT and REVOKE the listed permissions.

AUTHORIZE

ROLE <name>

GRANT and REVOKE the permissions the issuing role has been granted on the role.

AUTHORIZE FOR permission_list

ROLE <name>

GRANT and REVOKE the listed permissions.

Delegate resource management permissions

Authentication schemes
  • Delegate privileges to administrators that manage roles.

    GRANT AUTHORIZE [FOR EXECUTE]
    ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME)
    TO <role_name>;
    • AUTHORIZE - Allows role to delegate the AUTHORIZE permission and if EXECUTE is also granted, the role can delegate execute permissions.

    • AUTHORIZE FOR EXECUTE - Allows role to delegate which other roles can assign scheme permissions without changing their own login scheme.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com