Implement separation of duties
Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.
Assign permission management privileges
In order for administrators and others to use GRANT or REVOKE to manage permissions on a resource, their role must have one of the following permissions on the object:
- AUTHORIZE granted is true: Manage any permission that has been granted on the resource; the role also allows the user to execute the CQL commands that correspond to the permission. For example, the admin role has both AUTHORIZE and SELECT on the ALL KEYSPACES resource:

  ```
  GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;
  ```

  Users with the role can GRANT and REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:

  ```
  LIST ALL PERMISSIONS OF admin;

   role  | username | resource        | permission | granted | restricted | grantable
  -------+----------+-----------------+------------+---------+------------+-----------
   admin | dbadmin  | <all keyspaces> | SELECT     | True    | False      | False
   admin | dbadmin  | <all keyspaces> | AUTHORIZE  | True    | False      | False
  ```
- grantable is true for a permission: Manage only the specified permission for other roles; the permission itself is not granted to the managing role. The related commands are executable only if granted is also true. For example, to allow sec_admin to GRANT and REVOKE permissions for other roles but not access the data in any keyspace:

  ```
  GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE ON ALL KEYSPACES TO sec_admin;
  ```

  Verify the permissions; granted is false and grantable is true:

  ```
  LIST ALL PERMISSIONS OF sec_admin;

   role      | username  | resource        | permission | granted | restricted | grantable
  -----------+-----------+-----------------+------------+---------+------------+-----------
   sec_admin | sec_admin | <all keyspaces> | CREATE     | False   | False      | True
   sec_admin | sec_admin | <all keyspaces> | ALTER      | False   | False      | True
   sec_admin | sec_admin | <all keyspaces> | DROP       | False   | False      | True
   sec_admin | sec_admin | <all keyspaces> | SELECT     | False   | False      | True
   sec_admin | sec_admin | <all keyspaces> | MODIFY     | False   | False      | True
   sec_admin | sec_admin | <all keyspaces> | DESCRIBE   | False   | False      | True
  ```
Roles that are granted ALL PERMISSIONS can delegate resource permissions to all roles. When a user creates an object, they are automatically granted ALL PERMISSIONS on it.
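The LIST ALL PERMISSIONS output above is exactly what a separation-of-duties audit reads. The following Python script is an added example, not from the DataStax documentation: it parses that cqlsh table and flags roles that hold both granted and grantable on keyspace or table data, or a granted AUTHORIZE there, while a grantable-only role such as sec_admin is reported clean. The resource-name matching and the dba role in the sample are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermRow:
    role: str
    resource: str
    permission: str
    granted: bool
    grantable: bool

def parse_permissions(output: str) -> list[PermRow]:
    """Parse the pipe-separated cqlsh table, skipping the header and the ---+--- separator."""
    rows = []
    for line in output.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 7 or cells[0] == "role" or set(line) <= set("-+ "):
            continue
        role, _user, resource, perm, granted, _restricted, grantable = cells
        rows.append(PermRow(role, resource, perm, granted == "True", grantable == "True"))
    return rows

def is_data_resource(resource: str) -> bool:
    # Assumption: cqlsh renders data resources as <all keyspaces>, <keyspace k> or <table k.t>.
    return "keyspace" in resource or resource.startswith("<table")

def sod_findings(rows: list[PermRow]) -> list[str]:
    """One finding per row where a role can both use and delegate access to data."""
    findings = []
    for r in rows:
        if not is_data_resource(r.resource):
            continue  # role/function/scheme resources are out of scope for this check
        if r.permission == "AUTHORIZE" and r.granted:
            findings.append(f"{r.role}: granted AUTHORIZE on {r.resource} delegates every permission it holds there")
        elif r.granted and r.grantable:
            findings.append(f"{r.role}: can both use and delegate {r.permission} on {r.resource}")
    return findings

# Constructed sample: the admin and sec_admin rows from the page plus a hypothetical dba role.
SAMPLE_OUTPUT = """\
 role      | username  | resource          | permission | granted | restricted | grantable
-----------+-----------+-------------------+------------+---------+------------+-----------
 admin     | dbadmin   | <all keyspaces>   | SELECT     | True    | False      | False
 admin     | dbadmin   | <all keyspaces>   | AUTHORIZE  | True    | False      | False
 sec_admin | sec_admin | <all keyspaces>   | SELECT     | False   | False      | True
 sec_admin | sec_admin | <all keyspaces>   | MODIFY     | False   | False      | True
 dba       | dba       | <table app.users> | MODIFY     | True    | False      | True
 dba       | dba       | <all roles>       | DESCRIBE   | True    | False      | True
"""

if __name__ == "__main__":
    print(*sod_findings(parse_permissions(SAMPLE_OUTPUT)), sep="\n")
```

Pipe real `cqlsh -e 'LIST ALL PERMISSIONS;'` output into parse_permissions to audit every role at once.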
Restriction: The following rules apply when managing roles and access to database objects:
- Creating a new role requires CREATE granted on ALL ROLES.
- GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR <permission_name>) on the resource.
- Users cannot modify their own role properties LOGIN and SUPERUSER. This prevents users with ALTER permission from making their own account a SUPERUSER or from creating a role with a higher level of permission.
Authorize syntax
- AUTHORIZE: The role can GRANT and REVOKE AUTHORIZE and any other permission that has been granted to it on the resource.

  ```
  GRANT AUTHORIZE ON (ALL KEYSPACES | TABLE <table_name> | '<filter_string>' ROWS IN <table_name>) TO <role_name>;
  ```

- AUTHORIZE FOR: The role can GRANT and REVOKE only the listed permissions.

  ```
  GRANT AUTHORIZE FOR <permission_list> ON <resource_name> TO <role_name>;
  ```
| Type | Permissions | Resources |
|---|---|---|
| Data | | |
| Functions | | ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE <keyspace_name>, FUNCTION <function_name> ( <argument_types> ) |
| Search indexes | SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, SEARCH.RELOAD | ALL SEARCH INDICES, SEARCH INDEX [<keyspace_name>.]<table_name> |
| Roles | ALTER, CREATE, DESCRIBE, DROP | ALL ROLES, ROLE <role_name> |
| Proxy role | PROXY.EXECUTE, PROXY.LOGIN | ROLE <role_name> |
| Authentication Scheme | EXECUTE | ALL AUTHENTICATION SCHEMES, LDAP SCHEME, KERBEROS SCHEME, INTERNAL SCHEME |
| MBeans | | ALL MBEANS > MBEANS <pattern> > MBEAN <name> |
| Spark applications | CREATE, DESCRIBE | ANY WORKPOOL > WORKPOOL <datacenter_name> |
| Spark applications | MODIFY, DESCRIBE | ANY SUBMISSION, ANY SUBMISSION IN WORKPOOL <datacenter_name>, SUBMISSION id IN WORKPOOL <datacenter_name> |
| Remote calls | EXECUTE | ALL REMOTE CALLS > REMOTE OBJECT <object_name> > REMOTE METHOD <object_name>.<method_name> |
Delegate role management permissions
- When AUTHORIZE is granted to a role, the target role can delegate any permission it has on the resource to other roles (including itself).

  ```
  GRANT AUTHORIZE ON ALL ROLES TO <role_name>;
  ```

  The permission shows as granted when the role's permissions are listed. When ALL PERMISSIONS is granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.
- ROLE

  ```
  GRANT <permission>[, <permission> ...] ON ROLE <role_name> TO <role_name>;
  ```

  where <permission> values are ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP.
| Permission | Resource | Effect |
|---|---|---|
| AUTHORIZE | ALL ROLES | GRANT and REVOKE the permissions the issuing role has been granted on the role. |
| AUTHORIZE FOR permission_list | ALL ROLES | |
| AUTHORIZE | ROLE <name> | GRANT and REVOKE the permissions the issuing role has been granted on the role. |
| AUTHORIZE FOR permission_list | ROLE <name> | |
Delegate resource management permissions
- Authentication schemes: Delegate privileges to administrators that manage roles.

  ```
  GRANT AUTHORIZE [FOR EXECUTE] ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME) TO <role_name>;
  ```

  - AUTHORIZE: Allows the role to delegate the AUTHORIZE permission and, if EXECUTE is also granted, to delegate the EXECUTE permission.
  - AUTHORIZE FOR EXECUTE: Allows the role to delegate which other roles can assign scheme permissions, without changing its own login scheme.