OpsCenter access roles overview

OpsCenter provides the ability to define custom, fine-grained access roles for users.

DataStax Enterprise customers have the ability to define custom, fine-grained access roles for their users. OpsCenter can be configured to require users to log in using OpsCenter authentication. Permissions to perform certain operations can be granted to each role, and a role can be assigned to users. A user can only be assigned one role. A role can be applied per cluster.

Note: Authenticating with LDAP in OpsCenter requires defining roles for LDAP users.

Admin role privileges 

The admin role is built-in to OpsCenter and cannot be edited or removed. By default, the admin role is the only role created automatically when authentication is enabled. Only users with the admin role can manage users and roles, add new clusters, or manually update definition files.
Important: Changing the default admin password is strongly recommended the first time you log in.

Custom user role privileges 

Only those assigned an admin role can define custom roles for users. The permissions of the custom user roles are applied per cluster. Any functionality in OpsCenter that a user does not have permission for appears as gray and unavailable to that logged in user.
Note: Adding a cluster does not automatically add permissions for any existing roles. After adding a cluster, apply the permissions to the cluster for each role as appropriate for your organization.

Role permissions 

When defining custom roles, each role can have specific permissions enabled for that role. Role permissions are applied per cluster.

Role permissions
Permission Description
Core functionality
View Cluster Allows users to view a cluster in the Clusters area of the OpsCenter Monitoring UI.
Install Agents Allows users to install or upgrade agents automatically or manually.
Edit Connection Settings Allows users to edit the cluster connection settings for a DSE cluster monitored in OpsCenter.
Manage Alerts Allows users to add alerts for monitoring conditions in DSE clusters.
Cluster Configuration Allows users to configure the Performance Service.
Backup Service Allows users to perform backups and restores.
Best Practice Service Allows users to configure and schedule Best Practice Service rules for managing DSE clusters.
Repair Service Allows users to start, stop, and configure the Repair Service for running repairs on DSE clusters.
NodeSync Service Allows authorized users to access status and configure settings for the NodeSync Service.
Performance Service Configuration Allows users to configure the Performance Service.
Performance Service CQL Tracing Allows users to trace slow CQL queries when troubleshooting query issues.
Node Operations
Start and Stop Allows users to start and stop DSE nodes. Start and stop nodes from the Other Actions menu options available in the List view, or from the Actions menu in the Node Details view.
Cleanup Allows users to run a cleanup on one or more keyspaces.
Compact Allows users to run compaction on a keyspaces and their tables. Major compactions are not recommended unless there is a compelling reason to do so.
Drain Allows users to drain a node. The Drain option is available from the Actions menu in the Node Details dialog view, and also available when restarting DSE on a node.
Flush Allows users to flush a keyspace and its tables. Flushing a keyspace might affect system performance when there are many live, large memtables.
Garbage Collection Allows users to perform garbage collection on nodes. Running GC causes a spike in latency.
Repair Allows users to manually run an ad hoc repair operation on selected nodes in the List view.
View Schema Allows users to view the CQL statements for the schema in the Data workspace of OpsCenter Monitoring. Users must have the View Schema permission to view Tables, View UDT, View UDF, and View UDA. Those users without view schema permission are shown a message explaining they must have the role permission for viewing anything in the Data workspace, and to contact their OpsCenter administrator to obtain access privileges.
Modify Schema Allows users to edit keyspace settings, delete keyspaces, or delete tables in the Data workspace of OpsCenter.
Truncate Data Allows users to truncate data from a table. The Truncate link appears as gray and unavailable for users who do not have this permission granted for their role.
Cluster Topology
Add Nodes Deprecated. Now users add nodes to an existing DSE cluster using Lifecycle Manager. Anyone assigned an admin role can use any feature of LCM.
Rebalance Cluster (non-vnode) Allows users to rebalance a non-vnode cluster. Not applicable to vnodes.
Move Allows users to move a node, enter a new token, and assign the new token to the node. During a move node operation, the node is unavailable and cluster performance might be affected. Not applicable to vnodes. Access the Move option from the Other Actions menu available in the List view, or from the Actions menu in the Node Details dialog view.
Decommission Allows users to decommission a node from the Actions menu in the Node Details dialog view.
Remove Tokens Allows removing tokens using the APIs.