About permissions
Permissions control access to database resources.
After creating a role, use GRANT and REVOKE to control access to CQL database resources.
Available permissions
Permissions are granted on a resource to a role; grant a privilege at any level of the resource hierarchy. The full set of available privileges is:
- ALL PERMISSIONS
- ALTER
- AUTHORIZE
- CREATE
- DESCRIBE
- DROP
- EXECUTE
- MODIFY
- PROXY.EXECUTE
- PROXY.LOGIN
- SEARCH.ALTER
- SEARCH.COMMIT
- SEARCH.CREATE
- SEARCH.DROP
- SEARCH.REBUILD
- SEARCH.RELOAD
- SELECT
- role_name
Database resource structure
DataStax Enterprise database resources are the objects to which permissions are applied, and they form a hierarchy. Granting a permission on a resource higher in the chain automatically grants that same permission on all resources lower down.
Note: Not all privileges apply to every type of resource. For instance, EXECUTE is only relevant in the context of functions, MBeans, RPC, and authentication schemes. Attempting to grant a privilege on a resource to which it does not apply results in an error. Available objects:
- Functions
  - ALL FUNCTIONS
    - ALL FUNCTIONS IN KEYSPACE keyspace_name
      - FUNCTION keyspace_name.function_name
- Data
  - ALL KEYSPACES
    - KEYSPACE keyspace_name
      - TABLE table_name
        - Rows ('filtering_data' ROWS IN table_name)
  - Indexes (other than search indexes) belong to a table, but permissions cannot be assigned to them directly. ALTER permission on a table allows users to CREATE and DROP its indexes.
  - Types belong to a keyspace, but permissions cannot be assigned to them directly. To manage types, grant CREATE, DROP, or ALTER on the keyspace, which also gives the user the same permissions on tables.
- Search index
  - ALL SEARCH INDICES
    - SEARCH INDICES [keyspace_name.]table_name
- JMX
  - ALL MBEANS
    - MBEAN mbean_name
    - MBEANS pattern
- Roles
  - ALL ROLES
    - ROLE role_name
  Note: Roles are both an assignable permission set and a database resource. GRANT role_name TO role_name gives all the permissions of the first role in the statement to the second role. Use roles to create your own hierarchical permissions structures.
- Remote procedure calls (RPC)
  - ALL OBJECTS
    - OBJECT object_name
      - METHOD
- Authentication schemes
  - ALL SCHEMES
    - (LDAP | KERBEROS | INTERNAL) SCHEME
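The statements below are an added example, not content from the DataStax documentation; they walk the hierarchy described above: a grant at the keyspace level covers every table beneath it, a grant at the table level does not, EXECUTE is the only permission an authentication scheme accepts, and a role can be granted to another role to build a layered permission set. The keyspace, table, and role names are constructed placeholders.

```cql
-- Roles used in this example (constructed names); the passwords are placeholders.
CREATE ROLE IF NOT EXISTS app_reader WITH PASSWORD = 'CHANGE_ME' AND LOGIN = true;
CREATE ROLE IF NOT EXISTS app_writer WITH PASSWORD = 'CHANGE_ME' AND LOGIN = true;
CREATE ROLE IF NOT EXISTS sales_admin;   -- non-login role used purely as a permission set

-- Keyspace-level grant: SELECT on KEYSPACE sales is inherited by every table in it,
-- including tables created later.
GRANT SELECT ON KEYSPACE sales TO app_reader;

-- Table-level grant: MODIFY applies to sales.orders only, not to other tables in sales.
GRANT MODIFY ON TABLE sales.orders TO app_writer;

-- Function hierarchy: EXECUTE granted one level below ALL FUNCTIONS covers every
-- function in the keyspace without listing each signature.
GRANT EXECUTE ON ALL FUNCTIONS IN KEYSPACE sales TO app_reader;

-- Authentication scheme resource: EXECUTE is the only permission that applies here.
GRANT EXECUTE ON INTERNAL SCHEME TO app_reader;

-- Not applicable: SELECT has no meaning for an authentication scheme, so this GRANT
-- is rejected with an error rather than silently ignored (left commented out).
-- GRANT SELECT ON INTERNAL SCHEME TO app_reader;

-- Layered permission set: sales_admin collects the keyspace-wide privileges, and
-- granting the role hands all of them to app_writer in one statement.
GRANT ALL PERMISSIONS ON KEYSPACE sales TO sales_admin;
GRANT sales_admin TO app_writer;

-- Verify the effective permissions. LIST ALL PERMISSIONS OF a role includes the
-- permissions it inherits through granted roles; the ON form shows who can touch
-- one resource, which is the view an access review usually needs.
LIST ALL PERMISSIONS OF app_writer;
LIST ALL PERMISSIONS ON TABLE sales.orders;

-- Tighten later: revoking the role removes the whole inherited set in one step,
-- while the direct table grant must be revoked separately.
REVOKE sales_admin FROM app_writer;
REVOKE MODIFY ON TABLE sales.orders FROM app_writer;
```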