Data resources

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations	/etc/dse/dse.yaml
Tarball installations	`installation_location`/resources/dse/conf/dse.yaml

Data resources are keyspaces, types, table, and rows. Access is controlled using modelled hierarchy. Granting and revoking a privilege on a top level object automatically allows the same permission on all ancestors.

Data resources have the following hierarchy:

Synopsis

Use the following syntax for data resource access control:

ALL KEYSPACES syntax:
```
GRANT permission[, permission ...]  
ON ALL KEYSPACES 
TO role_name;
```
Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
KEYSPACE syntax:
```
GRANT permission[, permission ...]  
ON KEYSPACE keyspace_name 
TO role_name;
```
Where permissions are ALL PERMISSIONS, CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
Note: User-defined type access control is the same as the privilege the role has on the keyspace.
TABLE syntax:
```
GRANT permission[, permission ...]  
ON [TABLE] keyspace_name.table_name 
TO role_name;
```
Where privileges are ALL PERMISSIONS, DROP, MODIFY, and SELECT.
ROWS syntax:
```
GRANT permission[, permission ...]  
ON 'filter_text' ROWS IN keyspace_name.table_name 
TO role_name;
```
Where privileges are ALL PERMISSIONS, MODIFY and SELECT.
Note: Row-level access control (RLAC) is disabled by default. To use RLAC, set allow_row_level_security parameter to true in the dse.yaml.

Permission matrix

The following table describes the CQL statements enabled on the resource when a privilege is granted to a role :


Privilege type	Resource names	Permissions
ALL PERMISSIONS	ALL KEYSPACES	CREATE KEYSPACE and DROP KEYSPACE, as well as all permissions on ancestor objects described in CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, MODIFY, and SELECT privilege.
ALL PERMISSIONS	KEYSPACE	ALTER, AUTHORIZE, DESCRIBE, and SELECT privileges on the keyspace and CREATE, ALTER, AUTHORIZE, DESCRIBE, DROP, and SELECT privileges on types, tables, and rows.
ALL PERMISSIONS	TABLE	MODIFY, SELECT, and AUTHORIZE privileges on the table and all privileges on rows.
ALL PERMISSIONS	ROWS	MODIFY and SELECT privileges on the rows that match the filtering text.
ALTER	ALL KEYSPACES	ALTER KEYSPACE, ALTER TABLE, ALTER TYPE, RESTRICT ROWS, and UNRESTRICT ROWS.
ALTER	KEYSPACE
ALTER	TABLE	ALTER TABLE, RESTRICT ROWS, and UNRESTRICT ROWS.
CREATE	ALL KEYSPACES	CREATE KEYSPACE, CREATE TABLE and CREATE TYPE. Note: Creating a resource automatically grants AUTHORIZE permission to the role that created it.
CREATE	KEYSPACE	CREATE TABLE and CREATE TYPE in specified keyspace.
CREATE	TABLE	CREATE TABLE in specified keyspace.
DESCRIBE	ALL KEYSPACES	DESCRIBE KEYSPACE, DESCRIBE TABLE, and DESCRIBE TYPE in any keyspace
DESCRIBE	KEYSPACE	DESCRIBE KEYSPACE, DESCRIBE TABLE, and DESCRIBE TYPE, and DESCRIBE FUNCTION, and DESCRIBE AGGREGATE in specified keyspace
DROP	ALL KEYSPACES	DROP KEYSPACE, DROP TABLE, and DROP TYPE in any keyspace
DROP	KEYSPACE	DROP TABLE, and DROP TYPE in specified keyspace
DROP	TABLE	DROP TABLE
MODIFY	ALL KEYSPACES	INSERT, UPDATE, DELETE and TRUNCATE on all tables.
MODIFY	KEYSPACE	INSERT, UPDATE, DELETE and TRUNCATE on any table in specified keyspace.
MODIFY	TABLE	INSERT, UPDATE, DELETE and TRUNCATE on specified table. See note for tables with materialized views (MVs).
MODIFY	ROWS	INSERT, UPDATE, DELETE on the partition that matches the '`filtering_data`' for the table.
SELECT	ALL KEYSPACES	SELECT on any table.
SELECT	KEYSPACE	SELECT on any table in specified keyspace.
SELECT	TABLE	SELECT on specified table.
SELECT	ROWS	SELECT on rows that exactly match the '`filtering_data`' in specified table.

Note: To modify a base table that has a materialized view (MV) using an INSERT or UPDATE command if access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table.