Manage Astra Streaming roles and permissions

You manage role-based access control (RBAC) for Astra Streaming through your Astra organization. For information about Astra RBAC, including default roles, custom roles, permissions, and user management, see Manage roles and permissions.

Astra Streaming permissions

Permissions specific to Astra Streaming include the following:

  • Manage Streaming (org-stream-manage): View, add, edit, or remove Astra Streaming configurations.

Default roles for Astra Streaming

There are no default Astra roles specifically scoped to Astra Streaming. However, the following default roles have the Manage Streaming permission:

  • Organization Administrator

  • Administrator Service Account

  • API Administrator Service Account

  • API Administrator User

For information about permissions assigned to default roles, see Manage roles and permissions.

Custom roles for Astra Streaming

If you create custom roles for Astra Streaming, those roles must have the following permissions, at minimum:

  • Manage Streaming (org-stream-manage): View and manage Astra Streaming in the Astra Portal.

  • View DB (org-db-view): View the Astra Portal in general.

Additional permissions might be required, depending on the tasks the role needs to perform.

To control access to specific streaming tenants, you can set granular resource scopes on custom roles.

Authentication and authorization in Apache Pulsar™ and Astra

Pulsar has the concept of clients with role tokens. In Pulsar, authentication is the process of verifying a provided token (JWT), and authorization is the process of determining if the role claimed in that token is allowed to complete the requested action.

Astra Streaming uses the DataStax version of Apache Pulsar (Luna Streaming). The Luna project is an open fork of the Pulsar project that maintains feature parity with OSS Pulsar. Astra Streaming, as a managed service, abstracts some features/options of Pulsar to ensure continuous, reliable service.

On a shared cluster, your Astra organization has one or more tenants on a shared Pulsar cluster. Each of your tenants is secured by Pulsar authentication and authorization models, as well as your Astra organization’s authentication and authorization (Astra RBAC).

Astra Streaming shared clusters are created and administered by Astra Streaming administrators. Each tenant is assigned a custom role and permissions limited to that tenant only. All tokens created within a tenant are assigned roles similar to the assigning tenant.

For programmatic access, you use Astra application tokens or Pulsar JWT, depending on the operation you need to perform. For more information, see Manage tokens.

See also

Was this helpful?

Edit this page

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com