OpsCenter access roles overview

OpsCenter provides the ability to define custom, fine-grained access roles for users.

DataStax Enterprise (DSE) customers have the ability to define custom, fine-grained access roles for their users. OpsCenter can be configured to require users to log in using OpsCenter authentication. Permissions to perform certain operations can be granted to each role, and a role can be assigned to users. A user can only be assigned one role, and each role applies to all clusters.

Note: Authenticating with LDAP in OpsCenter requires defining roles for LDAP users. If using LDAP authentication, users can have multiple roles. Upon logging in, all permissions for each role a user is assigned to are merged.

Admin role privileges

The admin role is built-in to OpsCenter and cannot be edited or removed. By default, the admin role is the only role created automatically when authentication is enabled. Only users with the admin role can manage users and roles, add new clusters, or manually update definition files.
Important: Changing the default admin password is strongly recommended the first time you log in.

Custom user role privileges

Only those assigned an admin role can manage roles. Each role represents permissions for all clusters managed by OpsCenter. Any functionality in OpsCenter that a user does not have permission for appears as gray and unavailable to that logged in user.

If using the OpsCenter API, users without sufficient permissions will receive an HTTP 401, Unauthorized response from the API.
Note: Adding a cluster does not automatically add permissions for any existing roles. After adding a cluster, apply the permissions to the cluster for each role as appropriate for your organization.
Important: In OpsCenter 6.5.3 and later, you must update custom scripts and applications that use the OpsCenter API if you want to use multiple user roles with LDAP authentication. If a custom script or application that uses the OpsCenter API did not account for multiple user roles, and a user has multiple roles, the script or application will fail because the role attribute cannot be found. The single role attribute will be provided for users that have only one role. If your application or script has users with only one role, then updates are not required for continued use.

Role permissions

When defining custom roles, each role can have specific permissions enabled for that role. Each user can only be assigned a single role, which contains permissions for all clusters managed by OpsCenter. If using LDAP authentication, users can have multiple roles. Use the Cluster menu to view permissions for each cluster for a selected role. To hide a cluster for users within a selected role, uncheck all permissions.

Table 1. Role permissions
Permission Description
Core functionality
View Cluster Allows users to view a cluster in the Clusters area of the OpsCenter Monitoring UI.
Installing DataStax Agents Allows users to install or upgrade agents automatically or manually.
Edit Connection Settings Allows users to edit the cluster connection settings for a DSE cluster monitored in OpsCenter.
Manage Alerts Allows users to add alerts for monitoring conditions in DSE clusters.
Cluster Configuration Allows users to configure the Performance Service.
Services
Backup Service Allows users to perform backups and restores.
Best Practice Service Allows users to configure and schedule Best Practice Service rules for managing DSE clusters.
Repair Service Allows users to start, stop, and configure the Repair Service for running repairs on DSE clusters.
NodeSync Service Allows authorized users to access status and configure settings for the NodeSync Service.
Performance Service Configuration Allows users to configure the Performance Service.
Performance Service CQL Tracing Allows users to trace slow CQL queries when troubleshooting query issues.
Node Operations
Start and Stop Allows users to start and stop DSE nodes. Start and stop nodes from the Other Actions menu options available in the List view, or from the Actions menu in the Node Details view.
Cleanup Allows users to run a cleanup on one or more keyspaces.
Compact Allows users to run compaction on a keyspaces and their tables. Major compactions are not recommended unless there is a compelling reason to do so.
Drain Allows users to drain a node. The Drain option is available from the Actions menu in the Node Details dialog view, and also available when restarting DSE on a node.
Flush Allows users to flush a keyspace and its tables. Flushing a keyspace might affect system performance when there are many live, large memtables.
Garbage Collection Allows users to perform garbage collection on nodes. Running GC causes a spike in latency.
Repair Allows users to manually run an ad hoc repair operation on selected nodes in the List view.
Data
View Schema Allows users to view the CQL statements for the schema in the Data workspace of OpsCenter Monitoring. Users must have the View Schema permission to view Tables, View UDT, View UDF, and View UDA. Those users without view schema permission are shown a message explaining they must have the role permission for viewing anything in the Data workspace, and to contact their OpsCenter administrator to obtain access privileges.
Modify Schema Allows users to edit keyspace settings, delete keyspaces, or delete tables in the Data workspace of OpsCenter.
Truncate Data Allows users to truncate data from a table. The Truncate link appears as gray and unavailable for users who do not have this permission granted for their role.
Cluster Topology
Add Nodes Deprecated. Now users add nodes to an existing DSE cluster using Lifecycle Manager. Anyone assigned an admin role can use any feature of LCM.
Rebalance Cluster (non-vnode) Allows users to rebalance a non-vnode cluster. Not applicable to vnodes.
Move Allows users to move a node, enter a new token, and assign the new token to the node. During a move node operation, the node is unavailable and cluster performance might be affected. Not applicable to vnodes. Access the Move option from the Other Actions menu available in the List view, or from the Actions menu in the Node Details dialog view.
Decommission Allows users to decommission a node from the Actions menu in the Node Details dialog view.
Remove Tokens Allows removing tokens using the APIs.