Managing your Astra DB organization

As an administrator, you can manage your database and organization. This includes the following tasks:

Add organizations in Astra DB

Creating multiple organizations in DataStax Astra DB is useful for segmenting groups of users and creating various environments.

From any page in Astra DB, select the Organizations dropdown.
In the main dropdown, select Manage Organizations.
Select Add Organization. The Add Organization window opens.
- Enter the name and email address for your new organization.
- Select Add to add the new organization.

The organization is added to the list. An email is sent to the email address entered for the organization owner.

Invite users to an organization

Invite users to join your organization and provide them with access based on the selected role.

From any page in Astra DB, select the Organizations dropdown.
In the main dropdown, select Organization Settings.
From User Management, select Invite User.
Enter the email address for the user you want to invite for the specific user role. If adding multiple users, separate the email addresses with commas, spaces, or line breaks.
Select the user role(s) for the user(s) you are inviting. Multiple roles are available within each group of roles for Organization Access, Database, Keyspace, or Table Access, and API Access.
Select Invite Users to send email invitations to the users at their email address.

Invited users are listed as pending until they accept the invitation to join your organization.

Manage user permissions

Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.

You can manage roles using the DataStax Astra DB user interface or the DevOps API.

Which default roles are available?

Default Operational Roles

The default roles address four types of operational users and three levels of access.

This matrix show how the four types of operational users with each of the three levels of access:

	User	API User	User Service Account	API Service Account
Admin	Administrator User	API Administrator User	Administrator Svc Acct	API Administrator Svc Acct
Read Only	RO User	API RO User	RO Svc Acct	API RO Svc Acct
Read/Write	R/W User	API R/W User	R/W Svc Acct	API R/W Svc Acct

User

API User

User Service Account

API Service Account

Admin

Administrator User

API Administrator User

Administrator Svc Acct

API Administrator Svc Acct

Read Only

RO User

API RO User

RO Svc Acct

API RO Svc Acct

Read/Write

R/W User

API R/W User

R/W Svc Acct

API R/W Svc Acct

Service Account Roles are limited from listing users and databases. API Roles limit CQL access.

Default Special Roles

In addition to the operational roles, four special default roles exist:

Organization Administrator: Super User
Database Administrator: Full access to CRUD organizations and databases
UI View Only: Read only access to view organizations and databases
Billing Admin: Billing only access

Operational Roles Detail

User Roles

Role name	Console name	DevOps API Parameters
Admin User	Create All Keyspace, Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read Organization, Read User, Write User	db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select, org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view, org-read, org-user-read, org-user-write
RO User	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL, Describe Keyspace, Access REST, Describe Table, Select Table, View DB, Read User	accesslist-read, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-describe, db-rest, db-table-describe, db-table-select, org-db-view, org-user-read
R/W User	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL, Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table, View DB, Read User	accesslist-read, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select, org-db-view, org-user-read

Role name

Console name

DevOps API Parameters

Admin User

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Organization,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-read,
org-user-read,
org-user-write

RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

API User Roles

Role name	Console name	DevOps API Parameters
API Admin User	Read IP Access List, Create All Keyspace, Describe All Keyspaces, Access GraphQL API, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read User, Write User	accesslist-read, db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select, org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view, org-user-read, org-user-write
API RO User	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Describe Keyspace, Access REST, Describe Table, Select Table, View DB, Read User	accesslist-read, db-all-keyspace-describe, db-graphql, db-keyspace-describe, db-rest, db-table-describe, db-table-select, org-db-view, org-user-read
API R/W User	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table, View DB, Read User	accesslist-read, db-all-keyspace-describe, db-graphql, db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select, org-db-view, org-user-read

Role name

Console name

DevOps API Parameters

API Admin User

Read IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

accesslist-read,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

API R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

User Service Account Roles

Role name	Console name	DevOps API Parameters
Admin Svc Acct	Create All Keyspace, Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read User, Write User	db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select, org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view, org-user-read, org-user-write
RO Svc Acct	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL, Describe Keyspace, Access REST, Describe Table, Select Table	accesslist-read, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-describe, db-rest, db-table-describe, db-table-select
R/W Svc Acct	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL, Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table	accesslist-read, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select

Role name

Console name

DevOps API Parameters

Admin Svc Acct

RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

API Service Account Roles

Role name	Console name	DevOps API Parameters
API Admin Svc Acct	Create All Keyspace, Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read User, Write User	db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select, org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view, org-user-read, org-user-write
API RO Svc Acct	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Describe Keyspace, Access REST, Describe Table, Select Table	accesslist-read, db-all-keyspace-describe, db-graphql, db-keyspace-describe, db-rest, db-table-describe, db-table-select
API R/W Svc Acct	Read IP Access List, Describe All Keyspaces, Access GraphQL API, Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table	accesslist-read, db-all-keyspace-describe, db-graphql, db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select

Role name

Console name

DevOps API Parameters

API Admin Svc Acct

API RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

API R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

Special Roles Detail

Billing Admin

The Billing Admin role provides only access to view the billing information for Astra DB services. This role has no management capabilities nor access to data.

Console name	DevOps API Parameters
Read Billing, Write Billing, View DB, Read User	org-billing-read, org-billing-write, org-db-view, org-user-read

Console name

DevOps API Parameters

Read Billing,
Write Billing,
View DB,
Read User

org-billing-read,
org-billing-write,
org-db-view,
org-user-read

Database Administrator

The Database Administrator role is designed to effectively manage organizations and the databases using CRUD. This role does not have the ability to view billing, mange role-based access control (RBAC), or manage users.

Console name	DevOps API Parameters
Read IP Access List, Write IP Access List, Create All Keyspace, Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table, Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read Token, Write Token, Read User	accesslist-read, accesslist-write, db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select, org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view, org-token-read, org-token-write, org-user-read

Console name

DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Token,
Write Token,
Read User

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-token-read,
org-token-write,
org-user-read

Organization Administrator

The Organization Administrator role is the most permissive default role.

Console name	DevOps API Parameters
Read IP Access List, Write IP Access List, Create All Keyspace, Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table, Read Audits, Read Billing, Write Billing, Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read External Auth, Write External Auth, Notification Write, Read Organization, Delete Custom Role, Read Custom Role, Write Custom Role, Read Token, Write Token, Read User, Write User, Write Organization	accesslist-read, accesslist-write, db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select, org-audits-read, org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view, org-external-auth-read, org-external-auth-write, org-notification-write, org-read, org-role-delete, org-role-read, org-role-write, org-token-read, org-token-write, org-user-read, org-user-write, org-write

Console name

DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Audits,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read External Auth,
Write External Auth,
Notification Write,
Read Organization,
Delete Custom Role,
Read Custom Role,
Write Custom Role,
Read Token,
Write Token,
Read User,
Write User,
Write Organization

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-audits-read,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-external-auth-read,
org-external-auth-write,
org-notification-write,
org-read,
org-role-delete,
org-role-read,
org-role-write,
org-token-read,
org-token-write,
org-user-read,
org-user-write,
org-write

UI View Only

The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.

Console name	DevOps API Parameters
Read IP Access List, View DB, Read User	accesslist-read, org-db-view, org-user-read

Console name

DevOps API Parameters

Read IP Access List,
View DB,
Read User

accesslist-read,
org-db-view,
org-user-read

Custom permissions

The tables below contain detailed descriptions of each of the permissions available in Astra DB and can be used to get more detail on the permissions assigned to the roles above.

Organization permissions

Console name	Description	DevOps API parameter
View DB	See a database in a list of databases or Astra Portal.	org-db-view
Create DB	Create a database using the DevOps API or Astra Portal.	org-db-create
Terminate DB	Permanently delete a database and all of of its data using the DevOps API or Astra Portal.	org-db-terminate
Reset Password	Reset the password for a classic database.	org-db-passwordreset
Manage Migrator Proxy	Add and remove the migrator proxy from a db.	org-db-managemigratorproxy
Read Audits	Enables read and download audits.	org-audits-read
Write Billing	Enables links and ability to add or edit billing payment info.	org-billing-write
Write IP Access List	Create or modify an access list using the DevOps API or Astra Portal.	accesslist-write
Manage Region	Add, create, or remove a region using the DevOps API or Astra Portal.	db-manage-region
Write User	Add, create, or remove a user using the DevOps API or Astra Portal.	org-user-write
Write Organization	Create new organizations or delete an existing organization. Hides manage org and org settings.	org-write
Write Custom Role	Create custom role.	org-role-write
Write External Auth	Update security settings related to external auth providers.	org-external-auth-write
Write Token	Create application token.	org-token-write
Read Billing	Enables links and access to billing details page.	org-billing-read
Read IP Access List	Enables links and access to acess list page.	accesslist-read
Read User	Access to viewing users of an organization.	org-user-read
Read Organization	View organization in Astra Portal.	org-read
Read Custom Role	See a custom role and its associated permissions.	org-role-read
Read External Auth	See security settings related to external authentication providers.	org-external-auth-read
Read Token	Read token details.	org-token-read
Delete Custom Role	Delete of custom role.	org-role-delete
Add Peering	Create of VPC peering connection.	org-db-addpeering
Notification Write	Enable or disable notifications in organization notification settings.	org-notification-write
Suspend DB	Park/unpark classic databases and suspend/unsuspend serverless databases.	org-db-suspend

Console name

Description

DevOps API parameter

View DB

See a database in a list of databases or Astra Portal.

org-db-view

Create DB

Create a database using the DevOps API or Astra Portal.

org-db-create

Terminate DB

Permanently delete a database and all of of its data using the DevOps API or Astra Portal.

org-db-terminate

Reset Password

Reset the password for a classic database.

org-db-passwordreset

Manage Migrator Proxy

Add and remove the migrator proxy from a db.

org-db-managemigratorproxy

Read Audits

Enables read and download audits.

org-audits-read

Write Billing

Enables links and ability to add or edit billing payment info.

org-billing-write

Write IP Access List

Create or modify an access list using the DevOps API or Astra Portal.

accesslist-write

Manage Region

Add, create, or remove a region using the DevOps API or Astra Portal.

db-manage-region

Write User

Add, create, or remove a user using the DevOps API or Astra Portal.

org-user-write

Write Organization

Create new organizations or delete an existing organization. Hides manage org and org settings.

org-write

Write Custom Role

Create custom role.

org-role-write

Write External Auth

Update security settings related to external auth providers.

org-external-auth-write

Write Token

Create application token.

org-token-write

Read Billing

Enables links and access to billing details page.

org-billing-read

Read IP Access List

Enables links and access to acess list page.

accesslist-read

Read User

Access to viewing users of an organization.

org-user-read

Read Organization

View organization in Astra Portal.

org-read

Read Custom Role

See a custom role and its associated permissions.

org-role-read

Read External Auth

See security settings related to external authentication providers.

org-external-auth-read

Read Token

Read token details.

org-token-read

Delete Custom Role

Delete of custom role.

org-role-delete

Add Peering

Create of VPC peering connection.

org-db-addpeering

Notification Write

Enable or disable notifications in organization notification settings.

org-notification-write

Suspend DB

Park/unpark classic databases and suspend/unsuspend serverless databases.

org-db-suspend

Keyspace permissions

Console name	Description	DevOps API parameter
Alter Keyspace	Make changes to a specified keyspace.	db-keyspace-alter
Describe Keyspace	Get a list of tables within a specified keyspace.	db-keyspace-describe
Modify Keyspace	Access or modify a keyspace.	db-keyspace-modify
Authorize Keyspace	Give access to specified keyspace.	db-keyspace-authorize
Drop Keyspace	Remove keyspace. Available in only Astra Portal.	db-keyspace-drop
Create Keyspace	Create keyspace. Available in only Astra Portal.	db-keyspace-create
Grant Keyspace	Grant specific permissions for specified keyspace.	db-keyspace-grant

Console name

Description

DevOps API parameter

Alter Keyspace

Make changes to a specified keyspace.

db-keyspace-alter

Describe Keyspace

Get a list of tables within a specified keyspace.

db-keyspace-describe

Modify Keyspace

Access or modify a keyspace.

db-keyspace-modify

Authorize Keyspace

Give access to specified keyspace.

db-keyspace-authorize

Drop Keyspace

Remove keyspace. Available in only Astra Portal.

db-keyspace-drop

Create Keyspace

Create keyspace. Available in only Astra Portal.

db-keyspace-create

Grant Keyspace

Grant specific permissions for specified keyspace.

db-keyspace-grant

API access permissions

Console name	Description	DevOps API parameter
Access GraphQL API	Connect to database via GraphQL API.	db-graphql
Access REST	Connect to database via REST API.	db-rest
Access CQL	Connect to database via CQL.	db-cql

Console name

Description

DevOps API parameter

Access GraphQL API

Connect to database via GraphQL API.

db-graphql

Access REST

Connect to database via REST API.

db-rest

Access CQL

Connect to database via CQL.

db-cql

Which role should I assign a user?

Database Access Method	Roles
Astra User Interface access	Organization Administrator Database Administrator Billing Administrator UI View Only Developer Administrator Developer Read/Write Developer Read Only Administrator Service Account Read/Write Service Account Read Only Service Account
GraphQL, REST, and Document API access based on database access permissions	Organization Administrator Database Administrator Billing Administrator UI View Only Administrator User Read/Write User Read Only User Administrator Service Account Read/Write Service Account Read Only Service Account API Administrator User API Read/Write User API Read Only User API Administrator Service Account API Read/Write Service Account API Read Only Service Account
Data Loader access based on database access permissions	Administrator User Read/Write User Read Only User Administrator Service Account Read/Write Service Account Read Only Service Account
dsbulk access based on database access permissions	Read/Write Service Account Read Only Service Account
DevOps API access based on database access permissions	Organization Administrator Database Administrator
Drivers based on database access permissions	Administrator User Read/Write User Read Only User Administrator Service Account Read/Write Service Account Read Only Service Account
Manage access list for IP addresses and CIDR	Organization Administrator Database Administrator

Database Access Method

Roles

Astra User Interface access

Organization Administrator
Database Administrator
Billing Administrator
UI View Only
Developer Administrator
Developer Read/Write
Developer Read Only
Administrator Service Account
Read/Write Service Account
Read Only Service Account

GraphQL, REST, and Document API access based on database access permissions

Organization Administrator
Database Administrator
Billing Administrator
UI View Only
Administrator User
Read/Write User
Read Only User
Administrator Service Account
Read/Write Service Account
Read Only Service Account
API Administrator User
API Read/Write User
API Read Only User
API Administrator Service Account
API Read/Write Service Account
API Read Only Service Account

Data Loader access based on database access permissions

Administrator User
Read/Write User
Read Only User
Administrator Service Account
Read/Write Service Account
Read Only Service Account

dsbulk access based on database access permissions

Read/Write Service Account
Read Only Service Account

DevOps API access based on database access permissions

Organization Administrator
Database Administrator

Drivers based on database access permissions

Administrator User
Read/Write User
Read Only User
Administrator Service Account
Read/Write Service Account
Read Only Service Account

Manage access list for IP addresses and CIDR

Organization Administrator
Database Administrator

Manage application tokens

Application tokens allow you to connect to your database from your application using the Document, REST, and GraphQL APIs for DataStax Astra DB.
As of 4 March 2021, your Astra DB username and password will not work for your database. You will need to use an application token to connect to your database.

Create application token

You can also create an application token using the DevOps API.

From any page in Astra DB, select the Organizations dropdown.
In the main dropdown, select Organization Settings.
From your Organization page, select Token Management.
Select the role you want to attach to your token. The permissions for your selected role will be displayed.
Select Generate Token. Astra DB will generate your token and display the Client ID, Client Secret, and Token.
Download your Client ID, Client Secret, and Token.

After you navigate away from the page, you won’t be able to download your Client ID, Client Secret, and Token again. These tokens do not automatically expire, but can be destroyed in case they are compromised or no longer needed.

You can now use your token to connect to the Astra DB APIs. See more about the available APIs:

You can use your Client ID and Client Secret to connect to your database. See more about the available connection options:

Set environment variables

In your command-line interface associated with your environment, paste the following environment variables copied for your Astra DB database:

export ASTRA_DB_ID=<database_id>
export ASTRA_DB_REGION=<database_region>
export ASTRA_DB_KEYSPACE=<keyspace_name>
export ASTRA_DB_APPLICATION_TOKEN=<app_token>

Delete application token

If you need to limit access to your database, you can delete an application token.

Select the overflow menu for the application token you want to delete.
Select Delete to delete that application token.
If necessary, generate a new application token for the same user role.