Managing your Astra DB organization
As an administrator, you can manage your database and organization. This includes the following tasks:
Add organizations in Astra DB
Creating multiple organizations in DataStax Astra DB is useful for segmenting groups of users and creating various environments.
-
From any page in Astra DB, select the Organizations dropdown.
-
In the main dropdown, select Manage Organizations.
-
Select Add Organization. The Add Organization window opens.
-
Enter the name and email address for your new organization.
-
Select Add to add the new organization.
-
The organization is added to the list. An email is sent to the email address entered for the organization owner.
Invite users to an organization
Invite users to join your organization and provide them with access based on the selected role.
-
From any page in Astra DB, select the Organizations dropdown.
-
In the main dropdown, select Organization Settings.
-
From the Users tab, select Invite User.
-
Enter the email address for the user you want to invite for the specific user role. If adding multiple users, separate the email addresses with commas, spaces, or line breaks.
-
Select the user role(s) for the user(s) you are inviting. Multiple roles are available within each group of roles for Organization Access, Database, Keyspace, or Table Access, and API Access.
-
Select Invite Users to send email invitations to the users at their email address.
Invited users are listed as pending until they accept the invitation to join your organization.
Manage user permissions
Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.
You can manage roles using the DataStax Astra DB user interface or the DevOps API.
Default Operational Roles
The default roles address four types of operational users and three levels of access.
This matrix show how the four types of operational users with each of the three levels of access:
| User | API User | User Service Account | API Service Account | |
|---|---|---|---|---|
Admin |
Administrator User |
API Administrator User |
Administrator Svc Acct |
API Administrator Svc Acct |
Read Only |
RO User |
API RO User |
RO Svc Acct |
API RO Svc Acct |
Read/Write |
R/W User |
API R/W User |
R/W Svc Acct |
API R/W Svc Acct |
Service Account Roles are limited from listing users and databases. API Roles limit CQL access.
Default Special Roles
In addition to the operational roles, four special default roles exist:
-
Organization Administrator: Super User
-
Database Administrator: Full access to CRUD organizations and databases
-
UI View Only: Read only access to view organizations and databases
-
Billing Admin: Billing only access
Operational Roles Detail
User Roles
| Role name | Console name | DevOps API Parameters |
|---|---|---|
Admin User |
Create All Keyspaces, |
db-all-keyspace-create, |
RO User |
Read IP Access List, |
accesslist-read, |
R/W User |
Read IP Access List, |
accesslist-read, |
API User Roles
| Role name | Console name | DevOps API Parameters |
|---|---|---|
API Admin User |
Read IP Access List, |
accesslist-read, |
API RO User |
Read IP Access List, |
accesslist-read, |
API R/W User |
Read IP Access List, |
accesslist-read, |
User Service Account Roles
| Role name | Console name | DevOps API Parameters |
|---|---|---|
Admin Svc Acct |
Create All Keyspaces, |
db-all-keyspace-create, |
RO Svc Acct |
Read IP Access List, |
accesslist-read, |
R/W Svc Acct |
Read IP Access List, |
accesslist-read, |
API Service Account Roles
| Role name | Console name | DevOps API Parameters |
|---|---|---|
API Admin Svc Acct |
Create All Keyspaces, |
db-all-keyspace-create, |
API RO Svc Acct |
Read IP Access List, |
accesslist-read, |
API R/W Svc Acct |
Read IP Access List, |
accesslist-read, |
Special Roles Detail
Billing Admin
The Billing Admin role provides only access to view the billing information for Astra DB services. This role has no management capabilities nor access to data.
| Console name | DevOps API Parameters |
|---|---|
Read Billing, |
org-billing-read, |
Database Administrator
The Database Administrator role is designed to effectively manage organizations and the databases using CRUD. This role does not have the ability to view billing, mange role-based access control (RBAC), or manage users.
| Console name | DevOps API Parameters |
|---|---|
Read IP Access List, |
accesslist-read, |
Organization Administrator
The Organization Administrator role is the most permissive default role.
| Console name | DevOps API Parameters |
|---|---|
Read IP Access List, |
accesslist-read, |
UI View Only
The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.
| Console name | DevOps API Parameters |
|---|---|
Read IP Access List, |
accesslist-read, |
Custom permissions
The tables below contain detailed descriptions of each of the permissions available in Astra DB and can be used to get more detail on the permissions assigned to the roles above.
Organization permissions
| Console name | Description | DevOps API parameter |
|---|---|---|
View DB |
See a database in a list of databases or Astra Portal. |
org-db-view |
Create DB |
Create a database using the DevOps API or Astra Portal. |
org-db-create |
Terminate DB |
Permanently delete a database and all of of its data using the DevOps API or Astra Portal. |
org-db-terminate |
Reset Password |
Reset the password for a classic database. |
org-db-passwordreset |
Manage Migrator Proxy |
Add and remove the migrator proxy from a db. |
org-db-managemigratorproxy |
Read Audits |
Enables read and download audits. |
org-audits-read |
Write Billing |
Enables links and ability to add or edit billing payment info. |
org-billing-write |
Write IP Access List |
Create or modify an access list using the DevOps API or Astra Portal. |
accesslist-write |
Manage Region |
Add, create, or remove a region using the DevOps API or Astra Portal. |
db-manage-region |
Write User |
Add, create, or remove a user using the DevOps API or Astra Portal. |
org-user-write |
Write Organization |
Create new organizations or delete an existing organization. Hides manage org and org settings. |
org-write |
Write Custom Role |
Create custom role. |
org-role-write |
Write External Auth |
Update security settings related to external auth providers. |
org-external-auth-write |
Write Token |
Create application token. |
org-token-write |
Read Billing |
Enables links and access to billing details page. |
org-billing-read |
Read IP Access List |
Enables links and access to acess list page. |
accesslist-read |
Read User |
Access to viewing users of an organization. |
org-user-read |
Read Organization |
View organization in Astra Portal. |
org-read |
Read Custom Role |
See a custom role and its associated permissions. |
org-role-read |
Read External Auth |
See security settings related to external authentication providers. |
org-external-auth-read |
Read Token |
Read token details. |
org-token-read |
Delete Custom Role |
Delete of custom role. |
org-role-delete |
Add Peering |
Create of VPC peering connection. |
org-db-addpeering |
Notification Write |
Enable or disable notifications in organization notification settings. |
org-notification-write |
Suspend DB |
Park/unpark classic databases and suspend/unsuspend serverless databases. |
org-db-suspend |
Keyspace permissions
| Console name | Description | DevOps API parameter |
|---|---|---|
Alter Keyspace |
Make changes to a specified keyspace. |
db-keyspace-alter |
Describe Keyspace |
Get a list of tables within a specified keyspace. |
db-keyspace-describe |
Modify Keyspace |
Access or modify a keyspace. |
db-keyspace-modify |
Authorize Keyspace |
Give access to specified keyspace. |
db-keyspace-authorize |
Drop Keyspace |
Remove keyspace. Available in only Astra Portal. |
db-keyspace-drop |
Create Keyspace |
Create keyspace. Available in only Astra Portal. |
db-keyspace-create |
Grant Keyspace |
Grant specific permissions for specified keyspace. |
db-keyspace-grant |
API access permissions
| Console name | Description | DevOps API parameter |
|---|---|---|
Access GraphQL API |
Connect to database via GraphQL API. |
db-graphql |
Access REST |
Connect to database via REST API. |
db-rest |
Access CQL |
Connect to database via CQL. |
db-cql |
Which role should I assign a user?
| Database Access Method | Roles |
|---|---|
Astra User Interface access |
|
GraphQL, REST, and Document API access based on database access permissions |
|
Data Loader access based on database access permissions |
|
dsbulk access based on database access permissions |
|
DevOps API access based on database access permissions |
|
Drivers based on database access permissions |
|
Manage access list for IP addresses and CIDR |
|
Manage application tokens
Application tokens allow you to connect to your database from your application using the Document, REST, and GraphQL APIs for DataStax Astra DB.
As of 4 March 2021, your Astra DB username and password will not work for your database. You will need to use an application token to connect to your database.
Create application token
|
You can also create an application token using the DevOps API. |
-
From any page in Astra DB, select the Organizations dropdown.
-
In the main dropdown, select Organization Settings.
-
From your Organization page, select the Tokens tab.
-
Select the role you want to attach to your token. The permissions for your selected role will be displayed.
-
Select Generate Token. Astra DB will generate your token and display the Client ID, Client Secret, and Token.
-
Download your Client ID, Client Secret, and Token.
|
After you navigate away from the page, you won’t be able to download your Client ID, Client Secret, and Token again. These tokens do not automatically expire, but can be destroyed in case they are compromised or no longer needed. |
You can now use your token to connect to the Astra DB APIs. See more about the available APIs:
You can use your Client ID and Client Secret to connect to your database. See more about the available connection options:
Set environment variables
In your command-line interface associated with your environment, paste the following environment variables copied for your Astra DB database:
export ASTRA_DB_ID=<database_id>
export ASTRA_DB_REGION=<database_region>
export ASTRA_DB_KEYSPACE=<keyspace_name>
export ASTRA_DB_APPLICATION_TOKEN=<app_token>Delete application token
If you need to limit access to your database, you can delete an application token.
-
Select the overflow menu for the application token you want to delete.
-
Select Delete to delete that application token.
-
If necessary, generate a new application token for the same user role.
Manage custom roles
Within Role Management, you can see the permissions for a specific role by hovering over the number in the Permissions column of the table. This will show the permissions granted to the role.
If the default roles don’t meet your requirements, you can use custom roles that meet your organizational needs.
Create custom role
|
You can also create custom roles using the DevOps API. |
-
In Astra Portal, select the organization in the left navigation to add a custom role.
-
Select Settings.
-
Select Role Management and then Add Custom Role.
-
Enter the name you want to use for your custom role. This name should help you easily identify when you want to assign this role to users.
-
Select the Organization, Keyspace, Table, and API permissions you want to assign to your custom role.
If you want users with this role to be able to see the Astra DB user interface, make sure you select Read User and View DB permissions.
-
To apply your selected permissions to specific databases or keyspaces, toggle the switch to not apply the permissions to all databases in an organization. Then select the specific databases or keyspaces to which you want to apply the permissions.
-
Once you have selected your permissions, select Create Role.
To see your custom roles, select Role Management within your Organization. You can now invite users using your new custom role.
Edit user roles
-
From your Organization page, select Role Management.
-
Select Edit Role from the overflow menu for the custom role you want to update.
-
When editing the role, you can edit the name, permissions, database, and keyspace.
-
Once you have updated your permissions, select Edit Role.
Your updated custom role will show up in Role Management within your Organization.
Bring Your Own Key
Encryption is a widely accepted mechanism to secure data against breaches. By default, DataStax Astra DB encrypts data, and cloud providers such as AWS and Google Cloud offer encryption solutions. However, you may want to further limit data access, because cloud providers have access to the keys and ultimately to the data.
To address this security concern, Astra DB allows you to associate a Customer Managed Key (one per region) that you defined in the cloud provider’s Key Management Service with a Customer Key that you create in Astra DB.
We call this organization-scoped Astra DB feature Bring Your Own Key (BYOK).
|
This BYOK feature:
|
For related details, see the Customer Keys API reference.
Pricing and billing
Learn about the pricing model and billing structure for DataStax Astra DB serverless and databases.
Serverless pricing
There are three primary factors that affect the pricing:
-
plan selection
-
units of measure
-
cloud provider and region
Plan selection
DataStax allows you to choose your commitment, and thus your savings. To get an accurate cost for your database, select a cloud provider/region and create your first database. To get started for free without entering credit card details, select the Free plan and receive a $25 credit. This credit is good for up to 80GB storage and 20 million Read/Write operations.
Units of measure
The following units of measure affect the pricing of your database:
-
Read requests (per 1M): the unit of measure for billing database reads. This unit is based on the amount of data retrieved to satisfy the query. A read request that returns up to 4KB of data is considered one Read Request Unit (RRU). If the request returns more than 4KB of data, additional read requests are required. If a read request involves server-side filtering or aggregation of data, the data is measured before the filtering or aggregation takes place. Some examples of queries where this can happen are:
-
Queries that use the ALLOW FILTERING clause.
-
Queries that use the COUNT function.
-
Queries that use the GROUP BY clause.
-
Queries that do not request all columns from a row be returned.
-
-
Write requests (per 1M): the unit of measure for billing database writes. This unit is based on the payload size of each write request. A write request with up to 1KB of data is considered one Write Request Unit (WRU). If the request has more than 1KB of data, additional writes are required.
-
Insert/Update/Upsert: each option is treated as a write operation and is calculated as part of the Write Request Unit (WRU).
-
Logged and Unlogged are the two types of batched writes. Logged batched writes have an additional WRU consumed.
For example, a single-partition unlogged batch write operation with 10 rows, each row containing 1.2KB of data has 12 WRUs (Total size of the single-partition rows divided by 1KB. That is, [(10 rows * 1.2KB)/1KB = 12 WRUs]). A 2-partition logged batch with 2 rows (one row for each partition), each row containing 1.2KB of data has 5 WRUs ([ (2 * 1.2KB) /1KB + 2 = 5 WRU]). This calculation depends on the size per table in the batch. In this case, the size of the table (2 * 1.2KB) results in 3 WRUs and 2 additional WRUs for logged batch operation.
-
The write index SAI is treated the same as a write, but has an additional cost.
-
The write index SAI size is based on the size of each indexed column (not the size of the index), regardless of the column type. For example, the SAI index for a column with a value of 2KB in size results in 2 WRUs.
-
-
One delete operation is considered one write request regardless of the size. This is calculated as part of the WRU.
-
There is no charge for the TTL delete operation, DROP statements or TRUNCATE statements.
-
-
Lightweight Transactions (LWT) are treated as a combination of a read and write event. LWTs do a read, evaluate a condition, and a write if the condition is true. For LWT, there are both WRU and additional RRU costs. The number of RRUs is always one regardless of the size.
-
User-defined Types UDT: there are no additional charges for UDTs. The column data size is counted regardless of the type.
-
-
Data storage (GB/month): all data stored in the database (including the actual data, indexes, and metadata). You are not billed extra for standard backups of your data. It is included in the base storage costs.
-
Data Transfer (GB): the transfer of customer data out of the database, including data transferred between the replicas to meet the replication factor for the data. Billable units and pricing vary depending on whether the Data Transfer occurs within the same region of a cloud provider network ("Data Transfer - Same Region"), across regions within the same cloud provider network ("Data Transfer - Cross Region within Cloud Provider Network"), or leaves the cloud provider network over the internet ("Data Transfer - Internet").
-
Premium charges are applied for:
-
Dimensions used in Query: based on database dimensions and average dimensions per query.
-
Aggregated count of the number of dimensions searched with vector search ANN queries. Separate from Counter in case we decide to add a scaling factor in the future.
-
Aggregated count of the number of dimensions searched with vector search ANN queries.
-
Aggregated count of the number of dimensions written to.
-
-
Index Storage Size: estimate storage size per month, methods of procedure (MOP) per month, and either 3 or 1 Avaliability Zones (AZ).
-
Private endpoints
Private endpoints are charged per endpoint per region at $0.01/hour.
Additionally, you are billed for ingress and egress data at $0.01/GB for all data that uses the private endpoint. If you exceed your monthly credit and you do not have a payment method in Astra DB, your database is not available for use until you add a payment method.
|
Data transfer charges for private endpoints is in addition to your regular data transfer charges. |
REST and JSON API
These are the additional points to consider for REST and JSON APIs:
-
For the REST API, there is a one-to-one mapping between REST operations and CQL requests.
-
For the JSON API, each write operation creates just one row in the collection.
-
For each non-null value column, there is also an index. The DataStax Storage-Attached Indexing (SAI) cost is computed as the size of each indexed column, regardless of the column type.
|
JSON API is available as a public preview release. See Developing with JSON API. |
Cloud providers and regions
You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers different database regions. See each offering by region. The cloud provider and region you select affects the price of each unit of measure for your database.
Multiple regions
|
Multiple regions is available on only pay as you go and annual plans. |
If you are using multiple regions for your serverless database:
-
Write requests are replicated in all regions and charged at the respective rates for each region.
-
Read requests are performed at the region level and charged at the region-specific rate.
Data Storage is calculated based on actual disk consumption per region at the region-specific rate.
CDC for Astra Streaming
Enabling CDC for Astra Streaming results in increased usage costs based on your Astra Streaming usage.
Free plans
For free plans, your remaining credits are displayed. These credits include the $25 credit that is renewed every month.
Pay as you go plans
For pay as you go plans, you must have a billing method for your account. Any remaining credits are displayed. Any usage amount appears in the Estimated Bill, which is auto-drafted monthly based on Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC).
Annual plans
For the annual plan, you are committing to the minimum monthly spend for 12 months. Your remaining credits display the balance of any unused credits you have, along with the committed monthly minimum that is billed in arrears at the end of the month. If you exceed your credit and committed monthly minimum, the overages are charged at your discounted rate. This amount shows up in the Estimated Bill, which is auto-drafted monthly based on Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC).
Cloud providers and regions
You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers Standard, Premium and Premium+ regions. The cloud provider and region you select affects the price of each unit of measure for your database.
|
Effective July 1, 2022, there is no separate premium pricing for Astra Classic Multi-region. All Astra Classic customers are charged additional data transfer cost. Data Transfer pricing is the same as Astra Serverless pricing. For more details on the definitions of "Multi-Region" and "Data Transfer" as well as respective pricing, please visit the Astra Serverless pricing page. |
Billing
Astra DB handles billing through an integration with Stripe, and displays all related billing information in the Billing & Payments section of your Organization.
In Billing & Payments, you can see your plan and payment method, along with when the plan was created. You can also select Manage to change your plan.
You can also update your payment method in the Billing & Payments section. Your Billing & Payments also displays each database included in your server, allowing you to see what your total cost is per database.
Managing payment methods
Optionally, update your payment method in the Billing & Payments section. Your Billing & Payments also displays each database included in your server, allowing you to see your total cost per database.
Update the payment method you entered when creating your DataStax Astra DB database. Before your monthly credit runs out, you must enter your credit card number and associated billing information to ensure your database remains accessible.
Enter updated credit card information and associated billing details, or delete the existing payment method.
Astra DB supports one payment method for each organization.
Updating your payment information
-
From any page in Astra DB, select the Organizations dropdown.
-
In the main dropdown, select Organization Settings.
-
From Billing & Payment, select Invite User.
-
From your Astra Dashboard, select Add Payment Method or Update beside the existing payment method.
-
In the Update Payment Method menu, confirm that you want to Update your payment method.
-
Enter the new billing information and Save.
-
Your payment method is updated. All future billing will use the new payment entered.
Removing a Payment Method
Use this section to remove any payment method associated with Astra DB serverless and Astra Streaming.
There are two selections to consider before removing your payment method: any outstanding balance for your organization and any premium features added to this plan. A premium feature, such as multi-region or private endpoints, is optionally applied to a resource.
To remove your payment method, open your Astra DB account and go to Billing. Your organization’s dashboard of billing services and payments made is available for viewing. Click Remove.
Prerequisites
Ensure your organization meets the following requirements to remove your payment method:
-
With no outstanding balance and no premium features, you can remove your payment method at any time. A dialog box appears to confirm you want to remove the payment method; select Remove Payment Method.
A message appears that you have successfully removed the payment method. An email is also sent for your records.
-
If you have no outstanding balance and premium features, you must remove all of these features before you can proceed. Click the link for each premium feature (as shown below) to remove them.
-
If you have an outstanding balance and no premium features, you must wait until the next billing cycle to settle this account.
-
If you have an outstanding balance and premium features, you must remove your premium features before you can remove your payment method. You must wait until the next billing cycle to settle this account.
Removing premium features
Each premium feature is unique and has specific instructions for removal. The following links offer instructions on removing the following premium features: