Manage roles and permissions

Organization users can access databases via the Astra Portal, and applications can access them via the API.

To grant a user access to a database in the Astra Portal, you assign a role to the user’s account in your organization. To grant your application access to a database, you assign a role to the application token that your application uses to authenticate with the Astra API.

About roles

A role defines the level of access that a user or application has to a database. A role can be either a default role or a custom role.

All roles consist of:

  • A name

  • A set of permissions

  • A set of database and keyspace scopes

For example, you could assign one role to an organization user that grants access to a set of databases and another role to an application token that grants access to a specific set of keyspaces within a single database. This system allows you to mix and match access levels to different databases and keyspaces to satisfy your application and security requirements.

Default roles

Astra provides a set of default roles that you can assign to organization users and application tokens. These roles are designed to cover the most common use cases for accessing databases and other Astra resources.

Default roles are permitted to access all databases in an organization. If you assign a default role to an application token, then any application using that token is granted the privileges of that role on any of your databases. To limit the databases an application token can access, you must create a custom role.

Default roles available in Astra
Role name Role permissions

Organization Administrator

Grants all permissions.

Administrator Service Account

Administrator User

Billing Administrator

UI View Only

Database Administrator

Read Only Service Account

Read/Write Service Account

Read Only User

Read/Write User

API Administrator Service Account

API Read/Write Service Account

API Read Only Service Account

API Read Only User

API Administrator User

API Read/Write User

Custom roles

If none of the default roles meet your specific security requirements, you can create a custom role.

Manage custom roles

In the Astra Portal, you can view all custom roles in your organization by going to Settings > Roles.

To manage custom roles, you must have one of the following roles:

Create a custom role

  1. In the Astra Portal, go to Settings > Roles.

  2. Click Add Custom Role.

  3. Enter a name for the role in the Role Name field.

  4. In the Add Permissions section, use the checkboxes to add permissions to the role.

    You can add permissions from the following categories:

  5. In the Add Databases section, select the specific databases and respective keyspaces you want the role scoped to. Or you can use the Apply permissions to all databases in this organization toggle to scope the role to all current and future databases.

  6. Click Create Role.

The new role appears in the Roles tab. You can assign the role to an organization user or application token.

Edit a custom role

  1. In the Astra Portal, go to Settings > Roles.

  2. Find the role you want to edit and click the overflow menu icon (three dots). Select Edit Role.

  3. You can modify all of the same settings that you can when creating a custom role.

  4. When you’re done, click Edit Role.

Delete a custom role

  1. In the Astra Portal, go to Settings > Roles.

  2. Find the role you want to delete and click the overflow menu icon (three dots). Select Delete Role.

  3. In the confirmation dialog, click Delete Role.

Deleting a custom role removes it from all organization users and application tokens it is currently assigned to. Before deleting a custom role, reassign users to new roles and generate new application tokens to ensure continuity of access.

About permissions

Permissions define resources and actions that can be accessed in a database. Permissions are assigned to roles and determine the level of access that a user or application has to a database.

Organization permissions

Permission name DevOps API parameter Description

Add Peering

org-db-addpeering

Create a VPC peering connection.

Create DB

org-db-create

Create a database using the DevOps API or Astra Portal.

Delete Custom Role

org-role-delete

Delete a custom role.

Expand DB

org-db-expand

Astra DB Classic only. Use the DevOps API or Astra Portal to add more capacity units.

Manage Metrics

db-manage-thirdpartymetrics

Manage Private Endpoint

db-manage-privateendpoint

Manage Region

db-manage-region

Add, create, or remove a region using the DevOps API or Astra Portal.

Manage Streaming

Read Audits

org-audits-read

Enables read and download audits.

Read Billing

org-billing-read

Enables links and access to billing details page.

Read CMK Key

org-cmk-read

Read Custom Role

org-role-read

See a custom role and its associated permissions.

Read External Auth

org-external-auth-read

See security settings related to external authentication providers.

Read IP Access List

accesslist-read

Enables links and access to acess list page.

Read Organization

org-read

View organization in Astra Portal.

Read Token

org-token-read

Read token details.

Read User

org-user-read

Access to viewing users of an organization.

Terminate DB

org-db-terminate

Permanently delete a database and all of of its data.

View DB

org-db-view

See a database in a list of databases or Astra Portal.

Write Billing

org-billing-write

Enables links and ability to add or edit billing payment info.

Write CMK Key

org-cmk-write

Write Custom Role

org-role-write

Create custom role.

Write External Auth

org-external-auth-write

Update security settings related to external auth providers.

Write IP Access List

accesslist-write

Create or modify an access list using the DevOps API or Astra Portal.

Write Organization

org-write

Create new organizations or delete an existing organization.

Write Token

org-token-write

Create application token.

Write User

org-user-write

Add, create, or remove a user using the DevOps API or Astra Portal.

Keyspace permissions

Permission name DevOps API parameter Description

Alter Keyspace

db-keyspace-alter

Make changes to a specified keyspace.

Authorize Keyspace

db-keyspace-authorize

Give access to specified keyspace.

Create All Keyspaces

db-all-keyspace-create

Create Keyspace

db-keyspace-create

Create keyspace. Available in only Astra Portal.

Describe All Keyspaces

db-all-keyspace-describe

Describe Keyspace

db-keyspace-describe

Get a list of tables within a specified keyspace.

Drop Keyspace

db-keyspace-drop

Remove keyspace. Available in only Astra Portal.

Grant Keyspace

db-keyspace-grant

Grant specific permissions for specified keyspace.

Modify Keyspace

db-keyspace-modify

Access or modify a keyspace.

Table permissions

Applies to all tables in the selected keyspace(s).

Permission name DevOps API parameter Description

Alter Table

db-table-alter

Authorize Table

db-table-authorize

Create Table

db-table-create

Describe Table

db-table-describe

Drop Table

db-table-drop

Grant Table

db-table-grant

Modify Table

db-table-modify

Select Table

db-table-select

API access permissions

Permission name DevOps API parameter Description

Access CQL

db-cql

Connect to database via CQL.

Access GraphQL

db-graphql

Connect to database via GraphQL API.

Access REST

db-rest

Connect to database via REST API.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com