Manage user permissions
Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.
You can manage roles using the DataStax Astra DB user interface or the DevOps API.
Default Operational Roles
The default roles address four types of operational users and three levels of access.
This matrix shows the four types of operational users with each of the three levels of access:

| | User | API User | User Service Account | API Service Account |
|---|---|---|---|---|
| Admin | Administrator User | API Administrator User | Administrator Svc Acct | API Administrator Svc Acct |
| Read Only | RO User | API RO User | RO Svc Acct | API RO Svc Acct |
| Read/Write | R/W User | API R/W User | R/W Svc Acct | API R/W Svc Acct |
Service Account roles are restricted from listing users and databases. API roles restrict CQL access.
Default Special Roles
In addition to the operational roles, four special default roles exist:

- Organization Administrator: Super User
- Database Administrator: Full access to CRUD organizations and databases
- UI View Only: Read-only access to view organizations and databases
- Billing Admin: Billing-only access
Operational Roles Detail
User Roles

| Role name | Console name | DevOps API Parameters |
|---|---|---|
| Admin User | Create All Keyspaces, | db-all-keyspace-create, |
| RO User | Read IP Access List, | accesslist-read, |
| R/W User | Read IP Access List, | accesslist-read, |

API User Roles

| Role name | Console name | DevOps API Parameters |
|---|---|---|
| API Admin User | Read IP Access List, | accesslist-read, |
| API RO User | Read IP Access List, | accesslist-read, |
| API R/W User | Read IP Access List, | accesslist-read, |

User Service Account Roles

| Role name | Console name | DevOps API Parameters |
|---|---|---|
| Admin Svc Acct | Create All Keyspaces, | db-all-keyspace-create, |
| RO Svc Acct | Read IP Access List, | accesslist-read, |
| R/W Svc Acct | Read IP Access List, | accesslist-read, |

API Service Account Roles

| Role name | Console name | DevOps API Parameters |
|---|---|---|
| API Admin Svc Acct | Create All Keyspaces, | db-all-keyspace-create, |
| API RO Svc Acct | Read IP Access List, | accesslist-read, |
| API R/W Svc Acct | Read IP Access List, | accesslist-read, |
Special Roles Detail
Billing Admin
The Billing Admin role provides access only to view the billing information for Astra DB services. This role has no management capabilities and no access to data.

| Console name | DevOps API Parameters |
|---|---|
| Read Billing, | org-billing-read, |
Database Administrator
The Database Administrator role is designed to manage organizations and their databases using CRUD operations. This role cannot view billing, manage role-based access control (RBAC), or manage users.

| Console name | DevOps API Parameters |
|---|---|
| Read IP Access List, | accesslist-read, |
Organization Administrator
The Organization Administrator role is the most permissive default role.
| Console name | DevOps API Parameters |
|---|---|
| Read IP Access List, | accesslist-read, |
UI View Only
The UI View Only role is a highly limited role that can only list users, databases, and access lists.

| Console name | DevOps API Parameters |
|---|---|
| Read IP Access List, | accesslist-read, |
Custom permissions
The tables below describe each permission available in Astra DB and can be used to look up the permissions assigned to the roles above.
Organization permissions
| Console name | Description | DevOps API parameter |
|---|---|---|
| View DB | See a database in a list of databases or in Astra Portal. | org-db-view |
| Create DB | Create a database using the DevOps API or Astra Portal. | org-db-create |
| Terminate DB | Permanently delete a database and all of its data using the DevOps API or Astra Portal. | org-db-terminate |
| Reset Password | Reset the password for a classic database. | org-db-passwordreset |
| Manage Migrator Proxy | Add and remove the migrator proxy from a database. | org-db-managemigratorproxy |
| Read Audits | Enables reading and downloading audits. | org-audits-read |
| Write Billing | Enables links and the ability to add or edit billing payment information. | org-billing-write |
| Write IP Access List | Create or modify an access list using the DevOps API or Astra Portal. | accesslist-write |
| Manage Region | Add, create, or remove a region using the DevOps API or Astra Portal. | db-manage-region |
| Write User | Add, create, or remove a user using the DevOps API or Astra Portal. | org-user-write |
| Write Organization | Create new organizations or delete an existing organization. Hides manage org and org settings. | org-write |
| Write Custom Role | Create a custom role. | org-role-write |
| Write External Auth | Update security settings related to external auth providers. | org-external-auth-write |
| Write Token | Create an application token. | org-token-write |
| Read Billing | Enables links and access to the billing details page. | org-billing-read |
| Read IP Access List | Enables links and access to the access list page. | accesslist-read |
| Read User | View the users of an organization. | org-user-read |
| Read Organization | View an organization in Astra Portal. | org-read |
| Read Custom Role | See a custom role and its associated permissions. | org-role-read |
| Read External Auth | See security settings related to external authentication providers. | org-external-auth-read |
| Read Token | Read token details. | org-token-read |
| Delete Custom Role | Delete a custom role. | org-role-delete |
| Add Peering | Create a VPC peering connection. | org-db-addpeering |
| Notification Write | Enable or disable notifications in organization notification settings. | org-notification-write |
| Suspend DB | Park/unpark classic databases and suspend/unsuspend serverless databases. | org-db-suspend |
Keyspace permissions
| Console name | Description | DevOps API parameter |
|---|---|---|
| Alter Keyspace | Make changes to a specified keyspace. | db-keyspace-alter |
| Describe Keyspace | Get a list of tables within a specified keyspace. | db-keyspace-describe |
| Modify Keyspace | Access or modify a keyspace. | db-keyspace-modify |
| Authorize Keyspace | Give access to a specified keyspace. | db-keyspace-authorize |
| Drop Keyspace | Remove a keyspace. Available only in Astra Portal. | db-keyspace-drop |
| Create Keyspace | Create a keyspace. Available only in Astra Portal. | db-keyspace-create |
| Grant Keyspace | Grant specific permissions for a specified keyspace. | db-keyspace-grant |
API access permissions
| Console name | Description | DevOps API parameter |
|---|---|---|
| Access GraphQL API | Connect to the database via the GraphQL API. | db-graphql |
| Access REST | Connect to the database via the REST API. | db-rest |
| Access CQL | Connect to the database via CQL. | db-cql |
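The permission identifiers above are what a custom role is built from, so a least-privilege check on a proposed role is worth automating. The following is an added example (not DataStax code): it validates a proposed action set against the identifiers in the tables above, flags permissions that let a holder widen access, and applies the rule that API roles restrict CQL access. The request body shape (name plus a policy with effect/resources/actions) and the `drn:astra:org:<id>` resource string are assumptions about the DevOps API; confirm them against the API reference before use.

```python
# Added example, not DataStax code: a least-privilege linter for a custom-role
# definition built from the DevOps API parameters listed in the tables above.
# The request body shape (name + policy with effect/resources/actions) and the
# "drn:astra:org:<id>" resource string are assumptions about the DevOps API;
# confirm them against the API reference before use.

ORG = {"org-db-view", "org-db-create", "org-db-terminate", "org-db-passwordreset",
       "org-db-managemigratorproxy", "org-audits-read", "org-billing-write",
       "accesslist-write", "db-manage-region", "org-user-write", "org-write",
       "org-role-write", "org-external-auth-write", "org-token-write",
       "org-billing-read", "accesslist-read", "org-user-read", "org-read",
       "org-role-read", "org-external-auth-read", "org-token-read",
       "org-role-delete", "org-db-addpeering", "org-notification-write",
       "org-db-suspend"}
KEYSPACE = {"db-keyspace-alter", "db-keyspace-describe", "db-keyspace-modify",
            "db-keyspace-authorize", "db-keyspace-drop", "db-keyspace-create",
            "db-keyspace-grant"}
API = {"db-graphql", "db-rest", "db-cql"}
KNOWN = ORG | KEYSPACE | API

# This example's own classification: permissions that let a holder widen
# access for themselves or others, so a custom role carrying them needs review.
PRIVILEGE_GRANTING = {"org-role-write", "org-role-delete", "org-user-write",
                      "org-token-write", "org-external-auth-write", "org-write",
                      "db-keyspace-authorize", "db-keyspace-grant"}

def lint_role(actions, api_only=False):
    """Return findings for a proposed action set (empty list means clean).
    api_only applies the page's rule that API roles restrict CQL access."""
    wanted = set(actions)
    findings = [f"unknown permission: {a}" for a in sorted(wanted - KNOWN)]
    findings += [f"privilege-granting permission needs review: {a}"
                 for a in sorted(wanted & PRIVILEGE_GRANTING)]
    if api_only and "db-cql" in wanted:
        findings.append("db-cql is not allowed on an API role")
    return findings

def build_role_body(name, actions, org_id="__ORG_ID__", api_only=False):
    """Build the custom-role request body, refusing a definition with findings."""
    findings = lint_role(actions, api_only)
    if findings:
        raise ValueError("; ".join(findings))
    return {"name": name,
            "policy": {"description": f"custom role {name}", "effect": "allow",
                       "resources": [f"drn:astra:org:{org_id}"],
                       "actions": sorted(wanted := set(actions))}}
```

A read-only REST service account, for instance, passes with `["db-rest", "org-db-view", "accesslist-read"]` and `api_only=True`, while any set containing `org-token-write` or `org-role-write` is refused until reviewed.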
Which role should I assign a user?
| Database Access Method | Roles |
|---|---|
| Astra User Interface access | |
| GraphQL, REST, and Document API access based on database access permissions | |
| Data Loader access based on database access permissions | |
| dsbulk access based on database access permissions | |
| DevOps API access based on database access permissions | |
| Drivers based on database access permissions | |
| Manage access list for IP addresses and CIDR | |