GRANT

Allow access to database resources.

Assigns privileges to roles on database resources, such as keyspaces, tables, and functions.

Important: Permissions apply immediately, even to active client sessions.

Restriction: Enable authentication and authorization to control access to database resources. See Enabling DSE Unified Authentication.

Note: To modify a base table that has a materialized view (MV) using an INSERT or UPDATE command if access permissions are enabled, a user must be granted MODIFY or ALL PERMISSIONS on the base table.

Synopsis

GRANT permission
  ON object
  TO role_name ;

Table 1. Legend
Syntax conventions	Description
UPPERCASE	Literal keyword.
Lowercase	Not literal.
`Italics`	Variable value. Replace with a user-defined value.
`[]`	Optional. Square brackets ( `[]` ) surround optional command arguments. Do not type the square brackets.
`( )`	Group. Parentheses ( `( )` ) identify a group to choose from. Do not type the parentheses.
`\|`	Or. A vertical bar ( `\|` ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
`...`	Repeatable. An ellipsis ( `...` ) indicates that you can repeat the syntax element as often as required.
`'Literal string'`	Single quotation ( `'` ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
`{ key : value }`	Map collection. Braces ( `{ }` ) enclose map collections or key value pairs. A colon separates the key and the value.
`<datatype1,datatype2>`	Set, list, map, or tuple. Angle brackets ( `< >` ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
`cql_statement;`	End CQL statement. A semicolon ( `;` ) terminates all CQL statements.
`[--]`	Separate the command line options from the command arguments with two hyphens ( `--` ). This syntax is useful when arguments might be mistaken for command line options.
`' <schema> ... </schema> '`	Search CQL only: Single quotation marks ( `'` ) surround an entire XML schema declaration.
`@xml_entity='xml_entity_type'`	Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.

permission

Type of access a role has on a database resource. Use ALL PERMISSIONS or a comma separated list of permissions.

Permissions are resource specific as follows:

Data - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT
Functions (and aggregates) - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, and DROP
Search indexes - AUTHORIZE [FOR permission_list], SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, and SEARCH.RELOAD
Roles - ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, PROXY.EXECUTE, and PROXY.LOGIN
JMX (MBeans) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, EXECUTE, MODIFY, and SELECT
Remote procedure calls (RPC) - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], EXECUTE, MODIFY, and SELECT
Authentication schemes - ALL PERMISSIONS or AUTHORIZE [FOR permission_list] and EXECUTE
Spark workpools - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], CREATE, and DESCRIBE
Spark submissions - ALL PERMISSIONS or AUTHORIZE [FOR permission_list], DESCRIBE, and MODIFY

Note: To manage access control the role must have authorize permission on the resource for the type of permission. When AUTHORIZE is granted without specifying FOR permission, the role can manage all permissions on the object.

resource_name

DataStax Enterprise database objects on which permissions are applied. Database resources have modelled hierarchy, the permission on a top level object gives the role the same permission on the objects ancestors. Identify the resource using the following keywords:

Data - ALL KEYSPACES > KEYSPACE keyspace_name > TABLE table_name > 'filtering_data' ROWS IN table_name
Function (including aggegrates) - ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE keyspace_name, and FUNCTION keyspace_name.function_name( argument_types)
Search indexes - ALL SEARCH INDICES > SEARCH KEYSPACE keyspace_name > SEARCH INDICES [keyspace_name.]table_name
JMX MBeans - ALL MBEANS > MBEAN mbean_name and MBEANS pattern
Remote procedure calls (RPC) - ALL REMOTE CALLS > REMOTE METHOD name | REMOTE OBJECT name
Roles - ALL ROLES > ROLE role_name
Authentication schemes - ALL SCHEMES > LDAP | KERBEROS | INTERNAL
Analytic applications
- Workpools - ANY WORKPOOL > WORKPOOL 'dc_name.*' > WORKPOOL 'dc_name.workpool_name'
- Submissions - ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL 'datacenter_name.*' > 'datacenter_name.workpool_name' > SUBMISSION ID

Examples

In most environments, user authentication is handled by a plug-in that verifies the user credentials against an external directory service such as LDAP. For simplicity, the following examples use internal users.

Manage object permissions

Use AUTHORIZE to allow a role to manage access control of specific resources.

Allow role to grant any permission type, including AUTHORIZE, on all objects in the cycling keyspace:
```
GRANT AUTHORIZE ON KEYSPACE cycling TO cycling_admin;
```
Warning: This makes the role a superuser in the cycling keyspace because roles can modify their own permissions as well as roles that they inherit permissions from.
Allow the sam role to assign permission to run queries and change data in the cycling keyspace:
```
GRANT AUTHORIZE FOR SELECT, MODIFY ON KEYSPACE cycling TO sam;
```
Tip: The sam role cannot grant other permissions such as AUTHORIZE, AUTHORIZE FOR ..., ALTER, CREATE, DESCRIBE, and DROP to another role.

Access to data resources

Use the data resource permissions to manage access to keyspaces, tables, rows, and types.

Give the role cycling_admin all permissions to the cycling keyspace:

GRANT ALL PERMISSIONS ON KEYSPACE cycling TO cycling_admin;

Give the role coach permission to perform SELECT statements and modify data on all tables in the cycling keyspace:

GRANT SELECT, MODIFY ON KEYSPACE cycling TO coach;

Give the role coach permission to perform

ALTER
            KEYSPACE

statements on the cycling keyspace, and also

ALTER
            TABLE

, CREATE INDEX and DROP INDEX statements on all tables in cycling keyspace:

GRANT ALTER ON KEYSPACE cycling TO coach;

Give the role martin permission to perform SELECT statements on rows that contain 'Sprint' in cycling.cyclist_category table:

GRANT SELECT ON 'Sprint' ROWS IN cycling.cyclist_category TO martin;

Note: The filtering_data string is case-sensitive.

To view permissions see LIST PERMISSIONS.