RESTRICT
Denies the permission on a resource, even if the role is directly granted or inherits permissions.
Use RESTRICT to deny a role access to a data resource, that is, a keyspace or table. RESTRICT denies access even if permission to access the resource has been granted or inherited.
Attention: Regardless of how you use RESTRICT, an account with the superuser role has full read/write access to the database. If your goal is that certain database administrators should not be able to see or modify data, do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data. See also Restricting access to data.
Synopsis
RESTRICT permission ON [keyspace_name.]table_name TO role_name ;
Syntax conventions | Description |
---|---|
UPPERCASE | Literal keyword. |
Lowercase | Not literal. |
Italics | Variable value. Replace with a user-defined value. |
[] | Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets. |
( ) | Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses. |
\| | Or. A vertical bar ( \| ) separates alternative elements. Type any one of the elements. Do not type the vertical bar. |
... | Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required. |
'Literal string' | Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case. |
{ key : value } | Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value. |
<datatype1,datatype2> | Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma. |
cql_statement; | End CQL statement. A semicolon ( ; ) terminates all CQL statements. |
[--] | Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options. |
' <schema> ... </schema> ' | Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration. |
@xml_entity='xml_entity_type' |
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files. |
- permission
- A comma-separated list of permissions that the role is prevented from using on the resources, even if the permissions are granted. The permission types are: ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
- resource
- Database object to which the permission is denied. Restriction is applied using the modeled hierarchy as follows:
  - ALL KEYSPACES - restricts access to every keyspace and table.
  - KEYSPACE keyspace_name - restricts access on the keyspace and any table it contains.
  - TABLE table_name - restricts access on the table and all the data it contains.
Examples
Prevent the role admin from seeing any data in the cycling keyspace:
RESTRICT MODIFY, SELECT ON KEYSPACE cycling TO role_admin;
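The approach recommended in the Attention note above, shown as an added example that is not part of the original documentation: a database administrator account that can manage the cycling keyspace and roles but cannot read or write its data. The role name dba_ops and the password placeholder are assumptions made for illustration.

```cql
-- Constructed example: dba_ops is a hypothetical role name;
-- cycling is the keyspace used in the example on this page.

-- Avoid: a superuser account keeps full read/write access to the
-- database regardless of any RESTRICT applied to it.
-- CREATE ROLE dba_ops WITH SUPERUSER = true AND LOGIN = true
--   AND PASSWORD = '<placeholder-password>';

-- Instead: create the administrator as a non-superuser login role.
CREATE ROLE dba_ops WITH SUPERUSER = false AND LOGIN = true
  AND PASSWORD = '<placeholder-password>';

-- Let the role manage the keyspace (and the tables it contains)
-- and manage roles.
GRANT ALL PERMISSIONS ON KEYSPACE cycling TO dba_ops;
GRANT ALL PERMISSIONS ON ALL ROLES TO dba_ops;

-- Deny reading and writing data. The restriction applies even though
-- ALL PERMISSIONS was granted above, and because it is set at the
-- keyspace level it covers every table in cycling.
RESTRICT MODIFY, SELECT ON KEYSPACE cycling TO dba_ops;

-- Review: confirm dba_ops is not listed as a superuser, then list
-- the permissions recorded for the role.
LIST ROLES;
LIST ALL PERMISSIONS OF dba_ops;
```

Run the review statements after any later GRANT to dba_ops or to a role it inherits from, and whenever role attributes change, since superuser status is the one setting that overrides the restriction.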