Denying Permission

RESTRICT a privilege on a resource to deny access to user with the role. The user is denied access even if the role is a superuser, privilege has been granted directly to the role or was inherited. Use UNRESTRICT to remove any restrictions the role has on the database resource.

An account with the superuser role has full read/write access to the database. If your goal is that certain database administrators should not be able to see or modify data, then do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data.

GRANT and REVOKE only allow access to database resources that are UNRESTRICT.

Procedure

  1. Log in to CQLSH with a superuser role.

    cqlsh -u <username>

    Logging in with the default role cassandra may impact performance or may fail. All requests including login are executed with consistency QUORUM.

  2. Create an account with login enabled, but as highlighted in the Tip above, intentionally do not give this db_admin account the superuser role.

    CREATE ROLE IF NOT EXISTS db_admin
WITH superuser = false
AND login = true
AND password = 'anypasswordwilldo';

    A password is required for internal accounts but not for LDAP or Kerberos. See CREATE ROLE.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com