Role Based Access Control (RBAC)

Role Based Access Control (RBAC) is a method of reducing lists of authorized users to a few roles assigned to multiple users. RBAC is sometimes referred to as role-based security.

Roles vs Users

Roles supersede and generalize users. Everything you could do with users in older versions of ScyllaDB you can do with roles, and in addition, roles can be granted to other roles. If the role developer is granted to the role manager, then all permissions of developer are also held by manager.

To distinguish roles that correspond to an individual person from roles that represent a group, any role that can log in is a user. Within that framework, all users are roles, but not all roles are users.

For example, consider an organization with a role-based hierarchy. The Guest role, for people who are not members of the organization, has the least privileges, and the DB Administrator role has the most. The Engineer and QA roles have similar privileges, but neither has permission to modify the other's keyspace. A structure like this is useful because permissions are granted to representative roles instead of individual users, so you can add and remove permissions with ease without affecting other users. Suppose a new engineer joins the organization. All you need to do is create a user for that engineer and grant it the Engineer role; once the role is granted, the user inherits all of the permissions of that role. In the same manner, should someone leave the organization, all you have to do is assign that user to a non-employee role (Guest, for example). Should someone change positions at the company, grant the user the new role and revoke the roles no longer required for the new position.

To build an RBAC environment, you need to create the roles and their associated permissions and then assign or grant the roles to the individual users. Roles inherit the permissions of any other roles that they are granted. The hierarchy of roles can be either simple or extremely complex. This gives great flexibility to database administrators, where they can create specific permission conditions without incurring a huge administrative burden. In addition to standard roles, ScyllaDB Enterprise users can implement Workload Prioritization, which allows you to attach roles to Service Levels, thus granting resources to roles as the role demands.

Granting roles and permissions

When creating a role, you grant it permissions on resources. The permission is what the role is permitted to do, and the resource is the scope over which the permission is granted. The form of a grant is:

GRANT (permission | "ALL PERMISSIONS") ON resource TO role

where:

  • permission is CREATE, DESCRIBE, etc.

  • resource is one of:
    • "<ks>.<tab>"

    • "KEYSPACE <ks>"

    • "ALL KEYSPACES"

    • "ROLE <role>"

    • "ALL ROLES"

    Note that an unqualified table name assumes the current keyspace.

Use case

This use case is given as an example; modify the commands to your organization's requirements. A health club has opened, and it has an application that supports its clients, using ScyllaDB as the database backend. The following groups need to be given permissions: the office staff can add new customers, cancel subscriptions, view all customer data, change classes for the trainers, and view the trainers' data. Trainers can only view their schedule and customer data. Customers can view the class schedule. There is also a database administrator who manages the database.

In this case, four roles would be created: staff, customer, trainer, and administrator. Permissions could be any of the following. It may be helpful to make a table as follows, listing the roles and the tables or keyspaces you are granting permission on. In the table cell, list the permission to be granted, leaving a blank space for no permission.

Role/on   | customer.info | schedule.cust | schedule.train | customer keyspace | schedule keyspace
----------+---------------+---------------+----------------+-------------------+------------------
DBA       | superuser     | superuser     | superuser      | superuser         | superuser
staff     | MODIFY        | MODIFY        | MODIFY         | SELECT            | SELECT
trainer   | SELECT        | SELECT        | SELECT         |                   |
customer  |               | SELECT        |                |                   |

Before you begin

You need to log in to cqlsh as a user on a cluster with authentication and authorization enabled. If you have not already done so, enable authentication and authorization first. In addition, the role you create for yourself must have login privileges, a user name, and a password.

Warning

It is highly recommended to set a password when creating a role with login privileges. If you are using password authentication and you create a role with LOGIN = true and a blank or missing PASSWORD, the user assigned to this role will not be able to log in to the database.

If you proceed with the following example without authentication enabled, or log in without using an authenticated user, you will see this error:

Unauthorized: Error from server: code=2100 [Unauthorized] message="You have to be logged in and not anonymous to perform this request"

If you proceed with the following example without authorization enabled, you will see this error:

InvalidRequest: Error from server: code=2200 [Invalid query] message="GRANT operation is not supported by AllowAllAuthorizer"

Procedure

  1. Create all keyspaces and tables needed.

CREATE KEYSPACE IF NOT EXISTS customer WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', 'replication_factor' : 3 };
CREATE TABLE IF NOT EXISTS customer.info (ssid UUID, name text, DOB text, telephone text, email text, memberid text, PRIMARY KEY (ssid, name, memberid));
CREATE KEYSPACE IF NOT EXISTS schedule WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', 'replication_factor' : 3 };
CREATE TABLE IF NOT EXISTS schedule.cust (memberid UUID, ssid text, class text, meeting_day text, meeting_time text, PRIMARY KEY (memberid, ssid));
CREATE TABLE IF NOT EXISTS schedule.train (trainerid UUID, class text, meeting_day text, meeting_time text, PRIMARY KEY (trainerid));
  2. Create the customer role. It is best to start your hierarchy from the bottom: creating the customer role first allows you to grant it to the trainer role in a later step.

CREATE ROLE customer;
  3. Set the permissions for customer. According to the table above, the customer role is granted SELECT on schedule.cust:

GRANT SELECT ON schedule.cust TO customer;
  4. Create the trainer role.

CREATE ROLE trainer;
  5. Grant the customer role to the trainer role. In this way, the trainer role inherits the customer role's permissions.

GRANT customer TO trainer;
  6. With the trainer role created and holding the basic customer permissions, give the trainer the additional permissions the role requires.

GRANT SELECT ON customer.info TO trainer;
GRANT SELECT ON schedule.train TO trainer;
  7. Create the office staff role.

CREATE ROLE staff;
  8. Grant the staff role the additional permissions it requires. As staff has a wider scope, there is no need to grant SELECT table by table; it is easier to grant it on the entire keyspace.

GRANT SELECT ON KEYSPACE schedule TO staff;
GRANT SELECT ON KEYSPACE customer TO staff;
GRANT MODIFY ON schedule.cust TO staff;
GRANT MODIFY ON customer.info TO staff;
GRANT MODIFY ON schedule.train TO staff;
  9. Now create the database administrator role.

CREATE ROLE administrator WITH SUPERUSER = true;

Note

This role already has complete read and write permissions on all keyspaces and tables and does not need to be granted anything else. The superuser setting is disabled by default; enable it only for the administrator.

  10. Create users and grant the roles to them. Users are created in the same way as roles, but with a password and LOGIN = true. In this example, Lisa is a customer, Mary is a trainer, Dennis is office staff, and Tim is the administrator.

CREATE ROLE lisa WITH PASSWORD = 'password' AND LOGIN = true;
CREATE ROLE mary WITH PASSWORD = 'password' AND LOGIN = true;
CREATE ROLE dennis WITH PASSWORD = 'password' AND LOGIN = true;
CREATE ROLE tim WITH PASSWORD = 'password' AND LOGIN = true;
  11. Grant the roles to the users.

GRANT administrator TO tim;
GRANT staff TO dennis;
GRANT trainer TO mary;
GRANT customer TO lisa;

12. Check that each user has the privileges they should have. For example, if we list Mary’s permissions, we’ll see they represent what we granted to her role. Remember that the trainer role inherited the customer role.

LIST ALL PERMISSIONS OF mary;

╭─────────┬──────────┬────────────────────────┬────────────╮
│role     │ username │ resource               │ permission │
├─────────┼──────────┼────────────────────────┼────────────┤
│customer │ customer │ <table schedule.cust>  │ SELECT     │
├─────────┼──────────┼────────────────────────┼────────────┤
│trainer  │ trainer  │ <table customer.info>  │ SELECT     │
├─────────┼──────────┼────────────────────────┼────────────┤
│trainer  │ trainer  │ <table schedule.train> │ SELECT     │
╰─────────┴──────────┴────────────────────────┴────────────╯

Likewise, we can ask which roles Mary has been assigned.

LIST ROLES OF mary;
╭─────────┬─────────┬──────────────────────┬────────────╮
│role     │ super   │ login                │ options    │
├─────────┼─────────┼──────────────────────┼────────────┤
│customer │ False   │ False                │ {}         │
├─────────┼─────────┼──────────────────────┼────────────┤
│trainer  │ False   │ False                │ {}         │
├─────────┼─────────┼──────────────────────┼────────────┤
│mary     │ False   │ True                 │ {}         │
╰─────────┴─────────┴──────────────────────┴────────────╯
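The following is an added example, not ScyllaDB code. It is a small Python model of the role inheritance described under Roles vs Users and the resource forms from Granting roles and permissions, applied to the health-club procedure above. It reproduces the rows that LIST ALL PERMISSIONS OF mary reports, answers effective-permission questions, and audits a role against the permission table from the use case, so a mistaken grant shows up as an excess entry. Two things are assumptions of the model rather than statements from this page: that a keyspace-level grant covers every table in that keyspace (modelled from the staff grants; the exact rules are in the Authorization reference), and the names RoleGraph, health_club() and audit(), which are this example's own, not ScyllaDB APIs.

```python
"""Offline model of ScyllaDB role inheritance and resource scoping (added example)."""
from collections import deque


def resource_covers(granted: str, requested: str) -> bool:
    """Does a grant on `granted` apply to `requested`?

    Resources use the page's forms: "<ks>.<tab>", "KEYSPACE <ks>", "ALL KEYSPACES".
    Assumption of this model: a keyspace grant covers every table in it, and
    ALL KEYSPACES covers every keyspace and table.
    """
    if granted == "ALL KEYSPACES":
        return requested == "ALL KEYSPACES" or requested.startswith("KEYSPACE ") or "." in requested
    if granted.startswith("KEYSPACE "):
        ks = granted.split(" ", 1)[1]
        return requested == granted or ("." in requested and requested.split(".", 1)[0] == ks)
    return granted == requested


class RoleGraph:
    """Roles, the roles granted to them, and their direct permission grants."""

    def __init__(self):
        self.granted_roles = {}   # role -> roles granted to it (GRANT r TO role)
        self.grants = {}          # role -> {(permission, resource)}
        self.superusers = set()

    def create_role(self, name, superuser=False):
        self.granted_roles.setdefault(name, set())
        self.grants.setdefault(name, set())
        if superuser:
            self.superusers.add(name)

    def grant_role(self, role, to):
        self.granted_roles[to].add(role)

    def grant(self, permission, resource, to):
        self.grants[to].add((permission, resource))

    def roles_of(self, role):
        """Transitive closure of granted roles, including `role` itself (what LIST ROLES OF shows)."""
        seen, queue = {role}, deque([role])
        while queue:
            for r in self.granted_roles[queue.popleft()]:
                if r not in seen:           # each role visited once, so cycles cannot loop
                    seen.add(r)
                    queue.append(r)
        return seen

    def permissions_of(self, role):
        """Rows of LIST ALL PERMISSIONS OF: (granting role, resource, permission)."""
        rows = [(r, res, perm) for r in self.roles_of(role) for perm, res in self.grants[r]]
        return sorted(rows)

    def is_superuser(self, role):
        return any(r in self.superusers for r in self.roles_of(role))

    def can(self, role, permission, resource):
        """Effective check: a superuser may do anything; otherwise some inherited grant must cover the resource."""
        if self.is_superuser(role):
            return True
        return any(perm == permission and resource_covers(res, resource)
                   for _, res, perm in self.permissions_of(role))


def audit(graph, role, expected):
    """Compare a role's effective grants with the expected {(resource, permission)} set.

    Returns (excess, missing); both empty means the role matches the table.
    """
    actual = {(res, perm) for _, res, perm in graph.permissions_of(role)}
    return sorted(actual - expected), sorted(expected - actual)


def health_club():
    """The procedure from the page, expressed against the model (constructed data)."""
    g = RoleGraph()
    g.create_role("customer")
    g.grant("SELECT", "schedule.cust", to="customer")
    g.create_role("trainer")
    g.grant_role("customer", to="trainer")
    g.grant("SELECT", "customer.info", to="trainer")
    g.grant("SELECT", "schedule.train", to="trainer")
    g.create_role("staff")
    g.grant("SELECT", "KEYSPACE schedule", to="staff")
    g.grant("SELECT", "KEYSPACE customer", to="staff")
    g.grant("MODIFY", "schedule.cust", to="staff")
    g.grant("MODIFY", "customer.info", to="staff")
    g.grant("MODIFY", "schedule.train", to="staff")
    g.create_role("administrator", superuser=True)
    for user, role in [("lisa", "customer"), ("mary", "trainer"), ("dennis", "staff"), ("tim", "administrator")]:
        g.create_role(user)   # LOGIN roles; passwords are not part of the model
        g.grant_role(role, to=user)
    return g


# The trainer row of the permission table in the use case.
EXPECTED_TRAINER = {("schedule.cust", "SELECT"), ("customer.info", "SELECT"), ("schedule.train", "SELECT")}

if __name__ == "__main__":
    g = health_club()
    for row in g.permissions_of("mary"):
        print(row)
    print("mary can MODIFY schedule.cust:", g.can("mary", "MODIFY", "schedule.cust"))
    print("trainer audit (excess, missing):", audit(g, "trainer", EXPECTED_TRAINER))
```

Run it as a script to print Mary's rows. The authoritative answer is always LIST ALL PERMISSIONS OF <user> on the cluster; a model like this is useful for writing down what each role is expected to hold before comparing it with that output, and for catching a grant that is wider than the table calls for (a MODIFY granted on a whole keyspace to trainer, for instance, would appear as an excess entry).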

Additional References

  • Authorization

  • CQLSh: the CQL shell

  • Workload Prioritization - to attach a service level to a role. Only available in ScyllaDB Enterprise.

© 2025, ScyllaDB. All rights reserved. | Terms of Service | Privacy Policy | ScyllaDB, and ScyllaDB Cloud, are registered trademarks of ScyllaDB, Inc.
Last updated on 08 May 2025.