Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.
You can manage roles using the DataStax Astra DB user interface or the DevOps API.
Default Operational Roles
The default roles cover four types of operational users (User, API User, User Service Account, API Service Account) and three levels of access (Admin, Read Only, Read/Write).
This matrix shows the default role for each combination of user type and access level:
Access level | User | API User | User Service Account | API Service Account |
---|---|---|---|---|
Admin | Administrator User | API Administrator User | Administrator Svc Acct | API Administrator Svc Acct |
Read Only | RO User | API RO User | RO Svc Acct | API RO Svc Acct |
Read/Write | R/W User | API R/W User | R/W Svc Acct | API R/W Svc Acct |
The Read Only and Read/Write Service Account roles cannot list users or databases (they carry no org-user-read or org-db-view permission). API roles are intended for REST and GraphQL access and omit CQL access (db-cql). Because these are convenience summaries, compare the exact parameter lists in the role tables on this page before relying on a role for least privilege.
Default Special Roles
In addition to the operational roles, four special default roles exist:
- *Organization Administrator:* Super User
- *Database Administrator:* Full access to CRUD organizations and databases
- *UI View Only:* Read only access to view organizations and databases
- *Billing Admin:* Billing only access
Operational Roles Detail
User Roles
Role name | Console name | DevOps API Parameters |
---|---|---|
Admin User | Create All Keyspace, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Alter Keyspace, +Authorize Keyspace, +Create Keyspace, +Describe Keyspace, +Drop Keyspace, +Grant Keyspace, +Modify Keyspace, +Manage Private Endpoint, +Manage Region, +Access REST, +Alter Table, +Authorize Table, +Create Table, +Describe Table, +Drop Table, +Grant Table, +Modify Table, +Select Table, +Read Billing, +Write Billing, +Add Peering, +Create DB, +Expand DB, +Manage Migrator Proxy, +Reset Password, +Suspend DB, +Terminate DB, +View DB, +Read Organization, +Read User, +Write User | db-all-keyspace-create, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-alter, +db-keyspace-authorize, +db-keyspace-create, +db-keyspace-describe, +db-keyspace-drop, +db-keyspace-grant, +db-keyspace-modify, +db-manage-privateendpoint, +db-manage-region, +db-rest, +db-table-alter, +db-table-authorize, +db-table-create, +db-table-describe, +db-table-drop, +db-table-grant, +db-table-modify, +db-table-select, +org-billing-read, +org-billing-write, +org-db-addpeering, +org-db-create, +org-db-expand, +org-db-managemigratorproxy, +org-db-passwordreset, +org-db-suspend, +org-db-terminate, +org-db-view, +org-read, +org-user-read, +org-user-write |
RO User | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Describe Keyspace, +Access REST, +Describe Table, +Select Table, +View DB, +Read User | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-select, +org-db-view, +org-user-read |
R/W User | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Describe Keyspace, +Access REST, +Describe Table, +Modify Table, +Select Table, +View DB, +Read User | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-modify, +db-table-select, +org-db-view, +org-user-read |
API User Roles
Role name | Console name | DevOps API Parameters |
---|---|---|
API Admin User | Read IP Access List, +Create All Keyspace, +Describe All Keyspaces, +Access GraphQL API, +Alter Keyspace, +Authorize Keyspace, +Create Keyspace, +Describe Keyspace, +Drop Keyspace, +Grant Keyspace, +Modify Keyspace, +Manage Private Endpoint, +Manage Region, +Access REST, +Alter Table, +Authorize Table, +Create Table, +Describe Table, +Drop Table, +Grant Table, +Modify Table, +Select Table, +Read Billing, +Write Billing, +Add Peering, +Create DB, +Expand DB, +Manage Migrator Proxy, +Reset Password, +Suspend DB, +Terminate DB, +View DB, +Read User, +Write User | accesslist-read, +db-all-keyspace-create, +db-all-keyspace-describe, +db-graphql, +db-keyspace-alter, +db-keyspace-authorize, +db-keyspace-create, +db-keyspace-describe, +db-keyspace-drop, +db-keyspace-grant, +db-keyspace-modify, +db-manage-privateendpoint, +db-manage-region, +db-rest, +db-table-alter, +db-table-authorize, +db-table-create, +db-table-describe, +db-table-drop, +db-table-grant, +db-table-modify, +db-table-select, +org-billing-read, +org-billing-write, +org-db-addpeering, +org-db-create, +org-db-expand, +org-db-managemigratorproxy, +org-db-passwordreset, +org-db-suspend, +org-db-terminate, +org-db-view, +org-user-read, +org-user-write |
API RO User | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Describe Keyspace, +Access REST, +Describe Table, +Select Table, +View DB, +Read User | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-select, +org-db-view, +org-user-read |
API R/W User | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Describe Keyspace, +Access REST, +Describe Table, +Modify Table, +Select Table, +View DB, +Read User | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-modify, +db-table-select, +org-db-view, +org-user-read |
User Service Account Roles
Role name | Console name | DevOps API Parameters |
---|---|---|
Admin Svc Acct | Create All Keyspace, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Alter Keyspace, +Authorize Keyspace, +Create Keyspace, +Describe Keyspace, +Drop Keyspace, +Grant Keyspace, +Modify Keyspace, +Manage Private Endpoint, +Manage Region, +Access REST, +Alter Table, +Authorize Table, +Create Table, +Describe Table, +Drop Table, +Grant Table, +Modify Table, +Select Table, +Read Billing, +Write Billing, +Add Peering, +Create DB, +Expand DB, +Manage Migrator Proxy, +Reset Password, +Suspend DB, +Terminate DB, +View DB, +Read User, +Write User | db-all-keyspace-create, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-alter, +db-keyspace-authorize, +db-keyspace-create, +db-keyspace-describe, +db-keyspace-drop, +db-keyspace-grant, +db-keyspace-modify, +db-manage-privateendpoint, +db-manage-region, +db-rest, +db-table-alter, +db-table-authorize, +db-table-create, +db-table-describe, +db-table-drop, +db-table-grant, +db-table-modify, +db-table-select, +org-billing-read, +org-billing-write, +org-db-addpeering, +org-db-create, +org-db-expand, +org-db-managemigratorproxy, +org-db-passwordreset, +org-db-suspend, +org-db-terminate, +org-db-view, +org-user-read, +org-user-write |
RO Svc Acct | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Describe Keyspace, +Access REST, +Describe Table, +Select Table | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-select |
R/W Svc Acct | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Describe Keyspace, +Access REST, +Describe Table, +Modify Table, +Select Table | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-modify, +db-table-select |
API Service Account Roles
Role name | Console name | DevOps API Parameters |
---|---|---|
API Admin Svc Acct | Create All Keyspace, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Alter Keyspace, +Authorize Keyspace, +Create Keyspace, +Describe Keyspace, +Drop Keyspace, +Grant Keyspace, +Modify Keyspace, +Manage Private Endpoint, +Manage Region, +Access REST, +Alter Table, +Authorize Table, +Create Table, +Describe Table, +Drop Table, +Grant Table, +Modify Table, +Select Table, +Read Billing, +Write Billing, +Add Peering, +Create DB, +Expand DB, +Manage Migrator Proxy, +Reset Password, +Suspend DB, +Terminate DB, +View DB, +Read User, +Write User | db-all-keyspace-create, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-alter, +db-keyspace-authorize, +db-keyspace-create, +db-keyspace-describe, +db-keyspace-drop, +db-keyspace-grant, +db-keyspace-modify, +db-manage-privateendpoint, +db-manage-region, +db-rest, +db-table-alter, +db-table-authorize, +db-table-create, +db-table-describe, +db-table-drop, +db-table-grant, +db-table-modify, +db-table-select, +org-billing-read, +org-billing-write, +org-db-addpeering, +org-db-create, +org-db-expand, +org-db-managemigratorproxy, +org-db-passwordreset, +org-db-suspend, +org-db-terminate, +org-db-view, +org-user-read, +org-user-write |
API RO Svc Acct | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Describe Keyspace, +Access REST, +Describe Table, +Select Table | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-select |
API R/W Svc Acct | Read IP Access List, +Describe All Keyspaces, +Access GraphQL API, +Describe Keyspace, +Access REST, +Describe Table, +Modify Table, +Select Table | accesslist-read, +db-all-keyspace-describe, +db-graphql, +db-keyspace-describe, +db-rest, +db-table-describe, +db-table-modify, +db-table-select |
Special Roles Detail
Billing Admin
The Billing Admin role is limited to billing: it can view and edit billing and payment information and list databases and users, but it has no database management capabilities and no access to data.
Console name | DevOps API Parameters |
---|---|
Read Billing, +Write Billing, +View DB, +Read User | org-billing-read, +org-billing-write, +org-db-view, +org-user-read |
Database Administrator
The Database Administrator role is intended for full create, read, update and delete management of databases, including their keyspaces and tables. It cannot view billing, manage role-based access control (RBAC), or manage users. Note that it can read and create application tokens (org-token-read, org-token-write) and modify the IP access list (accesslist-write), so treat it as a privileged role.
Console name | DevOps API Parameters |
---|---|
Read IP Access List, +Write IP Access List, +Create All Keyspace, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Alter Keyspace, +Authorize Keyspace, +Create Keyspace, +Describe Keyspace, +Drop Keyspace, +Grant Keyspace, +Modify Keyspace, +Manage Private Endpoint, +Manage Region, +Access REST, +Alter Table, +Authorize Table, +Create Table, +Describe Table, +Drop Table, +Grant Table, +Modify Table, +Select Table, +Add Peering, +Create DB, +Expand DB, +Manage Migrator Proxy, +Reset Password, +Suspend DB, +Terminate DB, +View DB, +Read Token, +Write Token, +Read User | accesslist-read, +accesslist-write, +db-all-keyspace-create, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-alter, +db-keyspace-authorize, +db-keyspace-create, +db-keyspace-describe, +db-keyspace-drop, +db-keyspace-grant, +db-keyspace-modify, +db-manage-privateendpoint, +db-manage-region, +db-rest, +db-table-alter, +db-table-authorize, +db-table-create, +db-table-describe, +db-table-drop, +db-table-grant, +db-table-modify, +db-table-select, +org-db-addpeering, +org-db-create, +org-db-expand, +org-db-managemigratorproxy, +org-db-passwordreset, +org-db-suspend, +org-db-terminate, +org-db-view, +org-token-read, +org-token-write, +org-user-read |
Organization Administrator
The Organization Administrator role is the most permissive default role. It is the only default role that can create, read and delete custom roles, manage external authentication settings, read audits, and write organization settings.
Console name | DevOps API Parameters |
---|---|
Read IP Access List, +Write IP Access List, +Create All Keyspace, +Describe All Keyspaces, +Access GraphQL API, +Access CQL, +Alter Keyspace, +Authorize Keyspace, +Create Keyspace, +Describe Keyspace, +Drop Keyspace, +Grant Keyspace, +Modify Keyspace, +Manage Private Endpoint, +Manage Region, +Access REST, +Alter Table, +Authorize Table, +Create Table, +Describe Table, +Drop Table, +Grant Table, +Modify Table, +Select Table, +Read Audits, +Read Billing, +Write Billing, +Add Peering, +Create DB, +Expand DB, +Manage Migrator Proxy, +Reset Password, +Suspend DB, +Terminate DB, +View DB, +Read External Auth, +Write External Auth, +Notification Write, +Read Organization, +Delete Custom Role, +Read Custom Role, +Write Custom Role, +Read Token, +Write Token, +Read User, +Write User, +Write Organization | accesslist-read, +accesslist-write, +db-all-keyspace-create, +db-all-keyspace-describe, +db-graphql, +db-cql, +db-keyspace-alter, +db-keyspace-authorize, +db-keyspace-create, +db-keyspace-describe, +db-keyspace-drop, +db-keyspace-grant, +db-keyspace-modify, +db-manage-privateendpoint, +db-manage-region, +db-rest, +db-table-alter, +db-table-authorize, +db-table-create, +db-table-describe, +db-table-drop, +db-table-grant, +db-table-modify, +db-table-select, +org-audits-read, +org-billing-read, +org-billing-write, +org-db-addpeering, +org-db-create, +org-db-expand, +org-db-managemigratorproxy, +org-db-passwordreset, +org-db-suspend, +org-db-terminate, +org-db-view, +org-external-auth-read, +org-external-auth-write, +org-notification-write, +org-read, +org-role-delete, +org-role-read, +org-role-write, +org-token-read, +org-token-write, +org-user-read, +org-user-write, +org-write |
UI View Only
The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.
Console name | DevOps API Parameters |
---|---|
Read IP Access List, +View DB, +Read User | accesslist-read, +org-db-view, +org-user-read |
The tables below contain detailed descriptions of each of the permissions available in Astra DB and can be used to get more detail on the permissions assigned to the roles above.
Organization permissions
Console name | Description | DevOps API parameter |
---|---|---|
View DB | See a database in a list of databases or the Astra DB console. | org-db-view |
Create DB | Create a database using the DevOps API or the Astra DB console. | org-db-create |
Terminate DB | Permanently delete a database and all of its data using the DevOps API or the Astra DB console. | org-db-terminate |
Expand DB | Classic only: Resize a database using the DevOps API or the Astra DB console to add more capacity units. | org-db-expand |
Reset Password | Reset the password for a classic database. | org-db-passwordreset |
Manage Migrator Proxy | Add and remove the migrator proxy from a db. | org-db-managemigratorproxy |
Read Audits | Read and download audit records. | org-audits-read |
Write Billing | Add or edit billing and payment information. | org-billing-write |
Write IP Access List | Create or modify an access list using the DevOps API or the Astra DB console. | accesslist-write |
Manage Region | Add, create, or remove a region using the DevOps API or the Astra DB console. | db-manage-region |
Write User | Add, create, or remove a user using the DevOps API or the Astra DB console. | org-user-write |
Write Organization | Create new organizations or delete an existing organization. Controls visibility of the manage organization and organization settings pages. | org-write |
Write Custom Role | Create custom role. | org-role-write |
Write External Auth | Update security settings related to external auth providers. | org-external-auth-write |
Write Token | Create application token. | org-token-write |
Read Billing | Enables links and access to billing details page. | org-billing-read |
Read IP Access List | Enables links and access to the access list page. | accesslist-read |
Read User | Access to viewing users of an organization. | org-user-read |
Read Organization | View organization in the Astra DB console. | org-read |
Read Custom Role | See a custom role and its associated permissions. | org-role-read |
Read External Auth | See security settings related to external authentication providers. | org-external-auth-read |
Read Token | Read token details. | org-token-read |
Delete Custom Role | Delete a custom role. | org-role-delete |
Add Peering | Create a VPC peering connection. | org-db-addpeering |
Notification Write | Enable or disable notifications in organization notification settings. | org-notification-write |
Suspend DB | Park/unpark classic databases and suspend/unsuspend serverless databases. | org-db-suspend |
Keyspace permissions
Console name | Description | DevOps API parameter |
---|---|---|
Alter Keyspace | Make changes to a specified keyspace. | db-keyspace-alter |
Describe Keyspace | Get a list of tables within a specified keyspace. | db-keyspace-describe |
Modify Keyspace | Access or modify a keyspace. | db-keyspace-modify |
Authorize Keyspace | Give access to specified keyspace. | db-keyspace-authorize |
Drop Keyspace | Remove a keyspace. Available only in the Astra DB console. | db-keyspace-drop |
Create Keyspace | Create a keyspace. Available only in the Astra DB console. | db-keyspace-create |
Grant Keyspace | Grant specific permissions for specified keyspace. | db-keyspace-grant |
API access permissions
Console name | Description | DevOps API parameter |
---|---|---|
Access GraphQL API | Connect to database via GraphQL API. | db-graphql |
Access REST | Connect to database via REST API. | db-rest |
Access CQL | Connect to database via CQL. | db-cql |
Which role should I assign a user?
Database Access Method | Roles |
---|---|
Astra User Interface access | Organization Administrator, Database Administrator, Billing Administrator, UI View Only, Developer Administrator, Developer Read/Write, Developer Read Only, Administrator Service Account, Read/Write Service Account, Read Only Service Account |
GraphQL, REST, and Document API access based on database access permissions | Organization Administrator, Database Administrator, Billing Administrator, UI View Only, Administrator User, Read/Write User, Read Only User, Administrator Service Account, Read/Write Service Account, Read Only Service Account, API Administrator User, API Read/Write User, API Read Only User, API Administrator Service Account, API Read/Write Service Account, API Read Only Service Account |
Data Loader access based on database access permissions | Administrator User, Read/Write User, Read Only User, Administrator Service Account, Read/Write Service Account, Read Only Service Account |
dsbulk access based on database access permissions | Read/Write Service Account, Read Only Service Account |
DevOps API access based on database access permissions | Organization Administrator, Database Administrator |
Drivers based on database access permissions | Administrator User, Read/Write User, Read Only User, Administrator Service Account, Read/Write Service Account, Read Only Service Account |
Manage access list for IP addresses and CIDR | Organization Administrator, Database Administrator |
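The role tables above answer "which role should I assign?" only by hand. The following script is an added example, not DataStax code: it transcribes a subset of the default roles from this page by their DevOps API parameter names and, given the permissions a workload actually needs, picks the default role that covers them with the fewest surplus permissions, diffs two roles, and flags destructive or privilege-granting permissions. The `HIGH_RISK` set is this example's own judgement, and `custom_role_request` builds a request body in the shape the DevOps API v2 custom-role endpoint takes as recalled here (name plus a policy with description, effect, resources and actions); confirm that shape and the `drn:astra:org:` resource format against the current DevOps API reference before sending it.

```python
"""Least-privilege helper for Astra DB default roles (added example, not DataStax code)."""
from __future__ import annotations

import json

# Permissions per default role, transcribed from the role tables on this page.
# Only the roles needed for the demonstration are included.
ROLES: dict[str, frozenset[str]] = {
    "RO User": frozenset({
        "accesslist-read", "db-all-keyspace-describe", "db-graphql", "db-cql",
        "db-keyspace-describe", "db-rest", "db-table-describe", "db-table-select",
        "org-db-view", "org-user-read"}),
    "R/W User": frozenset({
        "accesslist-read", "db-all-keyspace-describe", "db-graphql", "db-cql",
        "db-keyspace-describe", "db-rest", "db-table-describe", "db-table-modify",
        "db-table-select", "org-db-view", "org-user-read"}),
    "R/W Svc Acct": frozenset({
        "accesslist-read", "db-all-keyspace-describe", "db-graphql", "db-cql",
        "db-keyspace-describe", "db-rest", "db-table-describe", "db-table-modify",
        "db-table-select"}),
    "API R/W Svc Acct": frozenset({
        "accesslist-read", "db-all-keyspace-describe", "db-graphql",
        "db-keyspace-describe", "db-rest", "db-table-describe", "db-table-modify",
        "db-table-select"}),
    "Database Administrator": frozenset({
        "accesslist-read", "accesslist-write", "db-all-keyspace-create",
        "db-all-keyspace-describe", "db-graphql", "db-cql", "db-keyspace-alter",
        "db-keyspace-authorize", "db-keyspace-create", "db-keyspace-describe",
        "db-keyspace-drop", "db-keyspace-grant", "db-keyspace-modify",
        "db-manage-privateendpoint", "db-manage-region", "db-rest", "db-table-alter",
        "db-table-authorize", "db-table-create", "db-table-describe", "db-table-drop",
        "db-table-grant", "db-table-modify", "db-table-select", "org-db-addpeering",
        "org-db-create", "org-db-expand", "org-db-managemigratorproxy",
        "org-db-passwordreset", "org-db-suspend", "org-db-terminate", "org-db-view",
        "org-token-read", "org-token-write", "org-user-read"}),
    "Billing Admin": frozenset({
        "org-billing-read", "org-billing-write", "org-db-view", "org-user-read"}),
    "UI View Only": frozenset({"accesslist-read", "org-db-view", "org-user-read"}),
}

# Destructive or privilege-granting permissions (this example's own list, not the page's).
HIGH_RISK = frozenset({
    "org-db-terminate", "db-keyspace-drop", "db-table-drop", "db-keyspace-authorize",
    "db-table-authorize", "db-keyspace-grant", "db-table-grant", "org-user-write",
    "org-role-write", "org-token-write", "org-external-auth-write", "accesslist-write"})


def least_privileged_role(required: set[str]) -> str | None:
    """Default role covering every required permission with the fewest extras, else None."""
    candidates = [(len(perms - required), name)
                  for name, perms in ROLES.items() if required <= perms]
    return min(candidates)[1] if candidates else None


def excess_permissions(role: str, required: set[str]) -> set[str]:
    """Permissions a role grants beyond what the caller actually needs."""
    return set(ROLES[role] - required)


def role_diff(a: str, b: str) -> tuple[set[str], set[str]]:
    """(only in a, only in b): what changes when switching a principal from a to b."""
    return set(ROLES[a] - ROLES[b]), set(ROLES[b] - ROLES[a])


def risky_permissions(role: str) -> set[str]:
    """High-risk permissions a role carries; review these before handing it to a service."""
    return set(ROLES[role] & HIGH_RISK)


def custom_role_request(name: str, org_id: str, actions: set[str], description: str = "") -> dict:
    """Body for creating a custom role with exactly `actions`.

    Assumption: shape and the drn:astra:org:<id> resource string follow the DevOps API v2
    custom-role endpoint as recalled; verify against the current reference before use.
    """
    return {"name": name,
            "policy": {"description": description, "effect": "allow",
                       "resources": [f"drn:astra:org:{org_id}"],
                       "actions": sorted(actions)}}


if __name__ == "__main__":
    # A REST-only writer that must not reach CQL and has no reason to list users.
    need = {"db-rest", "db-table-select", "db-table-modify", "db-keyspace-describe"}
    pick = least_privileged_role(need)
    print("pick:", pick, "surplus:", sorted(excess_permissions(pick, need)))
    print("R/W User -> R/W Svc Acct drops:", sorted(role_diff("R/W User", "R/W Svc Acct")[0]))
    print("Database Administrator high-risk:", sorted(risky_permissions("Database Administrator")))
    print(json.dumps(custom_role_request("rest-writer", "example-org-id", need), indent=2))
```

For the REST-only writer the script selects API R/W Svc Acct, because it is the only transcribed role that covers the four needed permissions without also granting db-cql, org-db-view or org-user-read; when no default role fits without excess you would rather not grant, the custom-role body is the alternative.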