
Manage user permissions

Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.

You can manage roles using the DataStax Astra DB user interface or the DevOps API.

Which default roles are available?

Default Operational Roles

The default roles address four types of operational users and three levels of access.

This matrix shows how the four types of operational users combine with each of the three levels of access:

  Access level   User                 API User                 User Service Account     API Service Account
  Admin          Administrator User   API Administrator User   Administrator Svc Acct   API Administrator Svc Acct
  Read Only      RO User              API RO User              RO Svc Acct              API RO Svc Acct
  Read/Write     R/W User             API R/W User             R/W Svc Acct             API R/W Svc Acct

Service Account roles cannot list users or databases. API roles restrict CQL access.

Default Special Roles

In addition to the operational roles, four special default roles exist:

  • Organization Administrator: Super User

  • Database Administrator: Full access to CRUD organizations and databases

  • UI View Only: Read only access to view organizations and databases

  • Billing Admin: Billing only access

Operational Roles Detail

User Roles

Each role is listed with its console permission names followed by the equivalent DevOps API parameters.

Admin User
  Console names: Create All Keyspaces, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace,
    Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST,
    Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table,
    Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB,
    Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read Organization,
    Read User, Write User
  DevOps API parameters: db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe,
    db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint,
    db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create,
    db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select,
    org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand,
    org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate,
    org-db-view, org-read, org-user-read, org-user-write

RO User
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Describe Keyspace, Access REST, Describe Table, Select Table, View DB, Read User
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-select, org-db-view, org-user-read

R/W User
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table, View DB, Read User
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select,
    org-db-view, org-user-read

API User Roles

Each role is listed with its console permission names followed by the equivalent DevOps API parameters.

API Admin User
  Console names: Read IP Access List, Create All Keyspaces, Describe All Keyspaces,
    Access GraphQL API, Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace,
    Drop Keyspace, Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region,
    Access REST, Alter Table, Authorize Table, Create Table, Describe Table, Drop Table,
    Grant Table, Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB,
    Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB,
    Read User, Write User
  DevOps API parameters: accesslist-read, db-all-keyspace-create, db-all-keyspace-describe,
    db-graphql, db-keyspace-alter, db-keyspace-authorize, db-keyspace-create,
    db-keyspace-describe, db-keyspace-drop, db-keyspace-grant, db-keyspace-modify,
    db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter, db-table-authorize,
    db-table-create, db-table-describe, db-table-drop, db-table-grant, db-table-modify,
    db-table-select, org-billing-read, org-billing-write, org-db-addpeering, org-db-create,
    org-db-expand, org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend,
    org-db-terminate, org-db-view, org-user-read, org-user-write

API RO User
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API,
    Describe Keyspace, Access REST, Describe Table, Select Table, View DB, Read User
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-select, org-db-view, org-user-read

API R/W User
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API,
    Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table, View DB, Read User
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select,
    org-db-view, org-user-read

User Service Account Roles

Each role is listed with its console permission names followed by the equivalent DevOps API parameters.

Admin Svc Acct
  Console names: Create All Keyspaces, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace,
    Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST,
    Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table,
    Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB,
    Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read User,
    Write User
  DevOps API parameters: db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe,
    db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint,
    db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create,
    db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select,
    org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand,
    org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate,
    org-db-view, org-user-read, org-user-write

RO Svc Acct
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Describe Keyspace, Access REST, Describe Table, Select Table
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-select

R/W Svc Acct
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select

API Service Account Roles

Each role is listed with its console permission names followed by the equivalent DevOps API parameters.

API Admin Svc Acct
  Console names: Create All Keyspaces, Describe All Keyspaces, Access GraphQL API, Access CQL,
    Alter Keyspace, Authorize Keyspace, Create Keyspace, Describe Keyspace, Drop Keyspace,
    Grant Keyspace, Modify Keyspace, Manage Private Endpoint, Manage Region, Access REST,
    Alter Table, Authorize Table, Create Table, Describe Table, Drop Table, Grant Table,
    Modify Table, Select Table, Read Billing, Write Billing, Add Peering, Create DB, Expand DB,
    Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB, Read User,
    Write User
  DevOps API parameters: db-all-keyspace-create, db-all-keyspace-describe, db-graphql, db-cql,
    db-keyspace-alter, db-keyspace-authorize, db-keyspace-create, db-keyspace-describe,
    db-keyspace-drop, db-keyspace-grant, db-keyspace-modify, db-manage-privateendpoint,
    db-manage-region, db-rest, db-table-alter, db-table-authorize, db-table-create,
    db-table-describe, db-table-drop, db-table-grant, db-table-modify, db-table-select,
    org-billing-read, org-billing-write, org-db-addpeering, org-db-create, org-db-expand,
    org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate,
    org-db-view, org-user-read, org-user-write

API RO Svc Acct
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API,
    Describe Keyspace, Access REST, Describe Table, Select Table
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-select

API R/W Svc Acct
  Console names: Read IP Access List, Describe All Keyspaces, Access GraphQL API,
    Describe Keyspace, Access REST, Describe Table, Modify Table, Select Table
  DevOps API parameters: accesslist-read, db-all-keyspace-describe, db-graphql,
    db-keyspace-describe, db-rest, db-table-describe, db-table-modify, db-table-select

Special Roles Detail

Billing Admin

The Billing Admin role provides access only to view the billing information for Astra DB services. It has no management capabilities and no access to data.

  Console names: Read Billing, Write Billing, View DB, Read User
  DevOps API parameters: org-billing-read, org-billing-write, org-db-view, org-user-read

Database Administrator

The Database Administrator role is designed to manage organizations and databases through CRUD operations. This role cannot view billing, manage role-based access control (RBAC), or manage users.

  Console names: Read IP Access List, Write IP Access List, Create All Keyspaces,
    Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace,
    Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace,
    Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table,
    Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table,
    Add Peering, Create DB, Expand DB, Manage Migrator Proxy, Reset Password, Suspend DB,
    Terminate DB, View DB, Read Token, Write Token, Read User
  DevOps API parameters: accesslist-read, accesslist-write, db-all-keyspace-create,
    db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize,
    db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant,
    db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter,
    db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant,
    db-table-modify, db-table-select, org-db-addpeering, org-db-create, org-db-expand,
    org-db-managemigratorproxy, org-db-passwordreset, org-db-suspend, org-db-terminate,
    org-db-view, org-token-read, org-token-write, org-user-read

Organization Administrator

The Organization Administrator role is the most permissive default role.

  Console names: Read IP Access List, Write IP Access List, Create All Keyspaces,
    Describe All Keyspaces, Access GraphQL API, Access CQL, Alter Keyspace, Authorize Keyspace,
    Create Keyspace, Describe Keyspace, Drop Keyspace, Grant Keyspace, Modify Keyspace,
    Manage Private Endpoint, Manage Region, Access REST, Alter Table, Authorize Table,
    Create Table, Describe Table, Drop Table, Grant Table, Modify Table, Select Table,
    Read Audits, Read Billing, Write Billing, Add Peering, Create DB, Expand DB,
    Manage Migrator Proxy, Reset Password, Suspend DB, Terminate DB, View DB,
    Read External Auth, Write External Auth, Notification Write, Read Organization,
    Delete Custom Role, Read Custom Role, Write Custom Role, Read Token, Write Token,
    Read User, Write User, Write Organization
  DevOps API parameters: accesslist-read, accesslist-write, db-all-keyspace-create,
    db-all-keyspace-describe, db-graphql, db-cql, db-keyspace-alter, db-keyspace-authorize,
    db-keyspace-create, db-keyspace-describe, db-keyspace-drop, db-keyspace-grant,
    db-keyspace-modify, db-manage-privateendpoint, db-manage-region, db-rest, db-table-alter,
    db-table-authorize, db-table-create, db-table-describe, db-table-drop, db-table-grant,
    db-table-modify, db-table-select, org-audits-read, org-billing-read, org-billing-write,
    org-db-addpeering, org-db-create, org-db-expand, org-db-managemigratorproxy,
    org-db-passwordreset, org-db-suspend, org-db-terminate, org-db-view,
    org-external-auth-read, org-external-auth-write, org-notification-write, org-read,
    org-role-delete, org-role-read, org-role-write, org-token-read, org-token-write,
    org-user-read, org-user-write, org-write

UI View Only

The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.

  Console names: Read IP Access List, View DB, Read User
  DevOps API parameters: accesslist-read, org-db-view, org-user-read

Custom permissions

The tables below describe each permission available in Astra DB and give more detail on the permissions assigned to the roles above. Each entry lists the console name, the DevOps API parameter in parentheses, and a description.

Organization permissions

  • View DB (org-db-view): See a database in a list of databases or in the Astra Portal.

  • Create DB (org-db-create): Create a database using the DevOps API or Astra Portal.

  • Terminate DB (org-db-terminate): Permanently delete a database and all of its data using the DevOps API or Astra Portal.

  • Reset Password (org-db-passwordreset): Reset the password for a classic database.

  • Manage Migrator Proxy (org-db-managemigratorproxy): Add and remove the migrator proxy from a database.

  • Read Audits (org-audits-read): Read and download audits.

  • Write Billing (org-billing-write): Enables links and the ability to add or edit billing payment information.

  • Write IP Access List (accesslist-write): Create or modify an access list using the DevOps API or Astra Portal.

  • Manage Region (db-manage-region): Add, create, or remove a region using the DevOps API or Astra Portal.

  • Write User (org-user-write): Add, create, or remove a user using the DevOps API or Astra Portal.

  • Write Organization (org-write): Create new organizations or delete an existing organization. Hides manage org and org settings.

  • Write Custom Role (org-role-write): Create a custom role.

  • Write External Auth (org-external-auth-write): Update security settings related to external authentication providers.

  • Write Token (org-token-write): Create an application token.

  • Read Billing (org-billing-read): Enables links and access to the billing details page.

  • Read IP Access List (accesslist-read): Enables links and access to the access list page.

  • Read User (org-user-read): View the users of an organization.

  • Read Organization (org-read): View the organization in the Astra Portal.

  • Read Custom Role (org-role-read): See a custom role and its associated permissions.

  • Read External Auth (org-external-auth-read): See security settings related to external authentication providers.

  • Read Token (org-token-read): Read token details.

  • Delete Custom Role (org-role-delete): Delete a custom role.

  • Add Peering (org-db-addpeering): Create a VPC peering connection.

  • Notification Write (org-notification-write): Enable or disable notifications in the organization notification settings.

  • Suspend DB (org-db-suspend): Park/unpark classic databases and suspend/unsuspend serverless databases.

Keyspace permissions

  • Alter Keyspace (db-keyspace-alter): Make changes to a specified keyspace.

  • Describe Keyspace (db-keyspace-describe): Get a list of tables within a specified keyspace.

  • Modify Keyspace (db-keyspace-modify): Access or modify a keyspace.

  • Authorize Keyspace (db-keyspace-authorize): Give access to a specified keyspace.

  • Drop Keyspace (db-keyspace-drop): Remove a keyspace. Available only in the Astra Portal.

  • Create Keyspace (db-keyspace-create): Create a keyspace. Available only in the Astra Portal.

  • Grant Keyspace (db-keyspace-grant): Grant specific permissions for a specified keyspace.

API access permissions

  • Access GraphQL API (db-graphql): Connect to a database via the GraphQL API.

  • Access REST (db-rest): Connect to a database via the REST API.

  • Access CQL (db-cql): Connect to a database via CQL.

Which role should I assign a user?

Each database access method below is followed by the roles that can use it.

Astra User Interface access

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Developer Administrator

  • Developer Read/Write

  • Developer Read Only

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

GraphQL, REST, and Document API access based on database access permissions

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

  • API Administrator User

  • API Read/Write User

  • API Read Only User

  • API Administrator Service Account

  • API Read/Write Service Account

  • API Read Only Service Account

Data Loader access based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

dsbulk access based on database access permissions

  • Read/Write Service Account

  • Read Only Service Account

DevOps API access based on database access permissions

  • Organization Administrator

  • Database Administrator

Drivers based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

Manage access list for IP addresses and CIDR

  • Organization Administrator

  • Database Administrator
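
The two sections above (the permission identifiers and the role-selection guidance) can be combined into a least-privilege check. The following is an added example, not DataStax code and not a DevOps API client: it runs offline on the DevOps API parameter sets transcribed from this page's role tables (the admin User and Svc Acct variants are left out), and the "sensitive" grouping is the example's own, not a classification the page makes.

```python
# Added example, not DataStax code: an offline least-privilege helper over the
# DevOps API permission identifiers this page lists. All sets are transcribed
# from the page's role tables; the admin User / Svc Acct variants are omitted.
# Every identifier the page defines (the Organization Administrator set).
ORG_ADMIN = set("""
accesslist-read accesslist-write db-all-keyspace-create db-all-keyspace-describe
db-graphql db-cql db-keyspace-alter db-keyspace-authorize db-keyspace-create
db-keyspace-describe db-keyspace-drop db-keyspace-grant db-keyspace-modify
db-manage-privateendpoint db-manage-region db-rest db-table-alter db-table-authorize
db-table-create db-table-describe db-table-drop db-table-grant db-table-modify
db-table-select org-audits-read org-billing-read org-billing-write org-db-addpeering
org-db-create org-db-expand org-db-managemigratorproxy org-db-passwordreset
org-db-suspend org-db-terminate org-db-view org-external-auth-read
org-external-auth-write org-notification-write org-read org-role-delete org-role-read
org-role-write org-token-read org-token-write org-user-read org-user-write org-write
""".split())

# Data-plane reads shared by every non-admin role; the listing pair Svc Acct roles lack.
DB_READ = {"accesslist-read", "db-all-keyspace-describe", "db-graphql",
           "db-keyspace-describe", "db-rest", "db-table-describe", "db-table-select"}
LISTING = {"org-db-view", "org-user-read"}

DEFAULT_ROLES = {
    "Organization Administrator": ORG_ADMIN,
    "Database Administrator": ORG_ADMIN - {
        "org-audits-read", "org-billing-read", "org-billing-write",
        "org-external-auth-read", "org-external-auth-write", "org-notification-write",
        "org-read", "org-role-delete", "org-role-read", "org-role-write",
        "org-user-write", "org-write"},
    "UI View Only": {"accesslist-read"} | LISTING,
    "Billing Admin": {"org-billing-read", "org-billing-write"} | LISTING,
    "RO User": DB_READ | {"db-cql"} | LISTING,
    "R/W User": DB_READ | {"db-cql", "db-table-modify"} | LISTING,
    "API RO User": DB_READ | LISTING,
    "API R/W User": DB_READ | {"db-table-modify"} | LISTING,
    "RO Svc Acct": DB_READ | {"db-cql"},
    "R/W Svc Acct": DB_READ | {"db-cql", "db-table-modify"},
    "API RO Svc Acct": DB_READ,
    "API R/W Svc Acct": DB_READ | {"db-table-modify"},
}

# Suffixes of permissions that change data, schema, org state or credentials;
# this grouping is the example's own, not a classification the page makes.
SENSITIVE = ("-write", "-create", "-drop", "-terminate", "-grant", "-authorize",
             "-alter", "-modify", "-delete", "-passwordreset", "-suspend",
             "-expand", "-addpeering", "-managemigratorproxy")

def is_sensitive(perm):
    return perm.endswith(SENSITIVE) or "-manage-" in perm

def least_privilege_roles(required):
    """Default roles that cover `required`, smallest first, each with its excess."""
    required = set(required)
    fits = [(len(perms - required), name, sorted(perms - required))
            for name, perms in DEFAULT_ROLES.items() if required <= perms]
    return [(name, extra) for _, name, extra in sorted(fits)]

def review_custom_role(perms):
    """Flag identifiers the page does not define and sensitive ones to justify."""
    perms = set(perms)
    return {"unknown": sorted(perms - ORG_ADMIN),
            "sensitive": sorted(p for p in perms & ORG_ADMIN if is_sensitive(p))}

if __name__ == "__main__":
    # A driver-based app that only reads one table over CQL.
    for name, extra in least_privilege_roles({"db-cql", "db-table-select"}):
        print(f"{name}: {len(extra)} permissions beyond what is required")
    print(review_custom_role(["db-cql", "db-table-select", "db-table-drop", "org-foo"]))
```

For the CQL read-only case the smallest covering role is RO Svc Acct, which matches the guidance above that driver and dsbulk access should use a Service Account role rather than a user or admin role.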
