Managing your Astra DB organization

As an administrator, you can manage your database and organization. This includes the following tasks:

Add organizations in Astra DB

Creating multiple organizations in DataStax Astra DB is useful for segmenting groups of users and creating various environments.

  1. From any page in Astra DB, select the Organizations dropdown.

  2. In the main dropdown, select Manage Organizations.

  3. Select Add Organization. The Add Organization window opens.

    • Enter the name and email address for your new organization.

    • Select Add to add the new organization.

The organization is added to the list. An email is sent to the email address entered for the organization owner.

Invite users to an organization

Invite users to join your organization and provide them with access based on the selected role.

  1. From any page in Astra DB, select the Organizations dropdown.

  2. In the main dropdown, select Organization Settings.

  3. From User Management, select Invite User.

  4. Enter the email address for the user you want to invite for the specific user role. If adding multiple users, separate the email addresses with commas, spaces, or line breaks.

  5. Select the user role(s) for the user(s) you are inviting. Multiple roles are available within each group of roles for Organization Access, Database, Keyspace, or Table Access, and API Access.

  6. Select Invite Users to send email invitations to the users at their email address.

Invited users are listed as pending until they accept the invitation to join your organization.

Manage user permissions

Default and custom roles allow admins to manage unique permissions for users based on your organization and database requirements.

You can manage roles using the DataStax Astra DB user interface or the DevOps API.

Default Operational Roles

The default roles address four types of operational users and three levels of access.

This matrix shows how the four types of operational users combine with each of the three levels of access:

|  | User | API User | User Service Account | API Service Account |
| --- | --- | --- | --- | --- |
| Admin | Administrator User | API Administrator User | Administrator Svc Acct | API Administrator Svc Acct |
| Read Only | RO User | API RO User | RO Svc Acct | API RO Svc Acct |
| Read/Write | R/W User | API R/W User | R/W Svc Acct | API R/W Svc Acct |

Service Account Roles are limited from listing users and databases. API Roles limit CQL access.

Default Special Roles

In addition to the operational roles, four special default roles exist:

  • Organization Administrator: Super User

  • Database Administrator: Full access to CRUD organizations and databases

  • UI View Only: Read only access to view organizations and databases

  • Billing Admin: Billing only access

Operational Roles Detail

User Roles

Role name Console name DevOps API Parameters

Admin User

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Organization,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-read,
org-user-read,
org-user-write

RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

API User Roles

Role name Console name DevOps API Parameters

API Admin User

Read IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

accesslist-read,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select,
org-db-view,
org-user-read

API R/W User

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table,
View DB,
Read User

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select,
org-db-view,
org-user-read

User Service Account Roles

Role name Console name DevOps API Parameters

Admin Svc Acct

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

API Service Account Roles

Role name Console name DevOps API Parameters

API Admin Svc Acct

Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read User,
Write User

db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-user-read,
org-user-write

API RO Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-select

API R/W Svc Acct

Read IP Access List,
Describe All Keyspaces,
Access GraphQL API,
Describe Keyspace,
Access REST,
Describe Table,
Modify Table,
Select Table

accesslist-read,
db-all-keyspace-describe,
db-graphql,
db-keyspace-describe,
db-rest,
db-table-describe,
db-table-modify,
db-table-select

Special Roles Detail

Billing Admin

The Billing Admin role provides only access to view the billing information for Astra DB services. This role has no management capabilities nor access to data.

Console name DevOps API Parameters

Read Billing,
Write Billing,
View DB,
Read User

org-billing-read,
org-billing-write,
org-db-view,
org-user-read

Database Administrator

The Database Administrator role is designed to effectively manage organizations and databases using CRUD. This role does not have the ability to view billing, manage role-based access control (RBAC), or manage users.

Console name DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read Token,
Write Token,
Read User

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-token-read,
org-token-write,
org-user-read

Organization Administrator

The Organization Administrator role is the most permissive default role.

Console name DevOps API Parameters

Read IP Access List,
Write IP Access List,
Create All Keyspace,
Describe All Keyspaces,
Access GraphQL API,
Access CQL,
Alter Keyspace,
Authorize Keyspace,
Create Keyspace,
Describe Keyspace,
Drop Keyspace,
Grant Keyspace,
Modify Keyspace,
Manage Private Endpoint,
Manage Region,
Access REST,
Alter Table,
Authorize Table,
Create Table,
Describe Table,
Drop Table,
Grant Table,
Modify Table,
Select Table,
Read Audits,
Read Billing,
Write Billing,
Add Peering,
Create DB,
Expand DB,
Manage Migrator Proxy,
Reset Password,
Suspend DB,
Terminate DB,
View DB,
Read External Auth,
Write External Auth,
Notification Write,
Read Organization,
Delete Custom Role,
Read Custom Role,
Write Custom Role,
Read Token,
Write Token,
Read User,
Write User,
Write Organization

accesslist-read,
accesslist-write,
db-all-keyspace-create,
db-all-keyspace-describe,
db-graphql,
db-cql,
db-keyspace-alter,
db-keyspace-authorize,
db-keyspace-create,
db-keyspace-describe,
db-keyspace-drop,
db-keyspace-grant,
db-keyspace-modify,
db-manage-privateendpoint,
db-manage-region,
db-rest,
db-table-alter,
db-table-authorize,
db-table-create,
db-table-describe,
db-table-drop,
db-table-grant,
db-table-modify,
db-table-select,
org-audits-read,
org-billing-read,
org-billing-write,
org-db-addpeering,
org-db-create,
org-db-expand,
org-db-managemigratorproxy,
org-db-passwordreset,
org-db-suspend,
org-db-terminate,
org-db-view,
org-external-auth-read,
org-external-auth-write,
org-notification-write,
org-read,
org-role-delete,
org-role-read,
org-role-write,
org-token-read,
org-token-write,
org-user-read,
org-user-write,
org-write

UI View Only

The UI View Only role is a highly limited role that is only able to list users, databases, and access lists.

Console name DevOps API Parameters

Read IP Access List,
View DB,
Read User

accesslist-read,
org-db-view,
org-user-read

Custom permissions

The tables below contain detailed descriptions of each of the permissions available in Astra DB and can be used to get more detail on the permissions assigned to the roles above.

Organization permissions

| Console name | Description | DevOps API parameter |
| --- | --- | --- |
| View DB | See a database in a list of databases or the Astra DB console. | org-db-view |
| Create DB | Create a database using the DevOps API or the Astra DB console. | org-db-create |
| Terminate DB | Permanently delete a database and all of its data using the DevOps API or the Astra DB console. | org-db-terminate |
| Expand DB | Classic only: Resize a database using the DevOps API or the Astra DB console to add more capacity units. | org-db-expand |
| Reset Password | Reset the password for a classic database. | org-db-passwordreset |
| Manage Migrator Proxy | Add and remove the migrator proxy from a database. | org-db-managemigratorproxy |
| Read Audits | Enables reading and downloading audits. | org-audits-read |
| Write Billing | Enables links and ability to add or edit billing payment info. | org-billing-write |
| Write IP Access List | Create or modify an access list using the DevOps API or the Astra DB console. | accesslist-write |
| Manage Region | Add, create, or remove a region using the DevOps API or the Astra DB console. | db-manage-region |
| Write User | Add, create, or remove a user using the DevOps API or the Astra DB console. | org-user-write |
| Write Organization | Create new organizations or delete an existing organization. Hides manage org and org settings. | org-write |
| Write Custom Role | Create custom role. | org-role-write |
| Write External Auth | Update security settings related to external auth providers. | org-external-auth-write |
| Write Token | Create application token. | org-token-write |
| Read Billing | Enables links and access to billing details page. | org-billing-read |
| Read IP Access List | Enables links and access to access list page. | accesslist-read |
| Read User | Access to viewing users of an organization. | org-user-read |
| Read Organization | View organization in the Astra DB console. | org-read |
| Read Custom Role | See a custom role and its associated permissions. | org-role-read |
| Read External Auth | See security settings related to external authentication providers. | org-external-auth-read |
| Read Token | Read token details. | org-token-read |
| Delete Custom Role | Delete a custom role. | org-role-delete |
| Add Peering | Create a VPC peering connection. | org-db-addpeering |
| Notification Write | Enable or disable notifications in organization notification settings. | org-notification-write |
| Suspend DB | Park/unpark classic databases and suspend/unsuspend serverless databases. | org-db-suspend |

Keyspace permissions

| Console name | Description | DevOps API parameter |
| --- | --- | --- |
| Alter Keyspace | Make changes to a specified keyspace. | db-keyspace-alter |
| Describe Keyspace | Get a list of tables within a specified keyspace. | db-keyspace-describe |
| Modify Keyspace | Access or modify a keyspace. | db-keyspace-modify |
| Authorize Keyspace | Give access to specified keyspace. | db-keyspace-authorize |
| Drop Keyspace | Remove keyspace. Available in only the Astra DB console. | db-keyspace-drop |
| Create Keyspace | Create keyspace. Available in only the Astra DB console. | db-keyspace-create |
| Grant Keyspace | Grant specific permissions for specified keyspace. | db-keyspace-grant |

API access permissions

| Console name | Description | DevOps API parameter |
| --- | --- | --- |
| Access GraphQL API | Connect to database via GraphQL API. | db-graphql |
| Access REST | Connect to database via REST API. | db-rest |
| Access CQL | Connect to database via CQL. | db-cql |

Which role should I assign a user?

Database Access Method Roles

Astra User Interface access

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Developer Administrator

  • Developer Read/Write

  • Developer Read Only

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

GraphQL, REST, and Document API access based on database access permissions

  • Organization Administrator

  • Database Administrator

  • Billing Administrator

  • UI View Only

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

  • API Administrator User

  • API Read/Write User

  • API Read Only User

  • API Administrator Service Account

  • API Read/Write Service Account

  • API Read Only Service Account

Data Loader access based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

dsbulk access based on database access permissions

  • Read/Write Service Account

  • Read Only Service Account

DevOps API access based on database access permissions

  • Organization Administrator

  • Database Administrator

Drivers based on database access permissions

  • Administrator User

  • Read/Write User

  • Read Only User

  • Administrator Service Account

  • Read/Write Service Account

  • Read Only Service Account

Manage access list for IP addresses and CIDR

  • Organization Administrator

  • Database Administrator
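
The role tables above can be checked mechanically when choosing a role. The following is an added example, not DataStax code: it ranks the default roles by how many unneeded permissions each one carries for a required set and flags when a custom role is the better fit. The permission names are the DevOps API parameters listed on this page; the function names and the HIGH_IMPACT selection are assumptions of this example.

```python
"""Rank default Astra DB roles by excess permissions for a required set."""

# DevOps API parameter names are copied from the role tables on this page.
# Organization Administrator is the superset of every permission listed there.
ORG_ADMIN = frozenset("""
accesslist-read accesslist-write db-all-keyspace-create db-all-keyspace-describe
db-graphql db-cql db-keyspace-alter db-keyspace-authorize db-keyspace-create
db-keyspace-describe db-keyspace-drop db-keyspace-grant db-keyspace-modify
db-manage-privateendpoint db-manage-region db-rest db-table-alter
db-table-authorize db-table-create db-table-describe db-table-drop
db-table-grant db-table-modify db-table-select org-audits-read
org-billing-read org-billing-write org-db-addpeering org-db-create
org-db-expand org-db-managemigratorproxy org-db-passwordreset org-db-suspend
org-db-terminate org-db-view org-external-auth-read org-external-auth-write
org-notification-write org-read org-role-delete org-role-read org-role-write
org-token-read org-token-write org-user-read org-user-write org-write
""".split())

# Building blocks: every set composed below equals the list shown for that
# role on this page. The Admin User / Admin Svc Acct variants are left out.
API_RO_SVC = frozenset({
    "accesslist-read", "db-all-keyspace-describe", "db-graphql",
    "db-keyspace-describe", "db-rest", "db-table-describe", "db-table-select",
})
UI_ACCESS = frozenset({"org-db-view", "org-user-read"})
ORG_ADMIN_ONLY = frozenset({
    "org-audits-read", "org-billing-read", "org-billing-write",
    "org-external-auth-read", "org-external-auth-write",
    "org-notification-write", "org-read", "org-role-delete", "org-role-read",
    "org-role-write", "org-user-write", "org-write",
})

DEFAULT_ROLES = {
    "Organization Administrator": ORG_ADMIN,
    "Database Administrator": ORG_ADMIN - ORG_ADMIN_ONLY,
    "Billing Admin": UI_ACCESS | {"org-billing-read", "org-billing-write"},
    "UI View Only": UI_ACCESS | {"accesslist-read"},
    "RO User": API_RO_SVC | UI_ACCESS | {"db-cql"},
    "R/W User": API_RO_SVC | UI_ACCESS | {"db-cql", "db-table-modify"},
    "API RO User": API_RO_SVC | UI_ACCESS,
    "API R/W User": API_RO_SVC | UI_ACCESS | {"db-table-modify"},
    "RO Svc Acct": API_RO_SVC | {"db-cql"},
    "R/W Svc Acct": API_RO_SVC | {"db-cql", "db-table-modify"},
    "API RO Svc Acct": API_RO_SVC,
    "API R/W Svc Acct": API_RO_SVC | {"db-table-modify"},
}

# Assumption of this example: permissions treated as high impact because they
# delete data or change who and what can connect.
HIGH_IMPACT = frozenset({
    "org-db-terminate", "db-keyspace-drop", "db-table-drop",
    "accesslist-write", "org-token-write", "org-user-write", "org-write",
})


def rank_roles(required):
    """Return (role, excess permissions) for each covering role, tightest first."""
    required = set(required)
    unknown = required - ORG_ADMIN
    if unknown:
        # A typo would otherwise look like "no default role fits".
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    fits = [(name, sorted(perms - required))
            for name, perms in DEFAULT_ROLES.items() if required <= perms]
    return sorted(fits, key=lambda fit: (len(fit[1]), fit[0]))


def recommend(required):
    """Pick the tightest default role; advise a custom role if it over-grants."""
    # Organization Administrator covers every known permission, so the
    # ranking is never empty once the names have been validated.
    role, excess = rank_roles(required)[0]
    risky = sorted(HIGH_IMPACT.intersection(excess))
    return {
        "role": role,
        "excess": excess,
        "high_impact_excess": risky,
        "use_custom_role": bool(risky),
        "custom_role_permissions": sorted(set(required)),
    }


if __name__ == "__main__":
    # Constructed scenarios: a REST reporting job, and an auditor who needs CQL.
    for needs in ({"db-rest", "db-table-select", "db-keyspace-describe"},
                  {"db-cql", "org-audits-read"}):
        print(sorted(needs), "->", recommend(needs))
```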

Manage application tokens

Application tokens allow you to connect to your database from your application using the Document, REST, and GraphQL APIs for DataStax Astra DB.
As of 4 March 2021, your Astra DB username and password will not work for your database. You will need to use an application token to connect to your database.

Create application token

You can also create an application token using the DevOps API.

  1. From any page in Astra DB, select the Organizations dropdown.

  2. In the main dropdown, select Organization Settings.

  3. From your Organization page, select Token Management.

  4. Select the role you want to attach to your token. The permissions for your selected role will be displayed.

  5. Select Generate Token. Astra DB will generate your token and display the Client ID, Client Secret, and Token.

  6. Download your Client ID, Client Secret, and Token.

After you navigate away from the page, you won’t be able to download your Client ID, Client Secret, and Token again. These tokens do not automatically expire, but can be destroyed in case they are compromised or no longer needed.

You can now use your token to connect to the Astra DB APIs. See more about the available APIs:

You can use your Client ID and Client Secret to connect to your database. See more about the available connection options:

Set environment variables

In your command-line interface associated with your environment, paste the following environment variables copied for your Astra DB database:

export ASTRA_DB_ID=<database_id>
export ASTRA_DB_REGION=<database_region>
export ASTRA_DB_KEYSPACE=<keyspace_name>
export ASTRA_DB_APPLICATION_TOKEN=<app_token>

Delete application token

If you need to limit access to your database, you can delete an application token.

  1. Select the overflow menu for the application token you want to delete.

  2. Select Delete to delete that application token.

  3. If necessary, generate a new application token for the same user role.

Authenticating classic databases

This information applies to only classic databases.

Classic databases were created before 4 March 2021. These databases have fixed compute and storage capabilities and do not include the latest authentication version.

To authenticate your DataStax Astra DB classic database, generate an authorization token. You’ll use this token to authenticate with your database and make additional requests, such as creating tables or adding rows.

Use the authorization endpoint to generate the token. For the following examples, we’ll use cURL commands. If you’re making requests from your application, use the code samples described in the authorization endpoint details.

The authorization token is active for 30 minutes from the most recent request made. If no request has been made within 30 minutes, the authorization token expires.

  1. Open a browser, navigate to Astra DB, and log in.

  2. From your Dashboard page, select your database.

  3. Copy the Cluster ID of your database. You can also find the Cluster ID in the URL, which is the last UUID in the path: https://astra.datastax.com/org/{org-Id}/database/{databaseid}

  4. Add the Cluster ID as an environment variable with the following command:

    Set environment variable:

    export ASTRA_CLUSTER_ID={databaseid}

    Example:

    export ASTRA_CLUSTER_ID=b5285f63-8da5-4c6e-afd8-ade371a48795

  5. Copy the Region of your database, the region where your database is located.

  6. Add the Region as an environment variable with the following command:

    Set environment variable:

    export ASTRA_CLUSTER_REGION={region}

    Example:

    export ASTRA_CLUSTER_REGION=us-east1

  7. Add your username, keyspace, and your password as environment variables with the following command:

    Set environment variable:

    export ASTRA_DB_USERNAME={username}
    export ASTRA_DB_KEYSPACE={keyspace}
    export ASTRA_DB_PASSWORD={password}

    Example:

    export ASTRA_DB_USERNAME=john.smith@datastax.com
    export ASTRA_DB_KEYSPACE=users
    export ASTRA_DB_PASSWORD=P@ssw0rd

  8. Use printenv to ensure the environment variables were exported.

  9. Run the entire cURL command with the values for your database:

    • Replace db_username with your database username.

    • Replace db_password with your database password.

    • Optional: Add a unique UUID for the authorization request:

    curl --request POST \
     --url https://${ASTRA_CLUSTER_ID}-${ASTRA_CLUSTER_REGION}.apps.astra.datastax.com/api/rest/v1/auth \
     --header 'Content-Type: application/json' \
     --data '{"username":"'"$ASTRA_DB_USERNAME"'", "password":"'"$ASTRA_DB_PASSWORD"'"}' \
     --header 'x-cassandra-request-id: {unique-UUID}'

    Consider using a tool like an online UUID generator to quickly create a random UUID to pass with your authorization request.

    An authorization token is returned:

    {"authToken": "37396a44-dcb8-4740-a97f-79f0dba47973"}

  10. Copy the value of the returned authToken and store the authorization token in the ASTRA_AUTHORIZATION_TOKEN environment variable:

    Set environment variable:

    export ASTRA_AUTHORIZATION_TOKEN={authToken}

    Example:

    export ASTRA_AUTHORIZATION_TOKEN=37396a44-dcb8-4740-a97f-79f0dba47973

    The authorization token must be included when making requests to your database, such as creating tables, adding rows, or modifying columns.

  11. If the authorization token expires, generate a new authorization token and update it in the ASTRA_AUTHORIZATION_TOKEN environment variable.
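
The authorization flow above, for application code rather than the shell. This is an added example, not DataStax code: it builds the same POST with a JSON encoder, so a password containing quotes or backslashes cannot break the request body, and it re-authenticates once the token has been idle for close to the 30-minute limit. The class and function names and the 60-second safety margin are assumptions of this example, and it assumes every database request asks the manager for the token first.

```python
"""Classic-database auth: build the request with a JSON encoder, track idle expiry."""
import json
import re
import time
import urllib.request
import uuid

IDLE_LIFETIME_S = 30 * 60  # the token expires 30 minutes after the last request


def build_auth_request(cluster_id, region, username, password):
    """Return the POST that the page's cURL command sends to /api/rest/v1/auth."""
    # Both values become part of the host name, so accept only the expected
    # shapes: a UUID (normalised to canonical form) and a plain region label.
    cluster_id = str(uuid.UUID(cluster_id))
    if not re.fullmatch(r"[a-z0-9-]+", region):
        raise ValueError(f"unexpected region value: {region!r}")
    url = (f"https://{cluster_id}-{region}"
           ".apps.astra.datastax.com/api/rest/v1/auth")
    # json.dumps escapes quotes and backslashes in the password; splicing the
    # raw value into a JSON string in the shell does not.
    body = json.dumps({"username": username, "password": password})
    return urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json",
                 "x-cassandra-request-id": str(uuid.uuid4())})


def fetch_token(request):
    """Send the request and return the authToken field of the JSON reply."""
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)["authToken"]


class ClassicAuthToken:
    """Hands out the current token and re-authenticates once it has sat idle."""

    def __init__(self, make_request, send=fetch_token,
                 clock=time.monotonic, margin_s=60):
        self._make_request = make_request  # builds a fresh auth request
        self._send = send                  # injectable for offline tests
        self._clock = clock
        self._limit = IDLE_LIFETIME_S - margin_s  # refresh a little early
        self._token = None
        self._last_used = 0.0
        self.refreshes = 0

    def get(self):
        """Call immediately before each database request."""
        now = self._clock()
        if self._token is None or now - self._last_used >= self._limit:
            self._token = self._send(self._make_request())
            self.refreshes += 1
        # Each use restarts the idle window, matching the sliding expiry.
        self._last_used = now
        return self._token
```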

What’s next?

You can now use your token to connect to the Astra DB APIs. See more about the available APIs:

Manage custom roles

Within Role Management, you can see the permissions for a specific role by hovering over the number in the Permissions column of the table. This will show the permissions granted to the role.

Roles

If the default roles don’t meet your requirements, you can use custom roles that meet your organizational needs.

Create custom role

You can also create custom roles using the DevOps API.

  1. From any page in Astra DB, select the Organizations dropdown.

  2. In the main dropdown, select the organization for which you want to add your custom role.

  3. From your Organization page, select Role Management.

  4. Select Add Custom Role.

  5. Enter the name you want to use for your custom role. This name should help you easily identify when you want to assign this role to users.

  6. Select the Organization, Keyspace, Table, and API permissions you want to assign to your custom role.

    If you want users with this role to be able to see the Astra DB user interface, make sure you select Read User and View DB permissions.

  7. If you want to apply your selected permissions to specific databases or keyspaces, toggle the switch to not apply the permissions to all databases in an organization. Then select the specific databases or keyspaces to which you want to apply the permissions.

  8. Once you have selected your permissions, select Create Role.

To see your custom roles, select Role Management within your Organization. You can now invite users using your new custom role.

Edit user roles

  1. From your Organization page, select Role Management.

  2. Select Edit Role from the overflow menu for the custom role you want to update.

  3. When editing the role, you can edit the name, permissions, database, and keyspace.

  4. Once you have updated your permissions, select Edit Role.

Your updated custom role will show up in Role Management within your Organization.

Bring Your Own Key

Encryption is a widely accepted mechanism to secure data against breaches. By default, DataStax Astra DB encrypts data, and cloud providers such as AWS and Google Cloud offer encryption solutions. However, you may want to further limit data access, because cloud providers have access to the keys and ultimately to the data.

To address this security concern, Astra DB allows you to associate a Customer Managed Key (one per region) that you defined in the cloud provider’s Key Management Service with a Customer Key that you create in Astra DB.

We call this organization-scoped Astra DB feature Bring Your Own Key (BYOK).

Using Astra DB console:

Using DevOps v2 API:

Pricing and billing

Learn about the pricing model and billing structure for DataStax Astra DB serverless databases.

For more, see the Astra DB Pricing page.

Serverless pricing

There are three primary factors that affect the pricing:

  • plan selection

  • units of measure

  • cloud provider and region

Plan selection

DataStax allows you to choose your commitment, and thus your savings. To get an accurate cost for your database, select a cloud provider/region and create your first database. To get started for free without entering credit card details, select the Free plan and receive a $25 credit. This credit is good for up to 80GB storage and 20 million Read/Write operations.

Units of measure

The following units of measure affect the pricing of your database:

  • Read requests (per 1M): the unit of measure for billing database reads. This unit is based on the payload of each read query response. A read request that returns up to 4KB of data is considered one Read Request Unit (RRU). If the request returns more than 4KB of data, additional read requests are required.

    • If the read request involves an ALLOW FILTERING query, the data is measured prior to in-memory filtering.

  • Write requests (per 1M): the unit of measure for billing database writes. This unit is based on the payload size of each write request. A write request with up to 1KB of data is considered one Write Request Unit (WRU). If the request has more than 1KB of data, additional writes are required.

    • Insert/Update/Upsert: each option is treated as a write operation and is calculated as part of the Write Request Unit (WRU).

    • Logged and Unlogged are the two types of batched writes. Logged batched writes have an additional WRU consumed.

      For example, a single-partition unlogged batch write operation with 10 rows, each row containing 1.2KB of data has 12 WRUs (Total size of the single-partition rows divided by 1KB. That is, [(10 rows * 1.2KB)/1KB = 12 WRUs]). A 2-partition logged batch with 2 rows (one row for each partition), each row containing 1.2KB of data has 5 WRUs ([ (2 * 1.2KB) /1KB + 2 = 5 WRU]). This calculation depends on the size per table in the batch. In this case, the size of the table (2 * 1.2KB) results in 3 WRUs and 2 additional WRUs for logged batch operation.

    • The write index SAI is treated the same as a write, but has an additional cost.

      • The write index SAI size is based on the size of each indexed column (not the size of the index), regardless of the column type. For example, the SAI index for a column with a value of 2KB in size results in 2 WRUs.

    • One delete operation is considered one write request regardless of the size. This is calculated as part of the WRU.

      • There is no charge for the TTL delete operation, DROP statements or TRUNCATE statements.

    • Lightweight Transactions (LWT) are treated as a combination of a read and write event. LWTs do a read, evaluate a condition, and a write if the condition is true. For LWT, there are both WRU and additional RRU costs. The number of RRUs is always one regardless of the size.

    • User-defined Types (UDT): there are no additional charges for UDTs. The column data size is counted regardless of the type.

  • Data storage (GB/month): all data stored in the database (including the actual data, indexes, and metadata). You are not billed extra for standard backups of your data. It is included in the base storage costs.

  • Data transfer (GB): the transfer of Customer Data out of the database. Billable units and pricing may vary depending on whether the Data Transfer occurs within the same cloud provider network (Data Transfer - Within Cloud Provider Network) or leaves the cloud provider network over the Internet (Data Transfer - Internet).

REST and Document API

These are the additional points to consider for REST and Document APIs:

  • For the REST API, there is a one-to-one mapping between REST operations and CQL requests.

  • For the Document API, the writes are similar to unlogged batched writes. Your JSON is translated to one row per leaf data and is written as a Cassandra batch. A document such as { "a": "b", "b": "c"} is turned into two rows and written in a batch. This is also how inserts, updates, and upserts work.

  • Document API deletions works similar to Cassandra API deletions.

  • Indexing has an additional cost. For example, this document {a: something, b: 1, c: true, d: 2} is stored as:

    key, dbl_value, text_value, bool_value
    "a", null, something, null
    "b", 1, null, null
    "c", null, null, true
    "d", 2, null, null

For each non-null value column, there is also an index. SAI cost is computed as the size of each indexed column (regardless of the column type).
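The leaf-per-row layout and per-value index entries described above, as an added example (not DataStax or Stargate code). The dotted `key` for nested fields, the treatment of JSON null and empty containers, and the per-type byte sizes are assumptions made for illustration.

```python
VALUE_COLUMNS = ("dbl_value", "text_value", "bool_value")


def shred(node, path=""):
    """Return one row per leaf of a parsed JSON document."""
    if isinstance(node, dict):
        children = node.items()
    elif isinstance(node, list):
        children = enumerate(node)  # assumption: array index becomes a path segment
    else:
        row = {"key": path, **dict.fromkeys(VALUE_COLUMNS)}
        # bool is a subclass of int in Python, so test it before numbers
        if isinstance(node, bool):
            row["bool_value"] = node
        elif isinstance(node, (int, float)):
            row["dbl_value"] = node
        elif isinstance(node, str):
            row["text_value"] = node
        # assumption: JSON null yields a row with every value column null
        return [row]
    rows = []
    for name, child in children:
        rows.extend(shred(child, f"{path}.{name}" if path else str(name)))
    return rows


def indexed_size(column, value):
    """Approximate bytes of one indexed value (assumed type sizes)."""
    if column == "text_value":
        return len(value.encode("utf-8"))
    return 8 if column == "dbl_value" else 1  # CQL double / boolean


def write_footprint(doc):
    """Count rows in the batch and the index entries they create."""
    rows = shred(doc)
    entries = [indexed_size(c, r[c])
               for r in rows for c in VALUE_COLUMNS if r[c] is not None]
    return {"rows": len(rows), "index_entries": len(entries),
            "indexed_bytes": sum(entries)}


if __name__ == "__main__":
    # The document from the text above
    page_doc = {"a": "something", "b": 1, "c": True, "d": 2}
    for r in shred(page_doc):
        print(r)
    print(write_footprint(page_doc))
```

A nested or array-heavy document multiplies both the rows in the batch and the index entries, which is why document shape matters when estimating write cost.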

For more, see Stargate.

Cloud providers and regions

You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers different database regions. See each offering by region. The cloud provider and region you select affect the price of each unit of measure for your database.

Multiple regions

Multiple regions are available only on pay as you go and annual plans.

If you are using multiple regions for your serverless database:

  • Write requests are replicated in all regions and charged at the respective rates for each region.

  • Read requests are performed at the region level and charged at the region-specific rate.

Data Storage is calculated based on actual disk consumption per region at the region-specific rate.

CDC for Astra Streaming

Enabling CDC for Astra Streaming results in increased usage costs based on your Astra Streaming usage.

Free plans

For free plans, your remaining credits will be displayed. These credits include the $25 credit that is renewed every month.

Pay as you go plans

For pay as you go plans, you must have a billing method for your account. Any remaining credits are displayed. Any usage amount appears in the Estimated Bill, which is auto-drafted monthly based on Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC).

Annual plans

For the annual plan, you are committing to the minimum monthly spend for 12 months. Your remaining credits display the balance of any unused credits you have, along with the committed monthly minimum that is billed in arrears at the end of the month. If you exceed your credit and committed monthly minimum, the overages will be charged at your discounted rate. This amount shows up in the Estimated Bill, which is auto-drafted monthly based on Greenwich Mean Time (GMT), also known as Coordinated Universal Time (UTC).

Private endpoints

Private endpoints are charged per endpoint per region at $0.01/hour.

Additionally, you will be billed for ingress and egress data at $0.01/GB for all data that uses the private endpoint. If you exceed your monthly credit and you do not have a payment method in Astra DB, your database will not be available for use until you add a payment method.

Egress charges for private endpoints are in addition to your regular data egress charges.

Classic pricing

Classic databases can no longer be created through the Astra DB console. We recommend migrating your database to our current serverless option, which could save you money and allow you to manage your compute and storage capabilities separately.

Pricing for Astra DB classic databases is based on plan, units of measure, cloud provider, and region.

The cost of your classic Astra DB database depends on the classic database plan you select. Classic Astra DB databases use a single capacity unit (CU) by default, which represents three database instances that are grouped together for three replicas. The classic database plan represents the amount of compute power allocated to each CU, and represents three compute instances per CU. Classic database pricing is presented in the DataStax Astra console in hourly terms, but billed in one-minute granularity.

Cloud providers and regions

You can select AWS, Google Cloud, or Azure as your cloud provider. Each cloud provider offers Standard, Premium and Premium+ regions. The cloud provider and region you select affect the price of each unit of measure for your database.

Effective July 1, 2022, Astra Classic Multi-region and Data Transfer pricing will be the same as Astra Serverless pricing. For more details on the definitions of "Multi-Region" and "Data Transfer" as well as respective pricing, please visit the Astra Serverless pricing page. The pricing below will remain in effect until June 30, 2022.

Multiple regions

If you are using multiple regions for your classic database, you will pay a pricing premium for each additional region:

  • 15% premium for US and EMEA

  • 30% premium for APAC

This premium pricing includes 1.25 TB of data egress. If your data egress exceeds 1.25 TB, the excess data egress is charged at the following rates:

  • $0.03/GB for AWS US and EMEA regions

  • $0.03/GB for Google Cloud North America regions

  • $0.11/GB for all other clouds/regions combinations

Billing

Astra DB handles billing through an integration with Stripe, and displays all related billing information in the Billing & Payments section of your Organization.
In Billing & Payments, you will see your plan and payment method, along with when the plan was created. You can select Manage to change your plan.

You can also update your payment method in the Billing & Payments section. Your Billing & Payments will also display each database included in your server, allowing you to see what your total cost is per database.

Managing payment methods


Update the payment method you entered when creating your DataStax Astra DB database. Before your monthly credit runs out, you must enter your credit card number and associated billing information to ensure your database remains accessible.

Enter updated credit card information and associated billing details, or delete the existing payment method.

Astra DB supports one payment method for each organization.

Updating your payment information

  1. From any page in Astra DB, select the Organizations dropdown.

  2. In the main dropdown, select Organization Settings.

  3. From Billing & Payment, select Invite User.

    • From your Astra Dashboard, select Add Payment Method or Update beside the existing payment method.

    • In the Update Payment Method menu, confirm that you want to Update your payment method.

    • Enter the new billing information and Save.

Your payment method is updated. All future billing will use the new payment entered.

Removing a Payment Method

Use this section to remove any payment method associated with Astra DB serverless and Astra Streaming.

Before removing your payment method, consider two things: any outstanding balance for your organization and any premium features added to this plan. A premium feature, such as multi-region or private endpoints, is optionally applied to a resource.

To remove your payment method, open your Astra DB account and go to Billing. Your organization’s dashboard of billing services and payments made is available for viewing. Click Remove.

Prerequisites

Ensure your organization meets the following requirements to remove your payment method:

  • With no outstanding balance and no premium features, you can remove your payment method at any time. A dialog box appears to confirm you want to remove the payment method; select Remove Payment Method.


    A message appears that you have successfully removed the payment method. An email is also sent for your records.

  • If you have no outstanding balance but do have premium features, you must remove all of these features before you can proceed. Click the link for each premium feature to remove it.

  • If you have an outstanding balance and no premium features, you must wait until the next billing cycle to settle this account.

  • If you have an outstanding balance and premium features, you must remove your premium features before you can remove your payment method. You must wait until the next billing cycle to settle this account.


Removing premium features

Each premium feature is unique and has specific instructions for removal. The following links offer instructions on removing the following premium features: