Role-based access control (RBAC) model in YCQL

docs/content/stable/secure/authorization/rbac-model-ycql.md

2026.1.0.0-b253.0 KB

Role-based access control (RBAC) consists of a collection of permissions on resources given to roles.


Roles

Roles in YCQL can represent individual users or a group of users. They encapsulate a set of permissions that can be assigned to other roles (or users). Roles are essential to implementing and administering access control on a YugabyteDB cluster. Below are some important points about roles:

  • Roles that have the LOGIN privilege are users. Hence, all users are roles, but not all roles are users.

  • Roles can be granted to other roles, making it possible to organize roles into a hierarchy.

  • Roles inherit the permissions of all other roles granted to them.

Resources

YCQL defines a number of specific resources that represent underlying database objects. A resource can denote one object or a collection of objects. YCQL resources are hierarchical, as described below:

  • Keyspaces and tables follow the hierarchy: ALL KEYSPACES > KEYSPACE > TABLE
  • ROLES are hierarchical (they can be assigned to other roles). They follow the hierarchy: ALL ROLES > ROLE #1 > ROLE #2 ...

The table below lists the various resources.

| Resource | Description |
| --- | --- |
| KEYSPACE | Denotes one keyspace. Typically includes all the tables and indexes defined in that keyspace. |
| TABLE | Denotes one table. Includes all the indexes defined on that table. |
| ROLE | Denotes one role. |
| ALL KEYSPACES | Collection of all keyspaces in the database. |
| ALL ROLES | Collection of all roles in the database. |

Permissions

Permissions are necessary to execute operations on database objects. Permissions can be granted at any level of the database hierarchy and are inherited downwards. The set of permissions includes:

| Permission | Objects | Operations |
| --- | --- | --- |
| ALTER | keyspace, table, role | ALTER |
| AUTHORIZE | keyspace, table, role | GRANT PERMISSION, REVOKE PERMISSION |
| CREATE | keyspace, table, role, index | CREATE |
| DROP | keyspace, table, role, index | DROP |
| MODIFY | keyspace, table | INSERT, UPDATE, DELETE, TRUNCATE |
| SELECT | keyspace, table | SELECT |
| DESCRIBE (not implemented) | role | LIST ROLES |

{{< note title="Note" >}}

The ALTER permission on the base table is required in order to CREATE or DROP indexes on it.

{{< /note >}}
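The following YCQL session is an added example, not part of the original page or of the YugabyteDB documentation. It ties the Roles and Permissions sections together: a group role without login, a login user that inherits from it, a grant at the KEYSPACE level that flows down to every table in the keyspace, a narrower TABLE-level grant, and the ALTER grant on the base table that the note above says index creation requires. The role names `app_readers`, `alice`, `app_admin`, the keyspace `app_ks`, the table `app_ks.events` and the password value are all assumptions.

```sql
-- Added example (not from the YugabyteDB docs). Role, keyspace and table
-- names are assumed; the password is a placeholder to be replaced.

-- A group role: no LOGIN, so it is a role but not a user. It only holds
-- permissions that other roles inherit.
CREATE ROLE IF NOT EXISTS app_readers;

-- A user is a role with LOGIN = true.
CREATE ROLE IF NOT EXISTS alice WITH PASSWORD = '<placeholder-password>' AND LOGIN = true;

-- Role hierarchy: alice inherits every permission granted to app_readers.
GRANT app_readers TO alice;

-- A permission granted at the KEYSPACE level is inherited downwards by every
-- table in that keyspace, so alice can SELECT from all tables in app_ks.
GRANT SELECT ON KEYSPACE app_ks TO app_readers;

-- Narrower grant: MODIFY on one table only, not on the whole keyspace.
GRANT MODIFY ON TABLE app_ks.events TO alice;

-- As the note above states, CREATE or DROP of an index needs ALTER on the
-- base table, so grant it on that table rather than on the keyspace.
GRANT ALTER ON TABLE app_ks.events TO alice;

-- Delegation: AUTHORIZE on the keyspace lets app_admin grant and revoke
-- permissions on app_ks (and, by inheritance, on its tables) to other roles.
CREATE ROLE IF NOT EXISTS app_admin;
GRANT AUTHORIZE ON KEYSPACE app_ks TO app_admin;

-- Audit what was granted by reading the permissions catalog.
SELECT * FROM system_auth.role_permissions;

-- Least privilege: once the index exists, take the table-level ALTER back.
REVOKE ALTER ON TABLE app_ks.events FROM alice;
```

Run the statements in ycqlsh as a superuser on a cluster with YCQL authentication enabled. The final SELECT is the check worth repeating after any change: it shows, per role and resource, exactly which permissions are held directly, and the role hierarchy (here, alice via app_readers) is what extends them to the inheriting user.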

Read more about permissions in YCQL.