GRANT

    The GRANT statement allows granting any RBAC roles to a specific user or group.

    Roles can be of the following two types:

    simple

    Roles which apply generically to all keyspaces or resources in the cluster.

    For example: cluster_admin or bucket_admin

    parameterized by a keyspace

    Roles which are defined for the context of the specified keyspace only. Specify the keyspace name after the keyword ON.

    The keyspace must be fully qualified and must include the bucket, scope, and collection names. Even if you’re granting a role to an entire bucket, you must specify the default scope (_default) and default collection (_default). Using only the bucket name is not sufficient.

    For example: data_reader ON `travel-sample`.`_default`.`_default`
    or query_select ON `travel-sample`.`inventory`.`airline`

    To run the GRANT statement, you must be an Organization Owner or Project Owner.

    Syntax

    grant ::= grant-user | grant-group

    grant-user ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
              'TO' ( 'USER' | 'USERS' )? user ( ',' user )*

    grant-group ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
              'TO' ( 'GROUP' | 'GROUPS' ) group ( ',' group )*
    role

    One of the RBAC role names predefined by Couchbase Capella.

    For the following roles, you can use their short forms as well:

    • query_select (short form: select)

    • query_insert (short form: insert)

    • query_update (short form: update)

    • query_delete (short form: delete)

    keyspace-ref

    Keyspace Reference

    user

    A user name created by the Couchbase Capella RBAC system.

    group

    A group name created by the Couchbase Server RBAC system.

    When granting roles to users, the keyword USER or USERS is optional. However, when granting roles to groups, you must include the keyword GROUP or GROUPS. You can use either the singular or plural form of these keywords as this does not affect the number of users or groups the role applies to.

    Keyspace Reference

    keyspace-ref ::= keyspace-path | keyspace-partial

    keyspace-path ::= ( namespace ':' )? bucket ( '.' scope '.' collection )?

    keyspace-partial ::= collection

    The simple name or fully qualified name of a keyspace. For more information about the syntax, see the CREATE INDEX statement.

    Usage

    GRANT statements have two forms:

    1. Unparameterized roles (no ON clause)

    GRANT replication_admin, query_external_access
       TO cchaplan, jgleason;

    2. Parameterized roles (ON clause naming the keyspace)

    GRANT query_select, views_admin
       ON `retail`.`customers`.`orders`
       TO bill, linda;

    A single statement cannot mix parameterized and unparameterized roles, or the two syntax forms; doing so produces an error.

    Examples

    Example 1. Grant the role of Cluster Admin to multiple users
    GRANT cluster_admin TO david, michael, robin;
    Example 2. Grant Query Select and Data Reader roles on a keyspace to a specific user
    GRANT query_select, data_reader ON `travel-sample`.`_default`.`_default` TO debby;
    Example 3. Grant the role of Data Reader on a keyspace to a specific group
    GRANT data_reader ON `travel-sample`.`inventory`.`hotel` TO GROUP sales;
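The following validator is an added example, not Couchbase code; it checks a GRANT statement against the syntax and usage rules described above (optional ON clause, fully qualified bucket.scope.collection keyspace, no mixing of simple and keyspace-parameterized roles, mandatory GROUP/GROUPS keyword for groups, and the four query short forms) so that malformed or over-broad grants can be caught in review before they reach a cluster. The role sets it knows about are an assumption restricted to the roles this page mentions; the real Capella role catalogue is larger, and the tokenizer handles only the backtick-quoted identifier form shown on the page.

```python
from dataclasses import dataclass, field

# Added example, not Couchbase code. Role sets are an ASSUMPTION limited to the
# roles this page mentions; the real Capella role catalogue is larger.
SIMPLE_ROLES = {"cluster_admin", "bucket_admin", "replication_admin",
                "query_external_access"}
KEYSPACE_ROLES = {"data_reader", "views_admin", "query_select",
                  "query_insert", "query_update", "query_delete"}
SHORT_FORMS = {"select": "query_select", "insert": "query_insert",
               "update": "query_update", "delete": "query_delete"}


@dataclass
class Grant:
    roles: list = field(default_factory=list)      # normalized role names
    keyspaces: list = field(default_factory=list)  # (namespace, bucket, scope, collection)
    target_kind: str = "user"                      # "user" or "group"
    targets: list = field(default_factory=list)


def tokenize(stmt):
    """Split on whitespace, ',' and ';'; backtick-quoted identifiers stay whole."""
    tokens, cur, i = [], "", 0
    while i < len(stmt):
        ch = stmt[i]
        if ch == "`":                      # copy `...` verbatim into the token
            end = stmt.find("`", i + 1)
            if end < 0:
                raise ValueError("unterminated backtick identifier")
            cur, i = cur + stmt[i:end + 1], end + 1
            continue
        if ch.isspace() or ch in ",;":
            if cur:
                tokens.append(cur)
                cur = ""
            if ch == ",":
                tokens.append(",")
        else:
            cur += ch
        i += 1
    return tokens + [cur] if cur else tokens


def split_list(tokens, what):
    """Comma-separated list: one token per item, no empty or trailing items."""
    items, expect_item = [], True
    for tok in tokens:
        if (tok == ",") == expect_item:
            raise ValueError(f"malformed {what} list near {tok!r}")
        if tok != ",":
            items.append(tok)
        expect_item = tok == ","
    if expect_item:
        raise ValueError(f"{what} list is empty or ends with a comma")
    return items


def split_keyspace(ref):
    """Split keyspace-path on '.' outside backticks; require bucket.scope.collection."""
    parts, cur, quoted = [], "", False
    for ch in ref:
        if ch == "`":
            quoted = not quoted
        elif ch == "." and not quoted:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    parts.append(cur)
    namespace = None
    if ":" in parts[0]:                  # optional 'namespace:' prefix
        namespace, parts[0] = parts[0].split(":", 1)
    if len(parts) != 3 or "" in parts:
        raise ValueError(f"keyspace {ref!r} must be bucket.scope.collection "
                         "(use `_default`.`_default` for the whole bucket)")
    return (namespace, *parts)


def parse_grant(stmt):
    """Parse one GRANT statement and enforce the rules stated on the page."""
    toks = tokenize(stmt)
    if not toks or toks[0].upper() != "GRANT":
        raise ValueError("statement must start with GRANT")
    upper = [t.upper() for t in toks]
    if "TO" not in upper:
        raise ValueError("missing TO clause")
    to_idx = upper.index("TO")
    on_idx = upper.index("ON") if "ON" in upper[:to_idx] else None
    grant = Grant()
    for raw in split_list(toks[1:to_idx if on_idx is None else on_idx], "role"):
        name = SHORT_FORMS.get(raw.lower(), raw.lower())   # expand short forms
        if name not in SIMPLE_ROLES | KEYSPACE_ROLES:
            raise ValueError(f"unknown role {raw!r}")
        grant.roles.append(name)
    parameterized = [r for r in grant.roles if r in KEYSPACE_ROLES]
    if on_idx is not None:
        if len(parameterized) != len(grant.roles):
            raise ValueError("cannot mix simple roles with ON keyspace")
        grant.keyspaces = [split_keyspace(k)
                           for k in split_list(toks[on_idx + 1:to_idx], "keyspace")]
    elif parameterized:
        raise ValueError(f"roles {parameterized} need ON keyspace")
    rest = toks[to_idx + 1:]
    if rest and rest[0].upper() in ("GROUP", "GROUPS"):   # keyword required for groups
        grant.target_kind, rest = "group", rest[1:]
    elif rest and rest[0].upper() in ("USER", "USERS"):   # keyword optional for users
        rest = rest[1:]
    grant.targets = split_list(rest, grant.target_kind)
    return grant


def check(stmt):
    """Return None if the statement is acceptable, else the error message."""
    try:
        parse_grant(stmt)
        return None
    except ValueError as exc:
        return str(exc)
```

Running check() over a batch of proposed GRANT statements in a change-review pipeline surfaces the two mistakes this page warns about, a bucket-only keyspace and a mixed simple/parameterized role list, before anyone with Organization Owner or Project Owner rights executes them; parse_grant() additionally yields the normalized role names and the parsed keyspace tuple, which is convenient for diffing a proposed grant against an expected least-privilege baseline.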