Configure Database Users

    +
    Only database users can access data on clusters.

    About Database Users

    Database users are different than organization users. For example, an organization user is allowed to log into the Couchbase Cloud UI and administrate a cluster (e.g. add nodes, create buckets, configure backups, etc). However, to access any data on that same cluster, the organization user requires a database user entity.

    A database user entity is specific to a cluster, and consists of a username, password, and a set of bucket privileges. A database user entity is required for applications to remotely authenticate on a cluster and access bucket data. Likewise, an organization user will need a database user entity assigned to them if they are to access bucket data on a particular cluster either remotely or through the Couchbase Cloud UI.

    Database User Roles and Privileges

    Database user roles are assigned on a per-bucket basis. For example, a database user can be assigned a single role for all buckets in a cluster, or different roles for different sets of buckets.

    The following table describes the available bucket roles and their associated privileges.

    Table 1. Database User Roles
    Role Description

    Database Read/Write

    Grants the privileges of the following Couchbase roles:

    Database Read

    Grants the privileges of the following Couchbase roles:

    Creating Database Users

    There are two ways to create database users:

    1. Create a Database User Entity for an Organization User

      This is the method that you’ll need to use in order to grant an organization user access to things like the Query Workbench and the document editor/viewer in the Couchbase Cloud UI.

    2. Create a Database-only User

    Create a Database User Entity for an Organization User

    In order to create a database user entity for an existing organization user, you must have Project Edit privileges for the project that contains the cluster on which you are creating the database user.

    An organization user can have multiple database user entities across multiple clusters, but can only have one database user entity per cluster.

    1. Go to the Users tab in the main navigation.

    2. Search for the user whom you wish to grant database access, and then click on their name.

      This opens the user’s fly-out menu.

    3. In the Database Users section, click Add Another.

    4. Select a cluster.

      Using the Select Cluster drop-down menu that appears, specify the cluster on which to create the database user entity. Only the clusters that you have access to will appear in the drop-down menu.

    5. Configure the database user.

      1. Specify a username and password.

        In the Username and Password fields, enter the username and password for the database user entity. These will be the credentials that the organization user will use for authenticating on the cluster when connecting remotely via the Couchbase SDK or other tools. Note that the username cannot exceed 128 UTF-8 characters in length and cannot contain the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }

        The password can be changed later, but there is no way to retrieve it — store a copy of the password if necessary.

      2. Configure bucket access.

        Use the Choose Buckets field to specify the data buckets on the cluster that the user will have access to.

        If you wish to grant the user access to all current and future buckets, then leave the field blank.

        If you wish to limit access to a specific selection of buckets, you can do so by specifying each individual bucket. Clicking on the field will show a truncated drop-down list of all of the buckets in the selected cluster. If you don’t see the desired bucket at first, you can start typing the name of the bucket until it shows up in the list.

        Use the radio buttons to select whether the user will have Read or Read/Write permissions for the specified buckets.

        Note that if you left the Choose Buckets field blank, then whatever level of access you select will apply to all current and future buckets on the cluster. (For more information about cluster permission types, refer to the section About Database User Permissions section on this page.)

    6. Once you’ve finished making the desired configurations, click Save.

    It’s important to remember that database user credentials can’t be used for logging into the Couchbase Cloud UI or managing Couchbase Cloud features. The credentials can only be used for the purposes of reading or writing bucket data via the Couchbase SDK and other supported tools.

    Create a Database-only User

    In order to create a database-only user, you must have Project Edit privileges for the project that contains the cluster on which you are creating the database user entities.

    A database-only user can have multiple database user entities across multiple clusters, but can only have one database user entity per cluster.

    1. Go to the Users tab in the main navigation.

    2. Click Add Users.

      This opens the Add Users fly-out menu.

    3. Make sure that only the Add Database User box is checked. (The Add Couchbase Cloud User box should be unchecked.)

      This procedure assumes that you are creating a database-only user by only checking the box for Add Database User.

      You can check the boxes for both Add Couchbase Cloud User and Add Database User if you are simultaneously inviting a new user to your organization and creating a database user entity for them.

    4. Enter the User Details.

      Full Name

      Enter a name for the database-only user. Note that this is only the name that will appear in the Couchbase Cloud UI, and is not the username of the database user (you’ll configure that later).

      Email

      Enter an email address for the database-only user. It’s recommended that you use an email address that is shared between the people who are responsible for maintaining the database-only user, such as a database administration team.

      If you enter an email address that is associated with an existing organization user, then a database-only user will not be created. Instead, a database user entity will be created under the existing organization user.

    5. Select a cluster.

      In the Add Database User(s) section, use the Select Cluster drop-down menu to specify the cluster on which to create the database user entity. Only the clusters that you have access to will appear in the drop-down menu.

    6. Configure the database user.

      1. Specify a username and password.

        In the Username and Password fields, enter the username and password for the database user entity. These will be the credentials that can be used for authenticating on the cluster when connecting remotely via the Couchbase SDK or other tools. Note that the username cannot exceed 128 UTF-8 characters in length and cannot contain the following characters: ( ) < > @ , ; : \ " / [ ] ? = { }

        The password can be changed later, but there is no way to retrieve it — store a copy of the password if necessary.

      2. Configure bucket access.

        Use the Choose Buckets field to specify the data buckets on the cluster that the user will have access to.

        If you wish to grant the user access to all current and future buckets, then leave the field blank.

        If you wish to limit access to a specific selection of buckets, you can do so by specifying each individual bucket. Clicking on the field will show a truncated drop-down list of all of the buckets in the selected cluster. If you don’t see the desired bucket at first, you can start typing the name of the bucket until it shows up in the list.

        Use the radio buttons to select whether the user will have Read or Read/Write permissions for the specified buckets.

        Note that if you left the Choose Buckets field blank, then whatever level of access you select will apply to all current and future buckets on the cluster. (For more information about cluster permission types, refer to the section About Database User Permissions section on this page.)

    7. (Optional) Add additional database access.

      To grant additional database access, click Add Another Database User. This allows you to create another database user on a different cluster, but still under the same identity in your organization (the identity you configured in the User Details section).

      A common use for this functionality is to create a single identity in the organization that has different levels of access on different clusters. This can make it easier to manage a set of cluster permissions in one place.

    8. Once you’ve finished making the desired configurations, click Add Users.

      Note that if the box labeled Save and add another user is selected, the fly-out menu will clear out once the user is added, allowing you to add an additional user more quickly.

    It’s important to remember that database user credentials can’t be used for logging into the Couchbase Cloud UI or managing Couchbase Cloud features. The credentials can only be used for the purposes of reading or writing bucket data via the Couchbase SDK and other supported tools.

    Modify a User’s Existing Database Access

    You can modify the existing database access of an organization user or database-only user via their respective fly-out menus.

    In order to modify an existing user’s database access, you must have Project Edit privileges for the project that contains the relevant cluster of the database user entity you are modifying.

    1. Go to the Users tab in the main navigation.

    2. Search for the user whose database access you wish to modify, and then click on their name.

      This opens the user’s fly-out menu.

    3. In the Database Users section, click on the database user entity you wish to modify.

    4. Modify the database user configuration.

      1. To modify the database user’s password, enter a new password in the Password field.

      2. To grant access to all current and future buckets on the cluster, select the All Buckets radio button and use the Bucket Permissions drop-down menu to specify the role that the database user should have on those buckets.

      3. To grant granular access to different sets of buckets, select the Selected Buckets radio button, and then use the appropriate fields to specify which buckets the database user should have Read and Read/Write access to.

    5. Once you’ve finished making the desired configurations, click Save.

    Remove a User’s Database Access

    You can delete the database user entity associated with an organization user or database-only user via their respective fly-out menus.

    In order to delete the database user entity, you must have Project Edit privileges for the project that contains the relevant cluster of the database user entity you are deleting.

    1. Go to the Users tab in the main navigation.

    2. Search for the user whose database user entity you wish to delete, and then click on their name.

      This opens the user’s fly-out menu.

    3. In the Database Users section, find the database user entity you wish to delete, and click the Trash icon.

      The database user entity is deleted from the cluster.