Access Control
Fine-grained access control lets you define read and write permissions for downstream edge clients at the database, scope, and collection level. This enables multiple applications to share a single Couchbase Edge Server instance while keeping each application’s data isolated.
Overview
By default, all configured users have unrestricted read and write access to all collections in a database.
Fine-grained access control is opt-in.
When you enable it at the server level using enable_user_access_control, Couchbase Edge Server enforces the access permissions you define for each user before allowing any REST operation.
Fine-grained access control applies to downstream edge clients accessing Couchbase Edge Server over the REST API or via Couchbase Lite sync. It does not affect upstream replication credentials used to sync with Sync Gateway or Capella App Services.
Keyspace Patterns
Permissions are defined using keyspace patterns. A keyspace pattern identifies a target database, scope, and collection using dot notation.
| Pattern | Target |
|---|---|
|
A specific collection within a specific scope. |
|
All collections within a specific scope. |
|
All collections within the database, including |
|
The |
|
A named collection within the |
Permissions
Each keyspace pattern is assigned an array of one or more permissions.
| Permission | Effect |
|---|---|
|
The user can read documents from the targeted keyspace. |
|
The user can create, update, and delete documents in the targeted keyspace. Write-only access to a collection is supported for drop-box scenarios. |
Enforcement Behavior
When enable_user_access_control is set to true on a database, Couchbase Edge Server checks the requesting user’s permissions against the target keyspace for every REST call.
The following table describes how enforcement applies to each operation type.
| Operation Type | REST Operations | Access Requirement |
|---|---|---|
General access |
Any REST call |
The user must have |
Data visibility |
|
The user must have |
Data mutation |
|
The user must have |
Query execution |
|
The user must have access to the named query, as determined by the query’s access configuration. See configuration:configure-query-access.adoc. |
Data synchronization |
|
Pull requires |
Administrative tasks |
|
Requires the |
Unauthorized requests and requests targeting keyspaces that do not exist both return 403 Forbidden.
This prevents users from discovering keyspaces they are not authorized to access.
|