Configure Access Control
Configure fine-grained access control to define which collections each edge client user can read from or write to.
Prerequisites
-
Couchbase Edge Server {version} or later.
-
A users file configured for your deployment. See Authentication.
-
Users must authenticate using Basic Auth or mTLS client certificates.
Enable Access Control on a Database
Access control enforcement is opt-in and is configured at the server level.
Set enable_user_access_control to true in the top-level server configuration.
{
"enable_user_access_control": true,
"databases": {
"mydb": { }
}
}
When this property is not set or is set to false, all configured users have unrestricted read and write access to all collections in all databases.
Define User Access Permissions
Access permissions are defined in the users file using the access property.
Each entry maps a keyspace pattern to an array of permitted operations.
{
"$schema": "…/users_schema.json",
"appUser": {
"access": {
"travel.*": ["read"],
"travel.inventory.hotels": ["write"],
"travel.inventory.landmarks": ["read", "write"],
"sales": ["read"]
},
"password": "<<bcrypt password>>"
},
"admin": {
"roles": ["admin"],
"password": "<<bcrypt password>>"
}
}
In this example:
-
appUserhas read access to all collections in thetraveldatabase. -
appUserhas write-only access to thehotelscollection in thetravel.inventoryscope. -
appUserhas read and write access to thelandmarkscollection in thetravel.inventoryscope. -
appUserhas read access to the_default._defaultcollection of thesalesdatabase. -
adminhas unrestricted access to all databases as an admin role user.
The password field is optional when using mTLS certificate-based authentication.
If provided, it is ignored for mTLS users.
|
Keyspace Pattern Reference
| Pattern | Target |
|---|---|
|
A specific collection within a specific scope. |
|
All collections within a specific scope. |
|
All collections within the database, including |
|
The |
|
A named collection within the |
Next Steps
-
To restrict which named queries a user can execute, see configuration:configure-query-access.adoc.
-
To review how Couchbase Edge Server enforces access control across REST operations, see configuration:fine-grained-access-control.adoc.