A newer version of this documentation is available.

View Latest

RBAC for Applications

Role-Based Access Control precisely determines an application’s ability to read and write data.

Roles and Privileges

Couchbase roles each have a fixed association with a set of one or more privileges. Each privilege is associated with a resource. Privileges are actions such as Read, Write, Execute, Manage, Flush, or List; or a combination of some or all of these.

When an application attempts to access a resource, the application’s roles and privileges are checked by Couchbase Server. If the assigned roles contain privileges that support the kind of access that is being attempted, access is granted; otherwise, it is denied.

The following list contains all application-roles supported by Couchbase RBAC. Each role explained by means of a description and a table: the table lists the privileges in association with resources. Where a privilege is associated with a resource, this is indicated with a check-mark. Where a privilege is not associated with a resource (or where association would not be applicable), this is indicated with a cross.

Access to Couchbase Web Console

Only a subset of application-roles are granted access to the Couchbase Web Console. In the tables below, if a UI row is included, the role is granted the UI-related privilege indicated in the row, and the username and password associated with the role can therefore be used to log into the console. If no UI row is included, no UI-related privilege is granted; and the username and password cannot therefore be used to log into the console.

Bucket Full Access

The Bucket Full Access role provides full access to bucket data. Note that this privilege is available for the Community Edition of Couchbase Server, as well as for Enterprise Edition.

The role is provided in support of buckets that were created on versions of Couchbase Server prior to 5.0. Such buckets were accessed by specifying bucket-name and bucket-password: however, bucket-passwords are not recognized by Couchbase Server 5.0 and after. Therefore, for each pre-existing bucket, the 5.0 upgrade-process creates a new user, whose username is identical to the bucket-name; and whose password is identical to the former bucket-password, if one existed. If no bucket-password existed, the user is created with no password. This migration-process allows the same name-combination as before to be used in authentication. To ensure backwards compatibility, each system-created user is assigned the Bucket Full Access role, which authorizes the same read-write access to bucket-data as was granted before 5.0.

Use of the Bucket Full Access role is deprecated for buckets created on Couchbase Server 5.0 and after: use the other bucket-access roles provided.

The tables below list each bucket’s name followed by its alias name in parenthesis. The alias names are used in commands and are accessible only by N1QL queries.
Role: Bucket Full Access (bucket_full_access)
Resources Privileges
Read Write Execute Manage Flush

Bucket [ * | bucket-name ]: Data

yes

yes

yes

yes

no

Bucket [ * | bucket-name ]: Views

yes

yes

yes

yes

no

N1QL: Index

yes

yes

yes

yes

no

N1QL: Other

yes

yes

yes

no

no

Bucket: [ * | bucket-name ]

yes

no

no

no

yes

Pools

yes

no

no

no

no

Data Reader

The Data Reader role allows data to be read from a specified bucket. Note that the role does not permit the running of N1QL queries (such as SELECT) against data.

Role: Data Reader (data_reader)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: Docs

yes

no

no

no

Bucket [ * | bucket-name ]: Meta

yes

no

no

no

Bucket [ * | bucket-name ]: Xattr

yes

no

no

no

Pools

yes

no

no

no

Data Writer

The Data Writer role allows information to be written to and read from a specified bucket.

Role: Data Writer (data_writer)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: Docs

yes

yes

no

no

Bucket [ * | bucket-name ]: Xattr

yes

yes

no

no

Pools

yes

no

no

no

Data DCP Reader

The Data DCP Reader role allows DCP streams to be read.

Role: Data DCP Reader (data_dcp_reader)
Resources Privileges
Read Write Execute Manage

Bucket: [ * | bucket-name ]: Docs

yes

no

no

no

Bucket: [ * | bucket-name ]: Meta

yes

no

no

no

Bucket: [ * | bucket-name ]: DCP

yes

no

no

no

Bucket: [ * | bucket-name ]: Sxattr

yes

no

no

no

Bucket: [ * | bucket-name ]: Xattr

yes

no

no

no

Admin: Memcached: Idle

no

yes

no

no

Pools

yes

no

no

no

Data Backup

The Data Backup role allows data to be backed up and restored.

Role: Data Backup (data_backup)
Resources Privileges
Read Write Execute Manage

Bucket: [ * | bucket-name ]: Data

yes

yes

no

no

Bucket: [ * | bucket-name ]: Views

yes

yes

no

no

Bucket: [ * | bucket-name ]: FTS

yes

yes

no

yes

Bucket: [ * | bucket-name ]: Stats

yes

no

no

no

Bucket: [ * | bucket-name ]: Settings

yes

no

no

no

Bucket: [ * | bucket-name ]: Pools

yes

no

no

no

Data Monitoring

The Data Monitoring role allows all bucket-statistics to be read.

Role: Data Monitoring (data_monitoring)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: Stats

yes

no

no

no

Pools

yes

no

no

no

Views Reader

The Views Reader role allows all views to be read.

Role: Views Reader (views_reader)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: Data

yes

no

no

no

Bucket [ * | bucket-name ]: Views

yes

no

no

no

FTS Searcher

The role FTS Searcher allows Full Text Search indexes to be searched by users with appropriate bucket-privileges.

Role: FTS Searcher (fts_searcher)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: FTS

yes

no

no

no

Settings: FTS

yes

no

no

no

UI

yes

no

no

no

Pools

yes

no

no

no

Query Select

The Query Select role allows the SELECT statement to be executed on a specified bucket.

Role: Query Select (query_select)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: N1QL, SELECT

no

no

yes

no

UI

yes

no

no

no

Pools

yes

no

no

no

Query Update

The Query Update role allows the UPDATE statement to be executed on a specified bucket.

Role: Query Update (query_update)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: N1QL, UPDATE

no

no

yes

no

UI

yes

no

no

no

Pools

yes

no

no

no

Query Insert

The Query Insert role allows the INSERT statement to be executed on a specified bucket.

Role: Query Insert (query_insert)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: N1QL, INSERT

no

no

yes

no

UI

yes

no

no

no

Pools

yes

no

no

no

Query Delete

The Query Delete role allows the DELETE statement to be executed on a specified bucket.

Role: Query Delete (query_delete)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: N1QL, DELETE

no

no

yes

no

UI

yes

no

no

no

Pools

yes

no

no

no

Query Manage Index

The Query Manage Index role allows indexes to be managed for a specified bucket.

Role: Query Manage Index (query_manage_index)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: N1QL, INDEX

yes

yes

yes

yes

UI

yes

no

no

no

Pools

yes

no

no

no

Query System Catalog

The Query System Catalog role allows information to be looked up in the system catalog: this includes system:indexes, system:prepareds, and tables listing current and past queries. This role is designed for troubleshooters, who need to debug queries.

Role: Query System Catalog (query_system_catalog)
Resources Privileges
Read Write Execute Manage List

Bucket [ * | bucket-name ]: N1QL, INDEX

no

no

no

no

yes

Bucket [ * | bucket-name ]: N1QL, Meta

yes

no

no

no

no

UI

yes

no

no

no

no

Pools

yes

no

no

no

no

Query External Access

The Query External Access role allows the N1QL CURL function to be executed by an externally authenticated user.

Note that the Query External Access role should be assigned with caution, since it entails risk: CURL runs within the local Couchbase Server network; therefore, the assignee of the Query External Access role is permitted to run GET and POST requests on the internal network, while being themselves externally located.

For an account of limitations on CURL, see CURL Function.

Role: Query External Access (query_external_access)
Resources Privileges
Read Write Execute Manage

Bucket [ * | bucket-name ]: N1QL, curl

no

no

yes

no

UI

yes

no

no

no

Pools

yes

no

no

no

System Keyspaces (Tables)

In Couchbase Server 5.0, three new system keyspaces have been added:

  • system:applicable_roles

  • system:my_user_info

  • system:user_info

Along with these three keyspaces, meta data related to roles and user access has been added as well.

This brings the total number of system keyspaces up to 12:

System Catalogs

Monitoring Catalogs

Security Catalogs

SELECT Operations on System Keyspaces

All of the system keyspaces support SELECT operations and are divided into the below security levels:

concepts rba for apps table SELECT