Roles
A Couchbase role permits one or more resources to be accessed according to defined privileges.
Roles and Privileges
Couchbase roles each have a fixed association with a set of one or more privileges. Each privilege is associated with a resource. Privileges are actions such as Read, Write, Execute, Manage, Flush, and List; or a combination of some or all of these.
Roles are of two kinds:
-
Administration and Global: Associated with cluster-wide privileges. Some of these roles are for administrators; who might manage cluster-configurations; or read statistics; or enforce security. Others are for users and user-defined applications that require access to specific, cluster-wide resources.
-
Per Bucket: Associated with one or more buckets. These roles support the reading and writing of bucket-settings; the management of services, indexes, and replication procedures; and access to data.
When an administrator, user, or application attempts to access a resource, they must authenticate, by means of a username and password. The roles and privileges associated with these credentials are checked by Couchbase Server. If the associated roles contain privileges that support the kind of access that is being attempted, access is granted; otherwise, it is denied.
The following list contains all roles supported by Couchbase Server, Enterprise Edition. Each role is explained by means of a description and (in most cases) a table: the table lists the privileges in association with resources. The header of each table states the role’s name, followed by its alias name in parentheses: alias names are used in commands and queries. In each table-body, where a privilege is associated with a resource, this is indicated with a check-mark. Where a privilege is not associated with a resource (or where association would not be applicable), this is indicated with a cross. Resources not referred to in a particular table have no privileges associated with them in the context of role being described.
Note that some roles grant access to Couchbase Web Console; while others do not. The set of features displayed within the console varies, according to role.
Note also that any authentication failure will be logged in the log file for the resource on which access was attempted. See Manage Logging, for detailed information on using log files.
Full Admin
The Full Admin role (an Administration and Global role) supports full access to all Couchbase-Server features and resources, including those of security. The role allows access to the Couchbase Web Console, and allows the reading and writing of bucket-data.
This role is also available in Couchbase Server Community Edition.
Cluster Admin
The Cluster Admin role (an Administration and Global role) allows the management of all cluster features except security. The role allows access to Couchbase Web Console, but does not permit the writing of data.
Role: Cluster Admin (cluster_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Cluster (except Passwords) |
|
|
|
|
UI (except Passwords) |
|
|
|
|
Security (except Passwords) |
|
|
|
|
Bucket Data |
|
|
|
|
Security Admin
The Security Admin role (an Administration and Global role) allows the management of user roles and the reading of all cluster statistics. The role does not permit the granting of Full Admin or Security Admin roles, and does not permit the administrator to change their own role (which therefore remains Security Admin). The role supports access to Couchbase Web Console, but does not support the reading of data.
Role: Security Admin (security_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Cluster |
|
|
|
|
UI (except Security) |
|
|
|
|
Security (including UI) |
|
|
|
|
Bucket Data |
|
|
|
|
Read-Only Admin
The Read-Only Admin role (an Administration and Global role) supports the reading of Couchbase clServer-statistics: this includes registered usernames with roles and authentication domains, but excludes passwords. The role allows access to Couchbase Web Console.
This role is also available in Couchbase Server Community Edition.
Role: Read-Only Admin (ro_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Cluster |
|
|
|
|
UI (except Passwords) |
|
|
|
|
Security (except Passwords) |
|
|
|
|
Bucket Data |
|
|
|
|
XDCR Admin
The XDCR Admin role (an Administration and Global role) allows use of XDCR features, to create cluster references and replication streams. The role allows access to Couchbase Web Console.
Role: XDCR Admin (replication_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
XDCR for Cluster and Bucket |
|
|
|
|
Bucket Data |
|
|
|
|
Bucket Settings |
|
|
|
|
UI (XDCR) |
|
|
|
|
UI (Other) |
|
|
|
|
Query Curl Access
The Query Curl Access role (an Administration and Global role) allows the N1QL CURL function to be executed by an externally authenticated user. The user can access Couchbase Web Console, but cannot read data, other than that returned by the N1QL CURL function.
Note that the Query Curl Access role should be assigned with caution, since it entails risk: CURL runs within the local Couchbase Server network; therefore, the assignee of the Query Curl Access role is permitted to run GET and POST requests on the internal network, while being themselves externally located.
For an account of limitations on CURL, see CURL Function.
In versions of Couchbase Server prior to 5.5, this role was referred to as Query External Access.
Role: Query Curl Access (query_external_access) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : N1QL, curl |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query System Catalog
The Query System Catalog role (an Administration and Global role) allows information to be looked up by means of N1QL in the system catalog: this includes system:indexes, system:prepareds, and tables listing current and past queries.
This role is designed for troubleshooters, who need to debug queries.
The role allows access to Couchbase Web Console, but does not permit the reading of bucket-items.
Role: Query System Catalog (query_system_catalog) |
|||||
|---|---|---|---|---|---|
| Resources | Privileges | ||||
| Read | Write | Execute | Manage | List | |
Bucket : N1QL, INDEX |
|
|
|
|
|
Bucket : N1QL, Meta |
|
|
|
|
|
UI |
|
|
|
|
|
Pools |
|
|
|
|
|
Analytics Reader
The Analytics Reader role (an Administration and Global role) allows querying of shadow data-sets. The role allows access to Couchbase Web Console, and permits the reading of data.
Role: Analytics Reader (analytics_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : Analytics |
|
|
|
|
Bucket : UI |
|
|
|
|
Pools |
|
|
|
|
Bucket Admin
The Bucket Admin role allows the management of all per bucket features (including starting and stopping XDCR). The role allows access to Couchbase Web Console, but does not permit the reading or writing of data.
Role: Bucket Admin (bucket_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Cluster |
|
|
|
|
Bucket (including XDCR) |
|
|
|
|
Bucket Data |
|
|
|
|
Bucket UI |
|
|
|
|
Other UI |
|
|
|
|
Views Admin
The Views Admin role allows the management of views, per bucket. The role allows access to Couchbase Web Console.
Role: Views Admin (views_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket Data (Views) |
|
|
|
|
Bucket Data (Other) |
|
|
|
|
Bucket Settings |
|
|
|
|
UI (Views) |
|
|
|
|
UI (Other) |
|
|
|
|
Search Admin
The Search Admin role allows management of all features of the Search Service, per bucket. The role allows access to Couchbase Web Console.
In versions of Couchbase Server prior to 5.5, this role was referred to as FTS Admin.
Role: Search Admin (fts_admin) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket Data (Search) |
|
|
|
|
Bucket Data (Other) |
|
|
|
|
Bucket Settings |
|
|
|
|
UI (Search) |
|
|
|
|
UI (Other) |
|
|
|
|
Services and Curl |
|
|
|
|
Pools |
|
|
|
|
Application Access
The Application Access role provides read and write access to data, per bucket. The role does not allow access to Couchbase Web Console: it is intended for applications, rather than users. Note that this role is also available in the Community Edition of Couchbase Server.
The role is provided in support of buckets that were created on versions of Couchbase Server prior to 5.0. Such buckets were accessed by specifying bucket-name and bucket-password: however, bucket-passwords are not recognized by Couchbase Server 5.0 and after. Therefore, for each pre-existing bucket, the upgrade-process for 5.0 and after creates a new user, whose username is identical to the bucket-name; and whose password is identical to the former bucket-password, if one existed. If no bucket-password existed, the user is created with no password. This migration-process allows the same name-combination as before to be used in authentication. To ensure backwards compatibility, each system-created user is assigned the Application Access role, which authorizes the same read-write access to bucket-data as was granted before 5.0.
Use of the Application Access role is deprecated for buckets created on Couchbase Server 5.0 and after: use the other bucket-access roles provided. Note that in versions of Couchbase Server prior to 5.5, this role was referred to as Bucket Full Access.
Role: Application Access (bucket_full_access) |
|||||
|---|---|---|---|---|---|
| Resources | Privileges | ||||
| Read | Write | Execute | Manage | Flush | |
Bucket Data |
|
|
|
|
|
Bucket Views |
|
|
|
|
|
N1QL: Index |
|
|
|
|
|
N1QL: Other |
|
|
|
|
|
Bucket |
|
|
|
|
|
Pools |
|
|
|
|
|
Data Reader
The Data Reader role allows data to be read, per bucket. Note that the role does not permit the running of N1QL queries (such as SELECT) against data. The role does not allow access to Couchbase Web Console: it is intended to support applications, rather than users.
Role: Data Reader (data_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket Docs |
|
|
|
|
Bucket : Meta |
|
|
|
|
Bucket : Xattr |
|
|
|
|
Pools |
|
|
|
|
Data Writer
The Data Writer role allows data to be written, per bucket. The role does not allow access to Couchbase Web Console: it is intended to support applications, rather than users.
Role: Data Writer (data_writer) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : Docs |
|
|
|
|
Bucket : Xattr |
|
|
|
|
Pools |
|
|
|
|
Data DCP Reader
The Data DCP Reader role allows DCP streams to be initiated, per bucket. The role does not allow access to Couchbase Web Console: it is intended to support applications, rather than users. The role does allow the reading of data.
Role: Data DCP Reader (data_dcp_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket: : Docs |
|
|
|
|
Bucket: : Meta |
|
|
|
|
Bucket: : DCP |
|
|
|
|
Bucket: : Sxattr |
|
|
|
|
Bucket: : Xattr |
|
|
|
|
Admin: Memcached: Idle |
|
|
|
|
Pools |
|
|
|
|
Data Backup
The Data Backup role allows data to be backed up and restored, per bucket. The role supports the reading of data. The role does not allow access to Couchbase Web Console: it is intended to support applications, rather than users.
Role: Data Backup (data_backup) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket: : Data |
|
|
|
|
Bucket: : Views |
|
|
|
|
Bucket: : FTS |
|
|
|
|
Bucket: : Stats |
|
|
|
|
Bucket: : Settings |
|
|
|
|
Bucket: : Pools |
|
|
|
|
Data Monitor
The Data Monitor role allows statistics to be read, per bucket. It does not allow access to Couchbase Web Console, and does not permit the reading of data. This role is intended to support application-access, rather than user-access.
In versions of Couchbase Server prior to 5.5, this role was referred to as Data Monitoring.
Role: Data Monitor (data_monitoring) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : Stats |
|
|
|
|
Pools |
|
|
|
|
XDCR Inbound
The XDCR Inbound role allows the creation of inbound XDCR streams, per bucket. It does not allow access to Couchbase Web Console, and does not permit the reading of data.
In versions of Couchbase Server prior to 5.5, this role was referred to as Replication Target.
Role: XDCR Inbound (replication_target) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : Settings |
|
|
|
|
Bucket : Meta |
|
|
|
|
Bucket : Stats |
|
|
|
|
Pools |
|
|
|
|
Analytics Manager
The Analytics Manager role allows management of Analytics, per bucket. It also allows management of shadow datasets, provided that Data Read permission has been granted on the corresponding buckets. This role allows access to Couchbase Web Console.
Role: Analytics Manager (analytics_manager) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : Analytics |
|
|
|
|
Bucket : UI |
|
|
|
|
Bucket : Stats |
|
|
|
|
Pools |
|
|
|
|
Views Reader
The Views Reader role allows data to be read from the views, per bucket. This role does not allow access to Couchbase Web Console, and is intended to support applications, rather than users.
Role: Views Reader (views_reader) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : Docs |
|
|
|
|
Bucket : Views |
|
|
|
|
Pools |
|
|
|
|
Search Reader
The role Search Reader allows Full Text Search indexes to be searched, per bucket. The role allows access to Couchbase Web Console, and supports the reading of data.
In versions of Couchbase Server prior to 5.5, this role was referred to as FTS Searcher.
Role: Search Reader (fts_searcher) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : FTS |
|
|
|
|
Settings: FTS |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Select
The Query Select role allows the SELECT statement to be executed, perbucket. This role allows access to Couchbase Web Console, and supports the reading of data.
Role: Query Select (query_select) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : N1QL, SELECT |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Update
The Query Update role allows the UPDATE statement to be executed, per bucket. The role supports access to Couchbase Web Console, but does not allow the reading of data.
Role: Query Update (query_update) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : N1QL, UPDATE |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Insert
The Query Insert role allows the INSERT statement to be executed, per bucket. The role supports access to Couchbase Web Console, but does not allow the reading of data.
Role: Query Insert (query_insert) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : N1QL, INSERT |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Delete
The Query Delete role allows the DELETE statement to be executed, per bucket. The role supports access to Couchbase Web Console, but does not allow the reading of data.
Role: Query Delete (query_delete) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : N1QL, DELETE |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
Query Manage Index
The Query Manage Index role allows indexes to be managed, per bucket. The role allows access to Couchbase Web Console, but does not permit the reading of data.
Role: Query Manage Index (query_manage_index) |
||||
|---|---|---|---|---|
| Resources | Privileges | |||
| Read | Write | Execute | Manage | |
Bucket : N1QL, INDEX |
|
|
|
|
UI |
|
|
|
|
Pools |
|
|
|
|
