Roles

    Roles grant users access to one or more resources. Administrators assign roles to users to enable them to perform the tasks they need to carry out when using Couchbase Server.

    Roles and Privileges

    Roles provide a set of privileges for interacting with a resource. These privileges are often specific. For example, the Data Writer role lets a user write data using key-value operations. This role does not let the user read data. The Data Reader role grants that ability.

    Some roles let you limit the privileges a role grants to specific collections, scopes, or buckets. For example, when granting a user the Data Writer role, you can limit the user so they can only write to a specific collection. You can also enable the user to write data to multiple collections, multiple scopes, or even to all buckets. For detailed information about scopes and collections, see Scopes and Collections.

    You can grant a user multiple roles to tailor their privileges for the tasks they need to perform. For example, you can grant a user the Data Reader role to let them read all data in a specific bucket. In addition, you can grant them the Data Writer role, but limit them to writing data into a specific collection within the bucket. Some roles, such as Query List Index, are so limited that they’re only useful when combined with other roles (Query Select, for example).

    Roles in Relation to Buckets

    Some roles provide privileges to resources across the entire cluster. For example, most administrator roles grant the user access to resources cluster wide. Other roles, such as those dealing with managing data, let the administrator granting the role limit its privileges to specific buckets, scopes, or collections.
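The scoping and role-combination rules above are easiest to see in code. The following Python is an added example, not Couchbase's own code: it renders scoped grants in the bracket syntax the REST API and couchbase-cli accept (`role[bucket:scope:collection]`), builds the `PUT /settings/rbac/users/local/<id>` call that creates a user with them, and answers "does this grant set permit this operation on this keyspace?" using the one-privilege-per-role model the page describes. The bucket, scope, collection and user names, and the privilege tags such as `kv.read`, are assumptions made for the demo; the server remains the authority on what a role actually allows.

```python
"""Compose scoped Couchbase role grants and check what they cover (added example)."""
from dataclasses import dataclass
from urllib.parse import urlencode

# Roles this page describes as limitable to a bucket, scope, or collection.
# Assumption: this subset is enough for the demo; the server is authoritative.
SCOPED_ROLES = {
    "data_reader", "data_writer", "data_dcp_reader", "data_monitoring",
    "query_select", "query_insert", "query_update", "query_manage_functions",
    "bucket_admin", "scope_admin", "views_admin", "views_reader",
}

# Illustrative privilege tags (our own names, not Couchbase permission strings).
# One privilege per role, as the page stresses: data_writer does not read.
ROLE_PRIVILEGES = {
    "data_reader": {"kv.read"},
    "data_writer": {"kv.write"},
    "data_dcp_reader": {"kv.read", "dcp.stream"},
    "query_select": {"n1ql.select"},
    "query_insert": {"n1ql.insert"},
    "query_update": {"n1ql.update"},
}


@dataclass(frozen=True)
class Grant:
    role: str
    bucket: str = "*"        # "*" means every bucket
    scope: str = "*"
    collection: str = "*"

    def spec(self) -> str:
        """Render as role[bucket:scope:collection], trimming trailing wildcards."""
        if self.role not in SCOPED_ROLES:
            return self.role
        parts = [self.bucket, self.scope, self.collection]
        while len(parts) > 1 and parts[-1] == "*":
            parts.pop()
        return f"{self.role}[{':'.join(parts)}]"

    @classmethod
    def parse(cls, spec: str) -> "Grant":
        """Inverse of spec(): 'data_writer[b:s:c]' -> Grant('data_writer', 'b', 's', 'c')."""
        if "[" not in spec:
            return cls(spec)
        role, _, rest = spec.partition("[")
        parts = rest.rstrip("]").split(":")
        parts += ["*"] * (3 - len(parts))
        return cls(role, *parts)

    def covers(self, bucket: str, scope: str, collection: str) -> bool:
        """Wildcards match anything; otherwise names must match exactly."""
        pairs = ((self.bucket, bucket), (self.scope, scope), (self.collection, collection))
        return all(want == "*" or want == have for want, have in pairs)


def permits(grants, privilege: str, bucket: str, scope: str, collection: str) -> bool:
    """True if any grant carries `privilege` and its scope includes the keyspace."""
    return any(
        privilege in ROLE_PRIVILEGES.get(g.role, set()) and g.covers(bucket, scope, collection)
        for g in grants
    )


def user_request(host: str, user_id: str, password: str, grants) -> tuple:
    """Build the PUT /settings/rbac/users/local/<id> call that creates a local user.

    Returns (method, url, form_body). The same comma-separated role string is
    what `couchbase-cli user-manage --set --roles ...` takes.
    """
    body = urlencode({"password": password, "roles": ",".join(g.spec() for g in grants)})
    return "PUT", f"{host}/settings/rbac/users/local/{user_id}", body


# The combination from the text: read the whole bucket, write one collection only.
# Names are assumptions for the demo.
APP_GRANTS = (
    Grant("data_reader", "orders"),
    Grant("data_writer", "orders", "sales", "invoices"),
)

if __name__ == "__main__":
    method, url, body = user_request("https://cb.example.internal:18091", "app-orders", "s3cret", APP_GRANTS)
    print(method, url)
    print(body)
    print("write invoices :", permits(APP_GRANTS, "kv.write", "orders", "sales", "invoices"))
    print("write customers:", permits(APP_GRANTS, "kv.write", "orders", "sales", "customers"))
```

The `permits` check is the question to ask before granting: every `True` it returns for a keyspace the application does not need is a grant that should be narrowed.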

    User Categories

    Couchbase Server users fall into three categories: administrators, developers, and applications. Which roles you assign to a user often depends on which category they fall into:

    Administrators

    Users with any of the administrator roles can log into Couchbase Server Web Console and perform administrative tasks. Most of these roles do not grant the ability to read or write data.

    The administrative roles grant their users the ability to carry out specific tasks. For example, a user with the Cluster Admin role can manage all cluster features except security. Users with the Read-Only Admin role can log into the Couchbase Server Web Console to read cluster settings, statistics, and backup plans, but not change them. The Bucket Admin role allows management of only the buckets you assign when granting it. See Administrative Roles for details.

    The user interface of the Couchbase Web Console changes based on the roles the user has. For example, Couchbase Server displays the entire Security page only to a user with the Full Admin role. Users with the Local User Admin or External User Admin role see only the Users & Groups tab on that page.

    Applications

    An application needs a user account to authenticate with Couchbase Server. You typically grant these users roles that let them read or write data, or other narrowly scoped privileges. Most of the roles you grant applications do not allow them to log into Couchbase Server Web Console or modify cluster settings. For example, the Data Reader and Data Writer roles let the user read and write data using key-value operations, and you can limit these privileges to one or more collections, scopes, or buckets. Other roles appropriate for applications are Manage Scopes, Data DCP Reader, and Data Backup & Restore.

    Developers

    Developers need broader access to data and to resource management than applications do, but they should not have the unrestricted privileges that most administrator roles grant. The roles intended for developers let users log into the Couchbase Server Web Console so they can work in a GUI. Tailor the roles you grant to developers so they have just enough privilege for their tasks. For example, the Analytics Admin and Manage Global External Functions roles were designed for interactive users: they let a developer maintain parts of the database without the ability to change cluster settings that most administrator roles carry.

    Role Overviews

    The following sections describe the roles defined by Couchbase Server. The list is broken into the same categories that appear within the Couchbase Server Web Console’s Edit User dialog. Each description has a table listing what resources a user with the role can access and any limitations on their access. If a resource does not appear in this table, the role does not grant the user any privileges for it.

    The majority of roles are only available in Couchbase Server Enterprise Edition. The list indicates when a role is available in Couchbase Server Community Edition.

    Administrative Roles

    The following roles grant users the ability to administer some aspects of Couchbase Server.

    Full Admin

    The Full Admin role (admin) grants full privileges to all Couchbase Server features and resources, including security. The role allows the user to log into the Couchbase Server Web Console.

    This role is also available in Couchbase Server Community Edition.

    Read-Only Admin

    The Read-Only Admin role lets the user read Couchbase Server settings and statistics. Users with this role can also read Backup Service data to monitor backup plans and tasks.

    The role lets the user log into the Couchbase Server Web Console.

    This role is also available in Couchbase Server Community Edition.

    Prior to Couchbase Server 8.0, this role allowed the user to read security information including listing users and groups. In 8.0, these permissions were split off into the Read-Only Security Admin role. The Read-Only Admin role now does not allow access to any of the security information.

    When you upgrade Couchbase Server from a version earlier than 8.0 to 8.0 or later, the upgrade process grants any user with this role the Read-Only Security Admin role as well. Granting this role lets the user retain the privileges they had in prior versions.

    Role: Read-Only Admin (ro_admin)

    Resource | Permissions | Restrictions
    Servers | View configuration and statistics | Cannot add, failover, remove, modify services, or rebalance
    Buckets | List buckets, scopes, and collections | Cannot create, drop, edit settings, read or write data
    Backup | List repositories and plans | Cannot add or edit repositories or plans
    XDCR | List remote clusters and outgoing replications | Cannot list incoming replications, or add or edit replications
    Security | None | All
    Settings | View all settings | Cannot edit settings
    Logs | View logs | Cannot collect information
    Indexes | Can view index settings and stats | Cannot add, edit, or drop indexes
    Query | None | All
    Search | Can view Search indexes | Cannot edit or add Search indexes
    Analytics | None | All
    Eventing | None | All
    Views | Can list defined views | Cannot change views

    Security Admin

    The Security Admin role allows the user to manage all security settings except for users and groups.

    This role lets the user log into the Couchbase Server Web Console.

    Role: Security Admin (security_admin)

    Resource | Permissions | Restrictions
    Servers | View configuration and statistics | Cannot add, failover, remove, modify services, or rebalance
    Buckets | List buckets, scopes, and collections | Cannot create, drop, or edit settings, or read or write data
    Backup | None | All
    XDCR | List outgoing replications | Cannot create, start, or alter connections
    Security | Manage LDAP, SAML, certificates, encryption at rest, audit, and logging settings | Cannot view or change users or groups
    Settings | View | Cannot change
    Logs | View | Cannot collect information
    Query | None | All
    Search | None | All
    Analytics | None | All
    Eventing | None | All
    Views | None | All

    Read-Only Security Admin

    The Read-Only Security Admin role lets the user view all security settings except for listing users and groups.

    This role lets the user log into the Couchbase Server Web Console.

    This role is new in Couchbase Server 8.0. It was created to separate security privileges from the Read-Only Admin role. The upgrade process from prior versions to Couchbase Server 8.0 or later grants this role to users that had the Read-Only Admin. This grant ensures the user retains the privileges they had in prior versions.

    Role: Read-Only Security Admin (ro_security_admin)

    Resource | Permissions | Restrictions
    Servers | View configuration and statistics | Cannot add, failover, remove, modify services, or rebalance
    Buckets | List buckets, scopes, and collections | Cannot create, drop, or edit settings, or read or write data
    Backup | None | All
    XDCR | List outgoing replications | Cannot create, start, or alter connections
    Security | View LDAP, SAML, certificates, encryption at rest, audit, and logging settings | Cannot change any security settings. Cannot view or change users or groups
    Settings | View | Cannot change
    Logs | View | Cannot collect information
    Query | None | All
    Search | None | All
    Analytics | None | All
    Eventing | None | All
    Views | None | All

    Local User Admin

    The Local User Admin role lets a user manage users defined in the local authentication domain. It also grants read access to cluster settings, logs, statistics, and the list of buckets. It does not grant the ability to read or write data.

    Although this role cannot read or write data itself, it can create users that can, so it is effectively a path to data access. This is intentional: the role exists to manage all non-administrator roles, including those that read or write data. Treat it as a sensitive role and address the escalation risk by auditing the actions of users who hold it, looking in particular for users they create or modify to get around their own data access limits.

    Users with this role can edit local users, but they cannot grant the Full Admin, Read-Only Admin, Local User Admin, External User Admin, or Security Admin roles. They also cannot edit the account of any user holding those roles, including their own.

    This role replaced the Local User Security Admin role available in Couchbase Server prior to version 8.0. The Local User Security Admin role had additional administration privileges that were split off into the Security Admin role. When upgrading to 8.0 or restoring a backup from a pre-8.0 version to Couchbase Server 8.0 or later, users with the Local User Security Admin role are granted this role and the Security Admin role. This conversion ensures the user retains the privileges they had in prior versions.

    This role lets users log into the Couchbase Server Web Console.
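To act on the auditing advice above, a practitioner wants something that reads the cluster's user list and points at the grants this page says deserve review: roles that can mint other users (the escalation path just described), the deprecated Application Access role, Query CURL Access (a network capability, described later on this page), and data roles granted across every bucket. The following Python is an added example, not Couchbase's own code. It consumes the JSON that `GET /settings/rbac/users` returns; the payload below is constructed for the demo, and the field names it relies on (`id`, `domain`, `roles[].role`, `bucket_name`, `scope_name`, `collection_name`) are an assumption about that endpoint's shape that you should confirm against your own cluster's output before trusting the findings.

```python
"""Least-privilege audit of Couchbase users from GET /settings/rbac/users (added example)."""
import json

# Role identifiers as listed on this page, grouped by what the audit should say about them.
CAN_MINT_USERS = {"admin", "user_admin_local", "user_admin_external"}
CLUSTER_WIDE_ADMIN = {"admin", "cluster_admin", "security_admin", "backup_admin", "eventing_admin"}
DEPRECATED = {"bucket_full_access"}
NETWORK_EGRESS = {"query_external_access"}
DATA_ROLES = {"data_reader", "data_writer", "data_dcp_reader", "query_select", "query_insert", "query_update"}

# Constructed sample of the endpoint's response; names are made up for the demo.
SAMPLE_USERS_JSON = """[
  {"id": "app-orders", "domain": "local",
   "roles": [{"role": "data_reader", "bucket_name": "orders", "scope_name": "*", "collection_name": "*"},
             {"role": "data_writer", "bucket_name": "orders", "scope_name": "sales", "collection_name": "invoices"}]},
  {"id": "legacy-app", "domain": "local",
   "roles": [{"role": "bucket_full_access", "bucket_name": "orders", "scope_name": "*", "collection_name": "*"}]},
  {"id": "helpdesk", "domain": "external",
   "roles": [{"role": "user_admin_local"}]},
  {"id": "etl", "domain": "local",
   "roles": [{"role": "data_reader", "bucket_name": "*", "scope_name": "*", "collection_name": "*"},
             {"role": "query_external_access"}]}
]"""


def audit_users(users: list) -> list:
    """Return (user_id, role, reason) findings; an empty list means nothing to review."""
    findings = []
    for user in users:
        for r in user.get("roles", []):
            role = r["role"]
            bucket = r.get("bucket_name")
            if role in CAN_MINT_USERS:
                findings.append((user["id"], role, "can create or edit users that read/write data; audit its user changes"))
            if role in CLUSTER_WIDE_ADMIN:
                findings.append((user["id"], role, "cluster-wide administrative role"))
            if role in DEPRECATED:
                findings.append((user["id"], role, "deprecated; replace with data or query roles"))
            if role in NETWORK_EGRESS:
                findings.append((user["id"], role, "SQL++ curl can reach any host the query nodes can"))
            if role in DATA_ROLES and bucket == "*":
                findings.append((user["id"], role, "data access on every bucket; scope it to a bucket or collection"))
    return findings


def audit_json(payload: str) -> list:
    """Parse the endpoint body and audit it."""
    return audit_users(json.loads(payload))


if __name__ == "__main__":
    # For a live cluster, replace SAMPLE_USERS_JSON with the body of
    # GET https://<host>:18091/settings/rbac/users fetched with an admin credential.
    for user_id, role, reason in audit_json(SAMPLE_USERS_JSON):
        print(f"{user_id:12} {role:24} {reason}")
```

Run it on a schedule and diff the findings: a new row for a user-admin role, or a data role that has widened to `*`, is exactly the change the page tells you to look for.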

    Role: Local User Admin (user_admin_local)

    Resource | Permissions | Restrictions
    Servers | View statistics | Cannot add, failover, remove, modify services, or rebalance
    Buckets | List buckets, scopes, and collections | Cannot create, drop, edit settings, or read or write data
    Backup | None | All
    XDCR | View list of outgoing replications | Cannot view incoming replications or remote clusters, or add or edit connections
    Security | Add, delete, and edit local users. Add, delete, and edit groups | Cannot grant the Full Admin, Read-Only Admin, Local or External User Admin, or Security Admin roles to users or groups. Cannot access security resources other than users and groups
    Settings | View | Cannot change
    Logs | View | Cannot collect information
    Query | None | All
    Search | None | All
    Analytics | None | All
    Eventing | None | All
    Views | None | All

    External User Admin

    The External User Admin role lets users manage users defined in the external authentication domain. It also lets the user manage groups and read all cluster statistics. Users with this role cannot grant external users or groups Full Admin, Read-Only Admin, Security Admin, or Local or External User Admin roles. They also cannot edit users with those roles.

    This role replaced the External User Security Admin role available in Couchbase Server prior to version 8.0. The External User Security Admin role had additional administration privileges that were split off into the Security Admin role. When upgrading to 8.0 or restoring a backup from a pre-8.0 version to Couchbase Server 8.0 or later, users with the External User Security Admin role are granted this role and the Security Admin role. This conversion ensures the user retains the privileges they had in prior versions.

    This role lets the user log into the Couchbase Server Web Console.

    Role: External User Admin (user_admin_external)

    Resource | Permissions | Restrictions
    Servers | View statistics | Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | List buckets, scopes, and collections | Cannot create, drop, edit settings, or read or write data
    Backup | None | All
    XDCR | View list of outgoing replications | Cannot view incoming replications or remote clusters, or add or edit connections
    Security | Add, delete, and edit external users. Add, delete, and edit groups | Cannot grant the Full Admin, Read-Only Admin, Local or External User Admin, or Security Admin roles to groups or external users. Cannot access security resources other than users and groups
    Settings | View | Cannot change
    Logs | View | Cannot collect information
    Query | None | All
    Search | None | All
    Analytics | None | All
    Eventing | None | All
    Views | None | All

    Cluster Admin

    The Cluster Admin role lets the user manage all cluster features except security. Cluster Admins can create, edit, and drop buckets but cannot read or write data.

    This role lets users log into the Couchbase Server Web Console.

    Role: Cluster Admin (cluster_admin)

    Resource | Permissions | Restrictions
    Servers | All | None
    Buckets | Create, drop, edit settings | Cannot read or write data
    Backup | None | All
    XDCR | All | None
    Security | None | All
    Settings | All | None
    Logs | All | None
    Query | None | All
    Search | None | All
    Analytics | None | All
    Eventing | Import functions, change settings | Cannot add, remove, or edit functions
    Views | None | All

    Eventing Full Admin

    The Eventing Full Admin role lets a user create and manage eventing functions as well as other administration tasks.

    The role lets the user log into the Couchbase Server Web Console.

    Role: Eventing Full Admin (eventing_admin)

    Resource | Permissions | Restrictions
    Servers | View configuration and statistics | Cannot add, failover, remove, modify services, or rebalance
    Buckets | List buckets, scopes, and collections. Can create, compact, and drop buckets, scopes, and collections. Can read and write data in buckets | None
    Backup | List repositories and plans | Cannot add or edit repositories or plans
    XDCR | List outgoing replications | Cannot list incoming replications or remote clusters. Cannot add or edit replications
    Security | None | All
    Settings | View all settings and load sample buckets | Cannot edit settings
    Logs | View logs | Cannot collect information
    Indexes | All | None
    Query | All | None
    Search | All | None
    Analytics | All | None
    Eventing | All | None
    Views | All | None

    Backup Full Admin

    The Backup Full Admin role lets the user administer backup-related tasks as well as other aspects of Couchbase Server.

    This role does not grant the ability to back up or restore users. For a user to be able to back up both data and users, you must assign them the Local User Admin and the External User Admin roles in addition to this role.

    This role lets the user log into Couchbase Server Web Console.

    Role: Backup Full Admin (backup_admin)

    Resource | Permissions | Restrictions
    Servers | All | None
    Buckets | All, including add and drop buckets and edit, add, and drop documents | None
    Backup | All | None
    XDCR | All | None
    Security | None | All
    Settings | All | None
    Logs | View logs | Cannot collect information
    Query | All | None
    Indexes | All | None
    Search | All | None
    Analytics | All | None
    Eventing | All | None
    Views | All | None

    Views Admin

    The Views Admin role lets the user create, modify, and drop views in one or more buckets. When granting this role, you choose the buckets where the user can manage views.

    This role lets the user log into Couchbase Server Web Console.

    Role: Views Admin (views_admin)

    Resource | Permissions | Restrictions
    Servers | View configuration and statistics | Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | Can read, write, and edit views for the buckets assigned to them. Can read data (via key-value), statistics, and settings in these buckets | Cannot write data to buckets or alter bucket settings
    XDCR | Can list outgoing replications | Cannot view incoming replications or change XDCR settings
    Settings | View all settings | Cannot edit settings
    Logs | Can view logs | Cannot collect information
    Query | None | Cannot execute queries
    Search | Can view Search indexes | Cannot edit or add Search indexes
    Views | Can create, drop, and edit views in buckets assigned to them | Cannot change views in buckets not assigned to them

    External Stats Reader

    The External Stats Reader role only allows the user to call the /metrics and /prometheus_sd_config REST API endpoints. Assign this role to the user that Prometheus authenticates as when scraping Couchbase Server. See Configure Prometheus to Collect Couchbase Metrics for more information.

    This role does not let the user log into the Couchbase Server Web Console.

    Role: External Stats Reader (external_stats_reader)

    Resource | Permissions | Restrictions
    Metrics API | Able to call the /metrics and /prometheus_sd_config REST API endpoints | None

    Application Telemetry Writer

    This role lets the user report application telemetry through SDK calls. Assign this role to application users that need to report telemetry information to Couchbase Server.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Application Telemetry Writer (application_telemetry_writer)

    Resource | Permissions | Restrictions
    Application Telemetry | Able to write to the telemetry metric websockets | None

    Bucket Roles

    The following roles give users privileges to manage or access buckets. See Buckets for more information about buckets.

    Bucket Admin

    The Bucket Admin role lets the user manage one or more buckets. These management abilities include stopping and starting XDCR for a bucket. When granting this role, you choose which buckets the user can manage.

    This role lets the user log into Couchbase Server Web Console.

    Role: Bucket Admin (bucket_admin)

    Resource | Permissions | Restrictions
    Servers | List servers, view server configuration | Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | Can drop, compact, and edit buckets assigned to them. Can add, edit, and drop scopes and collections in those buckets | Cannot read, insert, or mutate documents
    XDCR | Can start and stop replications for buckets assigned to them | Cannot add, remove, or edit XDCR connections
    Settings | View all cluster settings | Cannot change cluster settings
    Logs | Can view logs | Cannot collect information
    Search | Can list Search indexes | Cannot create, drop, or edit Search indexes
    Eventing | All | None

    Manage Scopes

    The Manage Scopes role lets a user create and delete scopes and collections within one or more buckets. When granting this role, you choose the buckets where the user can create scopes and collections. The user does not have the ability to read, write, or alter data. Use this role to allow applications to manage a bucket’s scopes and collections.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Manage Scopes (scope_admin)

    Resource | Permissions | Restrictions
    Buckets | Can add and drop scopes and collections in the buckets assigned to them | Cannot read, insert, or mutate documents

    Application Access

    The Application Access role lets a user read and write data in one or more buckets. This role does not grant the ability to query data via SQL++—the user can only access data via keys. When granting this role, you choose the buckets where the user can read and write data. As its name implies, this role is intended for use by applications instead of interactive users.

    This role is deprecated. Couchbase Server 5.0 added it to replace bucket passwords, the older method of authenticating to a bucket. To transition away from bucket passwords, the upgrade process to Couchbase Server 5.0 created a user with each bucket's name and password and assigned this role to it. Do not grant this role to new users. Instead, use one of the query or data roles.

    Versions of Couchbase Server prior to 5.5 referred to this role as Bucket Full Access.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Application Access (bucket_full_access)

    Resource | Permissions | Restrictions
    Buckets | Can read and write data in buckets assigned to them | Cannot alter bucket, scope, or collection settings

    Data Roles

    These roles give users the ability to read and write data in buckets via key-value operations. See Work with Documents to learn about key-value operations.

    Data Reader

    The Data Reader role lets the user read data from one or more collections via key-value retrieval. It does not grant the ability to run SQL++ queries (see Query & Index Roles for roles that do). When granting this role, you choose the collections where the user can read data. Grant this role to users for applications that need to read data via key-value operations.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Data Reader (data_reader)

    Resource | Permissions | Restrictions
    Buckets | Read data from collections, scopes, and buckets assigned to them. Can read some bucket metadata, XATTR mappings, and pools on buckets assigned to them | Cannot write data
    Query | None | All

    Data Writer

    The Data Writer role lets the user write data to one or more collections via key-value operations. It does not grant the ability to run SQL++ queries (see Query & Index Roles for roles that do). When granting this role, you choose the collections where the user can write data. Grant this role to users for applications that need to write data via key-value operations.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Data Writer (data_writer)

    Resource | Permissions | Restrictions
    Buckets | Write data to collections, scopes, and buckets assigned to them | Cannot read data
    Query | None | All

    Data DCP Reader

    The Data DCP Reader role lets the user start a Database Change Protocol (DCP) stream for one or more collections, scopes, or buckets. When granting this role, you choose the collections, scopes, and buckets where the user can start DCP streams. Grant this role to users for applications that need to start DCP streams.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Data DCP Reader (data_dcp_reader)

    Resource | Permissions | Restrictions
    Buckets | Can start DCP streams for collections, scopes, and buckets assigned to them. Can also read data and XATTRs from these collections, scopes, and buckets | Cannot write data
    Query | None | All

    Data Monitor

    The Data Monitor role lets the user read statistics for one or more buckets, scopes, or collections. When granting the role, you choose the buckets, scopes, and collections whose statistics the user can read. Use this role for applications that need to read statistics.

    In versions of Couchbase Server prior to 5.5, this role was called Data Monitoring.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Data Monitor (data_monitoring)

    Resource | Permissions | Restrictions
    Buckets | Can read statistics for buckets, scopes, and collections assigned to them | None

    Views Roles

    The following roles grant users privileges with Views. Also see the related administrator role Views Admin.

    Views were deprecated in Couchbase Server 7.0. See Views Reference for more information.

    Views Reader

    The Views Reader role lets a user read data from views in one or more buckets. When granting this role, you choose which buckets contain views the user can read. Grant this role to users you create for applications that need to read data from views.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Views Reader (views_reader)

    Resource | Permissions | Restrictions
    Buckets | Can read data from views in the buckets they have access to. Can read data via key-value from these buckets | Cannot write data to buckets, alter bucket settings, or alter views
    Views | Can read data from views in buckets assigned to them | Cannot change views

    Query & Index Roles

    These roles grant users the ability to perform queries and work with indexes.

    Query CURL Access

    The Query CURL Access role lets the user call the SQL++ curl function in their queries.

    The Query CURL Access role is a network capability, not only a query privilege. The curl function executes on the Query Service nodes, so a user with this role can send GET and POST requests to any host those nodes can reach on the network Couchbase Server uses for client connections, with the cluster's own network position. If your cluster is not configured to use a separate private network for internal communication, that includes the other nodes of the cluster itself. Grant this role only to users you trust to the same degree as that network, restrict the destinations the function may reach through the CURL() access list in the Query settings before granting it, and review the holders of this role regularly.

    This role only grants the user the ability to read data returned by the SQL++ curl function. Usually, you assign additional roles to the user to allow them to read and write data.

    For more information about the SQL++ curl function, see CURL Function.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Curl Access (query_external_access)

    Resource | Permissions | Restrictions
    Servers | List servers | Cannot view configuration or add, failover, remove, modify services, or rebalance servers
    Buckets | List buckets | Cannot list scopes or collections. Cannot create, drop, or edit buckets. Cannot read data other than the results of the SQL++ curl function call. Cannot write data
    Query | Can execute SQL++ curl function calls | Cannot execute any other queries. Cannot use the Query Workbench in Couchbase Server Web Console

    Query System Catalog

    The Query System Catalog role lets the user query the system catalog using SQL++. This access includes querying system:indexes, system:prepareds, and the system keyspaces that list current and past requests. Assign this role to developers who need to query these keyspaces when troubleshooting and debugging queries. Note that the request catalogs record statement text, so a holder of this role can see data values that other users embedded as literals in their queries even though the role grants no access to bucket data.

    The role grants Couchbase Server Web Console access.

    Role: Query System Catalog (query_system_catalog)

    Resource | Permissions | Restrictions
    Servers | List servers | Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | List buckets and view bucket settings | Cannot list scopes or collections, create, drop, edit settings, or read or write data
    Query | Can query system tables | Cannot perform any other query actions. Cannot use the Query Workbench in Couchbase Server Web Console

    Manage Global Functions

    The Manage Global Functions role lets the user create and drop global user-defined SQL++ functions. See CREATE FUNCTION.

    This role grants Couchbase Server Web Console access.

    Role: Manage Global Functions (query_manage_global_functions)

    Resource | Permissions | Restrictions
    Servers | List servers | Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | List buckets | Cannot list scopes or collections, create, drop, edit settings, or read or write data
    Query | Can execute CREATE FUNCTION and DROP FUNCTION statements | Cannot perform any other queries, including calling global functions. Cannot use the Query Workbench in Couchbase Server Web Console
    Settings | View cluster settings | Cannot view any other settings or change settings

    Execute Global Functions

    The Execute Global Functions role lets the user call global SQL++ user-defined functions.

    This role lets the user log into Couchbase Server Web Console.

    Role: Execute Global Functions (query_execute_global_functions)

    Resource | Permissions | Restrictions
    Servers | List servers | Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | List buckets | Cannot list scopes or collections, create, drop, edit settings, or read or write data
    Query | Can execute global user-defined functions | Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console
    Settings | View cluster settings | Cannot view any other settings or change settings

    Manage Scope Functions

    The Manage Scope Functions role lets the user create and drop user-defined SQL++ functions in one or more scopes. When granting this role, you select the scopes where the user can manage user-defined functions. See CREATE FUNCTION.

    This role lets the user log into Couchbase Server Web Console.

    Role: Manage Scope Functions (query_manage_functions)

    Resource | Permissions | Restrictions
    Servers | List servers | Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers
    Buckets | List buckets | Cannot list scopes or collections, create, drop, edit settings, or read or write data
    Query | Can execute CREATE FUNCTION and DROP FUNCTION statements to create user-defined functions in the assigned scopes | Cannot perform any other queries, including calling the functions. Cannot use the Query Workbench in Couchbase Server Web Console
    Settings | View cluster settings | Cannot view any other settings or change settings

    Query Select

    The Query Select role lets the user execute SELECT statements on the data in one or more collections. See Select Data with Queries. When granting this role, you choose the collections where the user can execute SELECT statements.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Select (query_select)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Buckets

    Can list buckets. Can read data from specific collections.

    Cannot list scopes or collections, create, drop, or edit settings. Cannot read data outside the granted collections. Cannot write data.

    Query

    Can execute SELECT statements on data in one or more collections. Can read data from one or more collections.

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change any settings

    Query Update

    The Query Update role lets the user execute UPDATE statements to mutate existing documents in specific collections. See UPDATE for more information. When granting this role, you select which collections contain documents the user can mutate.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Update (query_update)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Buckets

    List buckets and view bucket settings

    Cannot list scopes or collections, create, drop, edit settings

    Query

    Can execute UPDATE statements on documents in one or more collections

    Cannot perform any other queries. Cannot create new documents. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Query Insert

    The Query Insert role lets the user execute the SQL++ INSERT statement to add new documents to one or more collections. See INSERT for more information. When granting this role, you select the collections where the user can add documents.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Insert (query_insert)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Buckets

    List buckets and view bucket settings

    Cannot list scopes or collections, create, drop, edit settings

    Query

    Can execute INSERT statements to create documents in one or more collections

    Cannot perform any other queries. Cannot mutate existing documents. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Query Delete

    The Query Delete role lets the user execute the SQL++ DELETE statement to delete documents from one or more collections. See DELETE for more information. When granting this role, you select the collections where the user can delete documents.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Delete (query_delete)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Buckets

    List buckets and view bucket settings

    Cannot list scopes or collections. Cannot edit bucket settings.

    Query

    Can execute DELETE statements to delete documents from one or more collections

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Query Use Sequential Scans

    The Query Use Sequential Scans role allows a user's queries to perform a sequential scan of a keyspace. The query planner only uses a sequential scan when no suitable index exists for the keyspace. Because scanning a large unindexed keyspace can be expensive, only queries run by users with this role can use a sequential scan. See Sequential Scans for more information.

    Administrator roles automatically have permission to perform sequential scans when necessary.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Query Use Sequential Scans (query_use_sequential_scans)
    Resource Permissions Restrictions

    Query

    Can execute a query against a collection that has neither a primary index nor a suitable secondary index

    Cannot perform any other queries

    Query Manage Index

    The Query Manage Index role allows the user to manage indexes for one or more collections. When granting this role, you select the collections where the user can manage indexes.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Manage Index (query_manage_index)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Buckets

    List buckets and view bucket settings

    Cannot list scopes or collections, create, drop, edit settings. Cannot read or write data.

    Index

    Can create, drop, and view indexes for the collections whose indexes they have been given permission to manage

    Cannot use the Query Workbench in Couchbase Server Web Console

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Query List Index

    This role lets the user list indexes defined for one or more buckets, scopes, or collections. When granting this role, you select the buckets, scopes, or collections where the user can list indexes.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query List Index (query_list_index)
    Resource Permissions Restrictions

    Servers

    List servers and view statistics

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Buckets

    List and view statistics for buckets, scopes, and collections

    Cannot create, drop, or edit bucket, scope, or collection settings. Cannot read or write data.

    Index

    Can get list of indexes via the stats endpoint (see Index Statistics REST API)

    Cannot add, drop, or edit indexes. Cannot use the Index Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Execute Scope Functions

    The Execute Scope Functions role lets the user execute SQL++ user-defined functions defined within a scope. When you grant this role, you select the scopes where the user can call user-defined functions.

    This role lets the user log into Couchbase Server Web Console.

    Role: Execute Scope Functions (query_execute_functions)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can execute scope user-defined functions in specific scopes

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Manage Global External Functions

    The Manage Global External Functions role lets the user manage global external language functions. See External Libraries for more information about external functions.

    This role lets the user log into Couchbase Server Web Console.

    Role: Manage Global External Functions (query_manage_global_external_functions)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can execute CREATE FUNCTION statements to create global external functions

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Execute Global External Functions

    The Execute Global External Functions role lets a user execute globally defined external functions. See External Libraries for more information about external functions.

    This role lets the user log into Couchbase Server Web Console.

    Role: Execute Global External Functions (query_execute_global_external_functions)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can execute globally defined external functions

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Manage Scope External Functions

    The Manage Scope External Functions role lets the user create and drop external language functions defined at the scope level. When you grant this role, you choose the scopes where the user can manage external functions. See External Libraries for more information about external functions.

    This role lets the user log into Couchbase Server Web Console.

    Role: Manage Scope External Functions (query_manage_external_functions)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can execute CREATE FUNCTION and DROP FUNCTION statements to create and drop external functions in specific scopes

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Execute Scope External Functions

    The Execute Scope External Functions role lets the user call external functions defined in a scope. When you grant this role, you choose the scopes where the user can call external functions. See External Libraries for more information about external functions.

    This role lets the user log into Couchbase Server Web Console.

    Role: Execute Scope External Functions (query_execute_external_functions)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can call external functions defined in specific scopes

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Manage Sequences

    This role lets the user manage sequences for one or more scopes. See Sequence Operators for more information about sequences. When you grant this role, you choose the scopes where the user can manage sequences.

    This role lets the user log into Couchbase Server Web Console.

    Role: Manage Sequences (query_manage_sequences)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can create and alter sequences in the scopes assigned to them

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console. Cannot manage sequences in scopes that are not assigned to them.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Use Sequences

    This role lets the user incorporate sequences into their queries in one or more scopes. When you grant this role, you choose the scopes where the user can use sequences. See Sequence Operators for more information about sequences.

    This role lets the user log into Couchbase Server Web Console.

    Role: Use Sequences (query_use_sequences)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can use sequences in scopes assigned to them.

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console. Cannot manage sequences.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Query Manage System Catalog

    This role lets a user use SQL++ statements to manage all of the system catalogs for automatic query workload reports.

    This role lets the user log into Couchbase Server Web Console.

    Role: Query Manage System Catalog (query_manage_system_catalog)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Query

    Can manage query workload system catalogs

    Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

    Settings

    View cluster settings

    Cannot view any other settings or change settings.
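    To make the bucket, scope, and collection targeting of the query roles above concrete, here is an added example (not code from the Couchbase documentation) that parses the role-grant syntax used by the RBAC REST API's roles parameter, renders it back, and audits user records in the shape assumed for GET /settings/rbac/users, flagging write-capable targeted roles that were granted on every bucket. The role[bucket:scope:collection] syntax, the JSON field names, and the sample users are assumptions and constructed data to check against your server version; the role identifiers are those from this page's tables.

```python
"""Least-privilege audit of Couchbase Server RBAC grants (added example, not
Couchbase code). Assumed syntax: the RBAC REST API's roles= parameter writes a
grant as role[bucket:scope:collection], dropping trailing parts for bucket- or
scope-level grants and using role[*] for every bucket; GET /settings/rbac/users
reports "role", "bucket_name", "scope_name", "collection_name" ("*" = all)."""
from __future__ import annotations
from dataclasses import dataclass

# Roles from the tables on this page that are granted per bucket, scope or collection.
TARGETED_ROLES = {
    "query_select", "query_update", "query_insert", "query_delete", "query_manage_index",
    "query_list_index", "query_manage_functions", "query_execute_functions",
    "query_manage_external_functions", "query_execute_external_functions",
    "query_manage_sequences", "query_use_sequences", "fts_admin", "fts_searcher",
    "analytics_select", "analytics_manager", "eventing_manage_functions", "replication_target",
    "data_backup", "mobile_sync_gateway", "sync_gateway_configurator", "sync_gateway_app",
    "sync_gateway_app_ro",
}
# Roles from the tables on this page whose holders can change data or definitions.
WRITE_ROLES = {
    "query_update", "query_insert", "query_delete", "query_manage_index",
    "query_manage_functions", "query_manage_external_functions", "query_manage_sequences",
    "fts_admin", "analytics_manager", "eventing_manage_functions", "data_backup",
    "mobile_sync_gateway", "sync_gateway_configurator", "sync_gateway_app",
}
LEVELS = ("bucket", "scope", "collection")


@dataclass(frozen=True)
class Grant:
    role: str
    bucket: str = "*"
    scope: str = "*"
    collection: str = "*"

    def level(self) -> str:
        """Narrowest level the grant is pinned to: cluster, bucket, scope or collection."""
        level = "cluster"
        for name, part in zip(LEVELS, (self.bucket, self.scope, self.collection)):
            if part == "*":
                break
            level = name
        return level

    def spec(self) -> str:
        """Render in roles= syntax, e.g. query_select[travel-sample:inventory:airline]."""
        parts = [self.bucket, self.scope, self.collection]
        while parts and parts[-1] == "*":
            parts.pop()
        if parts:
            return f"{self.role}[{':'.join(parts)}]"
        return f"{self.role}[*]" if self.role in TARGETED_ROLES else self.role


def parse_role_spec(spec: str) -> list[Grant]:
    """Parse a comma-separated roles= value into Grant objects (assumed syntax)."""
    grants = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "[" not in item:
            grants.append(Grant(item))
            continue
        if not item.endswith("]"):
            raise ValueError(f"malformed grant: {item!r}")
        role, target = item[:-1].split("[", 1)
        parts = target.split(":")
        if not 1 <= len(parts) <= 3 or not all(parts):
            raise ValueError(f"malformed target: {item!r}")
        grants.append(Grant(role, *(parts + ["*"] * (3 - len(parts)))))
    return grants


def audit(users: list[dict]) -> list[str]:
    """Flag write-capable targeted roles granted on every bucket; narrow them."""
    findings = []
    for user in users:
        for r in user["roles"]:
            g = Grant(r["role"], r.get("bucket_name", "*"), r.get("scope_name", "*"),
                      r.get("collection_name", "*"))
            if g.role in WRITE_ROLES and g.role in TARGETED_ROLES and g.level() == "cluster":
                findings.append(f"{user['id']}: {g.spec()} applies to all buckets; narrow it")
    return findings


# Constructed sample users in the assumed GET /settings/rbac/users shape.
SAMPLE_USERS = [
    {"id": "report-app", "roles": [
        {"role": "query_select", "bucket_name": "travel-sample",
         "scope_name": "inventory", "collection_name": "airline"},
        {"role": "query_use_sequential_scans"}]},
    {"id": "loader", "roles": [
        {"role": "query_insert", "bucket_name": "*", "scope_name": "*", "collection_name": "*"},
        {"role": "query_list_index", "bucket_name": "travel-sample", "scope_name": "*",
         "collection_name": "*"}]},
]
```

Running audit(SAMPLE_USERS) reports only the loader user, whose Query Insert grant covers every bucket, while the report-app user's collection-level Query Select grant passes.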

    Search Roles

    The following roles give users privileges to the Search Service features.

    Search Admin

    The Search Admin role lets the user manage the Search Service in one or more buckets. When you grant this role, you choose the buckets where the user can manage search.

    In versions of Couchbase Server earlier than 5.5, this role was named FTS Admin.

    This role lets the user log into Couchbase Server Web Console.

    Role: Search Admin (fts_admin)
    Resource Permissions Restrictions

    Servers

    Can list servers.

    Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.

    Buckets

    Can list buckets, scopes, and collections. Can view documents.

    Cannot edit documents or change bucket settings

    Settings

    Can view cluster settings

    Cannot view other settings nor change any settings

    Query

    None

    All

    Search

    Can add, edit, and drop Search indexes on the buckets they have access to.

    Cannot manage Search indexes of buckets they do not have access to.

    Search Reader

    The Search Reader role lets the user execute searches using Full-Text Search indexes in one or more buckets. When you grant this role, you choose the buckets in which the user can execute searches.

    In versions of Couchbase Server prior to 5.5, this role was referred to as FTS Searcher.

    This role lets the user log into Couchbase Server Web Console.

    Role: Search Reader (fts_searcher)
    Resource Permissions Restrictions

    Servers

    Can list servers.

    Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.

    Buckets

    Can list buckets

    Cannot read documents

    Settings

    Can view cluster settings

    Cannot view other settings nor change any settings

    Query

    None

    All

    Search

    Can use Search indexes in the buckets they have access to

    Cannot add, drop, or change settings for Search indexes

    Analytics Roles

    The following roles give users privileges for the Analytics Service. See Analytics Service for more information.

    Analytics Reader

    The Analytics Reader role lets the user query all analytic datasets. For more information, see Analyze Large Datasets.

    This role lets the user log into Couchbase Server Web Console.

    Role: Analytics Reader (analytics_reader)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Settings

    View cluster settings

    Cannot view any other settings or change settings.

    Analytics

    Can read any analytic data. Can use the Couchbase Server Web Console’s Analytics query editor.

    Cannot change analytic configuration.

    Analytics Admin

    The Analytics Admin role lets users manage Analytics Service links, scopes, and datasets for all buckets. For more information, see Analyze Large Datasets.

    This role lets the user log into Couchbase Server Web Console.

    Role: Analytics Admin (analytics_admin)
    Resource Permissions Restrictions

    Servers

    List servers

    Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Analytics

    Can add or drop Analytics Service links, scopes, and datasets

    None

    Analytics Select

    The Analytics Select role lets the user query analytic datasets for one or more buckets, scopes, or collections. When you grant this role, you choose the buckets, scopes, and collections where the user can execute queries.

    This role lets the user log into Couchbase Server Web Console.

    Role: Analytics Select (analytics_select)
    Resource Permissions Restrictions

    Servers

    Can list servers.

    Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.

    Settings

    Can view cluster settings

    Cannot view other settings nor change any settings

    Analytics

    Can query analytics data in the buckets they have access to

    Cannot add or drop Analytics scopes, links, or collections, or change their settings

    Analytics Manager

    The Analytics Manager role lets the user manage and query the analytic datasets for one or more buckets. They can also manage Analytics Service local links. When you grant this role, you choose the buckets where the user can manage and query analytics.

    This role lets the user log into Couchbase Server Web Console.

    Role: Analytics Manager (analytics_manager)
    Resource Permissions Restrictions

    Servers

    Can list servers.

    Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.

    Settings

    Can view cluster settings

    Cannot view other settings nor change any settings

    Analytics

    Can query analytics data in the buckets they have access to. Can manage analytics in these buckets, including local links and adding/dropping analytics collections.

    Cannot manage analytics in other buckets

    Eventing Roles

    These roles control a user’s access to the Eventing Service. Also, see Eventing Full Admin for the Eventing-related administrator role. For more information about Eventing, see Run a Function on Data Change.

    Eventing Manage Scope Functions

    The Eventing Manage Scope Functions role lets the user manage the eventing functions in one or more scopes. When you grant this role, you choose the scopes where the user can manage eventing functions.

    In addition to this role, the user must have the Data DCP Reader role on the collections they want their functions to listen to. They must also have read and write permissions on one or more collections to store the function’s event data.

    This role lets the user log into Couchbase Server Web Console.

    Role: Eventing Manage Scope Functions (eventing_manage_functions)
    Resource Permissions Restrictions

    Servers

    Can list servers

    Cannot view server settings or statistics. Cannot edit server settings, failover, or rebalance servers.

    Settings

    Can view cluster settings

    Cannot view other settings or change any settings

    Eventing

    Can add Eventing functions to the scopes assigned to them. Can change Eventing settings for those scopes.

    None

    XDCR Roles

    The following roles give users the ability to manage XDCR settings and features.

    XDCR Admin

    The XDCR Admin role grants the user the ability to manage XDCR connections.

    This role lets the user log into Couchbase Server Web Console.

    Role: XDCR Admin (replication_admin)
    Resource Permissions Restrictions

    Servers

    View configuration and statistics

    Cannot add, failover, remove, modify services, or rebalance servers

    Buckets

    List buckets, scopes, and collections

    Cannot create, drop, edit settings, read or write data

    Backup

    None

    All

    XDCR

    All

    None

    Security

    None

    All

    Settings

    View

    Change

    Logs

    View

    Collect Information

    Query

    None

    All

    Search

    None

    All

    Analytics

    None

    All

    Eventing

    None

    All

    Views

    None

    All

    XDCR Inbound

    The XDCR Inbound role lets the user create inbound XDCR streams for one or more buckets. When granting this role, you choose the buckets where the user can create inbound XDCR connections. Assign this role to the user that you’ll specify when creating an XDCR reference. See Create a Reference for more information.

    Versions of Couchbase Server prior to 5.5 called this role Replication Target.

    This role does not let the user log into Couchbase Server Web Console.

    Role: XDCR Inbound (replication_target)
    Resource Permissions Restrictions

    XDCR

    Can create inbound connections on buckets they have been granted permissions on.

    Cannot create outbound connections or alter other XDCR settings.

    Backup Roles

    The following role gives users the ability to backup and restore data. Also see the Administrative role Backup Full Admin.

    Data Backup & Restore

    The Data Backup & Restore role lets users back up and restore data in one or more buckets. When you grant this role, you choose the buckets the user can back up. This role is not intended for interactive users. Grant this role to users for applications that need to back up and restore data.

    This role does not let the user access some important cluster-level data, so it cannot fully back up the cluster. See Bucket Level in the cbbackupmgr backup documentation for details.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Data Backup & Restore (data_backup)
    Resource Permissions Restrictions

    Buckets

    Can read, write, and manage buckets assigned to them.

    None

    Backup

    Can back up bucket data, bucket SQL++ metadata, and analytics

    Cannot back up other data

    Security

    Can view settings for SAML, certificates, encryption at rest, audits, and other settings

    Cannot change settings

    Indexes

    Can build, create, and list

    Cannot back up, read, or manage

    Bucket Analytics

    Can manage and select bucket analytics

    Cannot read bucket analytics

    Analytics

    Can select and back up analytics

    Cannot read analytics synonyms

    Mobile Roles

    The mobile roles support connections with the Sync Gateway and related features. See the Sync Gateway Introduction for more information.

    Sync Gateway

    The Sync Gateway role gives the user full access to the Sync Gateway’s data stored in Couchbase Server. This role also lets the user manage indexes and read some cluster information. Only assign this role to the user that you create for the Sync Gateway to use when connecting to Couchbase Server. Choose one or more buckets that contain mobile data that you want this user to manage. See Configure Server for Sync Gateway for more information.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Sync Gateway (mobile_sync_gateway)
    Resource Permissions Restrictions

    Sync Gateway Data

    Can perform all actions on data (including flushing) and views on the Sync Gateway data stored in the Couchbase Server buckets you grant them access to. Can view settings of these buckets.

    Cannot change bucket settings

    Query

    Can execute queries on data in buckets containing Sync Gateway data

    None

    Indexes

    Add and drop indexes and view index statistics in the buckets containing Sync Gateway data

    None

    Settings

    View cluster settings

    Cannot view any other settings or change settings

    Sync Gateway Architect

    The Sync Gateway Architect role lets the user manage Sync Gateway databases, users, and roles. You choose one or more collections, scopes, or buckets where the user can manage Sync Gateway data. This role also grants access to the Sync Gateway’s metrics via the /metrics REST API endpoint. For information about Sync Gateway users and roles, see Access Control Concepts.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Sync Gateway Architect (sync_gateway_configurator)
    Resource Permissions Restrictions

    Sync Gateway Data

    None

    Cannot read or write Sync Gateway application data

    Sync Gateway Users & Roles

    Can add, remove, and edit Sync Gateway users and roles

    None

    Sync Gateway Metrics

    Can read metrics

    Cannot change metric settings

    Sync Gateway Application

    The Sync Gateway Application role lets the user manage Sync Gateway users, roles, and data. It also allows the user to read and write application data through the Sync Gateway. You choose one or more collections, scopes, or buckets where this user can manage mobile users and roles. For information about Sync Gateway users and roles, see Access Control Concepts.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Sync Gateway Application (sync_gateway_app)
    Resource Permissions Restrictions

    Collection: Data

    Can read and write application data

    None

    Sync Gateway Users & Roles

    Can add, remove, and edit Sync Gateway users and roles

    None

    Sync Gateway Application Read Only

    The Sync Gateway Application Read Only role lets the user read Sync Gateway users and role settings. It also lets them read Sync Gateway data. For information about Sync Gateway users and roles, see Access Control Concepts.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Sync Gateway Application Read Only (sync_gateway_app_ro)
    Resource Permissions Restrictions

    Collection: Data

    Can read application data

    Cannot write application data

    Sync Gateway Users & Roles

    Can read Sync Gateway users and roles

    Cannot add, drop, or edit users or roles

    Sync Gateway Replicator

    The Sync Gateway Replicator role lets the user manage Sync Gateway replications.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Sync Gateway Replicator (sync_gateway_replicator)
    Resource Permissions Restrictions

    Sync Gateway Replication Collection

    Can read and write replication settings

    None

    Sync Gateway Dev Ops

    The Sync Gateway Dev Ops role lets the user manage the Sync Gateway’s node-level configuration. It also grants access to Sync Gateway’s /metrics endpoint for Prometheus integration.

    This role does not let the user log into Couchbase Server Web Console.

    Role: Sync Gateway Dev Ops (sync_gateway_dev_ops)
    Resource Permissions Restrictions

    Sync Gateway Node Configuration

    Can read and write node-level settings

    None

    Sync Gateway Metrics

    Can read metrics

    Cannot change metric settings