Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

GRANT

  • reference
The GRANT statement allows granting any RBAC roles to a specific user or group.

Roles can be of the following two types:

simple

Roles which apply generically to all keyspaces or resources in the cluster.

For example: cluster_admin or bucket_admin

parameterized by a keyspace

Roles which are defined for the context of the specified keyspace only. Specify the keyspace name after the keyword ON.

For example: data_reader ON `travel-sample`
or query_select ON `travel-sample`.`inventory`.`airline`

Only Full Administrators can run the GRANT statement. For more details about user roles, see Authorization.

Syntax

grant ::= grant-user | grant-group
Syntax diagram: refer to source code listing 
grant-user ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
          'TO' ( 'USER' | 'USERS' )? user ( ',' user )*
Syntax diagram: refer to source code listing 
grant-group ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
          'TO' ( 'GROUP' | 'GROUPS' ) group ( ',' group )*
Syntax diagram: refer to source code listing
role

One of the RBAC role names predefined by Couchbase Server.

For the following roles, you can use their short forms as well:

  • query_selectselect

  • query_insertinsert

  • query_updateupdate

  • query_deletedelete
keyspace-ref

Keyspace Reference
user

A user name created by the Couchbase Server RBAC system.
group

A group name created by the Couchbase Server RBAC system.
When granting roles to users, the keyword USER or USERS is optional. However, when granting roles to groups, you must include the keyword GROUP or GROUPS. You can use either the singular or plural form of these keywords as this does not affect the number of users or groups the role applies to.

Keyspace Reference

keyspace-ref ::= keyspace-path | keyspace-partial
Syntax diagram: refer to source code listing 
keyspace-path ::= ( namespace ':' )? bucket ( '.' scope '.' collection )?
Syntax diagram: refer to source code listing 
keyspace-partial ::= collection
Syntax diagram: refer to source code listing

The simple name or fully qualified name of a keyspace. For more information about the syntax, see the CREATE INDEX statement.

Usage

GRANT statements have two forms:

1. Unparameterized Roles
GRANT replication_admin, query_external_access
   TO cchaplan, jgleason;
2. Parameterized Roles
GRANT query_select, views_admin
   ON orders, customers
   TO bill, linda;
Mixing of parameterized and unparameterized roles or syntax is not allowed and will create an error.

Examples

Example 1. Grant the role of Cluster Admin to multiple users
GRANT cluster_admin TO david, michael, robin;
Example 2. Grant Query Select and Data Reader roles on the travel-sample keyspace to a specific user
GRANT query_select, data_reader ON `travel-sample` TO debby;
Example 3. Grant the role of Data Reader on the travel-sample keyspace to a specific group
GRANT data_reader ON `travel-sample` TO GROUP sales;