• reference
    The GRANT statement allows granting any RBAC roles to a specific user.

    Roles can be of the following two types:


    Roles which apply generically to all keyspaces or resources in the cluster.

    For example: ClusterAdmin or BucketAdmin

    parameterized by a keyspace

    Roles which are defined for the scope of the specified keyspace only. The keyspace name is specified after ON.

    For example: DataReader ON `travel-sample`
    or Query_Select ON `travel-sample`

    Only Full Administrators can run the GRANT statement. For more details about user roles, see Authorization.


    grant ::= 'GRANT' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
              'TO' user ( ',' user )*
    Syntax diagram: refer to source code listing

    One of the RBAC role names predefined by Couchbase Server.

    The following roles have short forms that can be used as well:

    • query_selectselect

    • query_insertinsert

    • query_updateupdate

    • query_deletedelete


    A user name created by the Couchbase Server RBAC system.

    Keyspace Reference

    keyspace-ref ::= keyspace-path | keyspace-partial
    Syntax diagram: refer to source code listing
    keyspace-path ::= ( namespace ':' )? bucket ( '.' scope '.' collection )?
    Syntax diagram: refer to source code listing
    keyspace-partial ::= collection
    Syntax diagram: refer to source code listing

    The simple name or fully-qualified name of a keyspace. Refer to the CREATE INDEX statement for details of the syntax.


    GRANT statements support legacy systems and have two forms:

    1. Unparameterized Roles
    GRANT Replication Admin, Query External Access
       TO cchaplan, jgleason;
    GRANT replication_admin, query_external_access
       TO cchaplan, jgleason;
    2. Parameterized Roles
    GRANT Query Select, Views Admin
       ON orders, customers
       TO bill, linda;
    GRANT query_select, views_admin
       ON orders, customers
       TO bill, linda;
    Mixing of parameterized and unparameterized roles or syntax is not allowed and will create an error.


    Example 1. Grant the role of Cluster Administrator to three people
    GRANT ClusterAdmin TO david, michael, robin;
    Example 2. Grant the roles of Cluster Administrator and Data Reader in the travel-sample keyspace to Debby
    GRANT ClusterAdmin, DataReader ON `travel-sample` TO debby;