Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

How to Assign Users to Roles

    March 23, 2025
    + 12

    How to assign a Sync Gateway User one or more roles for secure access control in cloud-to-edge enterprise data synchronization.
    Sync Gateway Users and Roles are a key part of a flexible approach to data routing and access control.

    Related topics: Create Role | Create User | Add Role to User | Allow Access | Verify Access | Write Access

    Process

    You can assign (or remove) users to (or from) roles using any of the following mechanisms:

    • Admin REST API
      Assign a user to a role via the Admin REST API

    • Configuration Properties file (Pre v3.x+)

      Roles can be configured within using the DB section — see: Legacy Pre-3.0 Configuration.

      Persistent Configuration is enabled by default from 3.0.

      To continue using legacy Pre-3.0 configuration you should start Sync Gateway with disable-persistent-config set true either in the configuration file or in Command Line Options.

    • Sync Function
      Programmatically assign users to roles.

    Removing a role effectively revokes access to the channel that role is associated with. This may mean users will lose access to required documents.

    Example 1. Assign user to role
    Admin REST API
    The recommended method from 3.0

    Assign a user to a role by sending a PUT request to the Admin REST API _user endpoint (/{tkn-db}/_user/{name} ).

    Specify the roles to be assigned in the admin_roles array.

    bash
    Copy
    $ curl -vX PUT "http://localhost:4985/mydatabase/_user/{user}" -H (1)
"accept: application/json" -H "Content-Type: application/json" -d
'{ "admin_roles": ["Edge1"]}' (2)
    1 {user} is the user name to be updated, e.g. "Edge1User"
    2 Include the role that the user is to be assigned to in admin_roles

    See also: /{tkn-db}/_role/{name}

    Sync Function

    You can also use the Sync Function’s role() function to assign users to roles programmatically.

    In this use case, where role assignment is done dynamically via the sync function, the role(s) to which user is assigned can be identified in two ways:

    • By document content — the role can be derived or specified as a property within the document body.

    • By user defined XATTR (3.0+) — the role can be specified within a special user-defined XATTR associated with the document — see: Use XATTRs for Access Grants

    Note that both role and user must already exist. Nonexistent roles don’t cause an error, but have no effect on the user’s access privileges.

    javascript
    Copy
    role ("Edge1User", "role:Edge1");
role ("Edge2User", "role:Edge2":);
    File-based Configuration Properties

    Persistent Configuration is enabled by default from 3.0.

    To continue using legacy Pre-3.0 configuration you should start Sync Gateway with disable-persistent-config set true either in the configuration file or in Command Line Options.

    Add the role the user is to be assigned to in the configuration file. This method is convenient for testing and to get started. Use the Admin REST API for production systems.

    json
    Copy
    {
  "databases": {
    "mydatabase": {
      "users": { (1)
        "GUEST": {"disabled": true},
        "Edge1User": {"password": "pass", "admin_roles": ["Edge1"], (2)
                      "admin_channels": ["RandomChannel"]},
        "Edge2User": {"password": "pass", "admin_roles": ["Edge2"]}
      }
    }
  }
}
    1 Within users find the user you want to assign to a role
    2 Add the role the user is to be assigned to in admin_roles — see: databases.$db.users.$user.admin_roles

    Related Content

    Learn more …​
    Reference material …​
    Community

    Mobile Forum | Blog | Blog (Mobile) | Tutorials

    Sync Function Blogs