Role Based Access Control (RBAC)
For authorizing users, Enterprise Analytics provides Role-Based Access Control.
Enterprise Analytics uses Role-Based Access Control (RBAC) to manage access to system resources. In this model, privileges are assigned to fixed roles, which can then be granted to users—either directly or through user groups. Users can represent individuals, administrators, or applications.
RBAC in Enterprise Analytics supports multiple predefined roles, allowing for fine-grained access control. Roles can be granted to users directly or through user groups, providing flexible and secure permission management.
Example Scenarios
Enterprise Analytics RBAC provides a secure solution for each of the following scenarios:
- An application consists of several services, each of which has a different purpose. Compliance demands that each service be given a different set of read and write privileges, in order to constrain its activities to those absolutely required.
- An application is available to several different classes of user. Each user-class has a different set of requirements for reading and writing data. Compliance demands that each user-class be given no more than the minimum privileges for supporting its requirements.
- Test and production environments respectively require different degrees of constraint to be applied to read and write access. Administrators, developers, applications, and services should therefore each be granted one set of privileges for the test environment, and another (more restrictive) for the production environment.
RBAC Concepts
The following concepts are essential to an understanding of Enterprise Analytics RBAC:
- Resource: An entity to which access must be controlled. A resource can be specified either individually, by name, or as a whole class (for example, all databases) by means of a wildcard character. The complete list of resources to which RBAC is applied is provided in System Defined Roles.
- Privilege: The right, assigned by Enterprise Analytics, to apply an action to a resource. Possible actions include read, write, and execute. The associations of privileges to resources and roles are explained in User Role Privileges.
- Role: An entity associated with a fixed set of privileges. The association of privileges to roles is described in User Defined Roles.
- User: An identity, recognized by Enterprise Analytics, based on the passing of a username and password. A user can be assigned one or more roles: the privileges associated with each assigned role determine the resource-access granted to the user. Users can be local (defined on Enterprise Analytics) or external (defined on a remote, network-accessible system). Each user might be an administrator or an application. For information about how to manage users, see Manage Users and Roles.
RBAC Security Model
Enterprise Analytics RBAC controls access to cluster resources. Resources can only be accessed by users. A user may be an administrator or an application.
Users can be added to Enterprise Analytics by the Full Administrator. Each user must be defined with a username and password. When attempting to access resources, each user must authenticate by means of these credentials.
A user can be assigned one or more roles by the Full Administrator. Each role is itself associated with a subset of privileges; a privilege being a form of action, such as Read, Write, Execute, or Manage. Each privilege is associated with a resource.
For example, the Data Reader role features the Read privilege, which is applied to the data of a database. When a user has been assigned the Data Reader role, and attempts to gain read-access to the database’s data by submitting their credentials, Enterprise Analytics identifies the user, recognises their assigned role and privilege, and duly authorises read-access.
Resource-access can optionally be specified by means of parameterisation. This means that a wildcard character has been used, during role-assignment, to specify that a privilege applies to all resource-instances within a resource-class: for example, to all databases.
Defining Users and Groups
Enterprise Analytics allows users to be defined individually, on the cluster. Each user so defined is of one of the following kinds:
- A local user. The username and password are defined and maintained on Enterprise Analytics.
- An external user. The username is recorded on Enterprise Analytics. However, the username and password are defined and maintained outside the cluster: for example, on a remote LDAP server.
Couchbase-Server roles can be assigned both to local and to external users. Roles can be assigned in either or both of the following ways:
- Directly. The user is associated directly with one or more Couchbase-Server roles.
- By Group. A Couchbase-Server user-group is defined, and roles are assigned to the user-group. The user is made a member of the user-group, and thereby inherits all the roles of the group. A user can be a member of any number of groups.
By means of LDAP Group Support, the roles assigned to a Couchbase-Server user-group can be inherited by users not defined on Enterprise Analytics. For a detailed account, see Authentication Domains.
See Manage Users, Groups, and Roles, for details on creating users and assigning roles.
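The following is an added example, not Couchbase code, that models the security model described above (users authenticate with credentials, roles carry fixed privilege sets, a wildcard parameterises a privilege over a whole resource class) together with the user and group rules from this section (local versus external users, roles assigned directly or inherited through group membership). The `Cluster` class, the `"class:name"` resource notation, the "Sales Writer" role, the "analysts" group, the user names and the `ldap_bind` stand-in for the remote LDAP server are all assumptions made for the example; only the "Data Reader" role name and the Read/Write/Execute/Manage actions come from the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ACTIONS = {"Read", "Write", "Execute", "Manage"}


@dataclass(frozen=True)
class Privilege:
    """One action on one resource, written "class:name".
    "class:*" parameterises the privilege over every instance of that class."""
    action: str
    resource: str

    def covers(self, action: str, resource: str) -> bool:
        if self.action != action:
            return False
        cls, _, name = self.resource.partition(":")
        rcls, _, rname = resource.partition(":")
        # Case-sensitive match; the wildcard never crosses resource classes.
        return cls == rcls and (name == "*" or name == rname)


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset  # fixed set of Privilege; users never hold privileges directly


@dataclass
class User:
    name: str
    domain: str                                # "local" or "external" (e.g. LDAP)
    roles: set = field(default_factory=set)    # roles assigned directly
    groups: set = field(default_factory=set)   # names of groups the user belongs to
    salt: bytes = b""
    pw_hash: bytes = b""                       # only local users carry a credential


class Cluster:
    """Hypothetical in-memory stand-in for the cluster's RBAC store (assumption)."""

    def __init__(self):
        self.roles, self.groups, self.users = {}, {}, {}

    def define_role(self, name, *privs):
        self.roles[name] = Role(name, frozenset(Privilege(a, r) for a, r in privs))

    def define_group(self, name, *role_names):
        self.groups[name] = {self.roles[r] for r in role_names}

    def add_local_user(self, name, password, roles=(), groups=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.users[name] = User(name, "local", {self.roles[r] for r in roles},
                                set(groups), salt, digest)

    def add_external_user(self, name, roles=(), groups=()):
        # Only the username is recorded; the password lives on the remote system.
        self.users[name] = User(name, "external", {self.roles[r] for r in roles}, set(groups))

    def authenticate(self, name, password, external_check=None):
        """Return the User on success, None otherwise (same answer for every failure)."""
        user = self.users.get(name)
        if user is None:
            return None
        if user.domain == "local":
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
            return user if hmac.compare_digest(digest, user.pw_hash) else None
        # External users are verified by the remote system; never accept one without it.
        return user if external_check is not None and external_check(name, password) else None

    def effective_roles(self, user):
        roles = set(user.roles)
        for g in user.groups:
            roles |= self.groups[g]  # every role of a group is inherited by its members
        return roles

    def authorize(self, user, action, resource):
        return any(p.covers(action, resource)
                   for role in self.effective_roles(user) for p in role.privileges)


def build_cluster():
    c = Cluster()
    c.define_role("Data Reader", ("Read", "database:*"))            # parameterised over all databases
    c.define_role("Sales Writer", ("Read", "database:sales"), ("Write", "database:sales"))
    c.define_group("analysts", "Data Reader")
    c.add_local_user("alice", "s3cret", roles=["Sales Writer"])     # direct assignment
    c.add_local_user("svc-report", "r3port", groups=["analysts"])   # inherited through the group
    c.add_external_user("bob@corp", groups=["analysts"])            # LDAP-defined identity
    return c


def decisions():
    """Constructed scenario; returns the access decisions for inspection."""
    c = build_cluster()
    alice = c.authenticate("alice", "s3cret")
    svc = c.authenticate("svc-report", "r3port")
    ldap_bind = lambda n, p: (n, p) == ("bob@corp", "ldap-pw")     # simulated remote LDAP bind
    bob = c.authenticate("bob@corp", "ldap-pw", external_check=ldap_bind)
    return {
        "alice_reads_sales": c.authorize(alice, "Read", "database:sales"),
        "alice_reads_hr": c.authorize(alice, "Read", "database:hr"),        # no wildcard: denied
        "svc_reads_hr": c.authorize(svc, "Read", "database:hr"),            # via group role
        "svc_writes_hr": c.authorize(svc, "Write", "database:hr"),          # Read-only role
        "wildcard_stays_in_class": c.authorize(svc, "Read", "cluster:hr"),  # other class: denied
        "bob_reads_hr": c.authorize(bob, "Read", "database:hr"),            # external user, inherited
        "bad_password": c.authenticate("alice", "wrong") is None,
        "external_needs_verifier": c.authenticate("bob@corp", "ldap-pw") is None,
        "unknown_user": c.authenticate("mallory", "x") is None,
    }
```

Two points worth noticing in the model: the wildcard is resolved only within the resource class named in the privilege, so a role parameterised over all databases grants nothing on any other class; and an external user is never accepted on the strength of the locally recorded username alone, which is what makes the LDAP-backed "bob@corp" safe to give the same group-inherited roles as a local user.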