Authorization | Couchbase Docs
Couchbase RBAC controls access to cluster-resources. Resources can only be accessed by users. A user may be an administrator or an application.
Users can be added to Couchbase Server by the Full Administrator. Each user must be defined with a username and password. When attempting to access resources, each user must authenticate by means of these credentials.
A user can be assigned one or more roles by the Full Administrator. Each role is itself associated with a subset of privileges, a privilege being a form of action such as Read, Write, Execute, or Manage. Each privilege is associated with a resource, such as a bucket, index, view, or DCP stream.
For example, the Data Reader role features the Read privilege, which is applied to the data of a bucket. When a user has been assigned the Data Reader role, and attempts to gain read-access to the bucket’s data by submitting their credentials, Couchbase Server identifies the user, recognises their assigned role and privilege, and duly authorises read-access.
Note that resource-access can optionally be specified by means of parameterisation. This means that a wildcard character has been used, during role-assignment, to specify that a privilege applies to all resource-instances within a resource-class: for example, to all buckets.
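The flow described above (identify the user by credentials, then look up the assigned roles and their privileges, with the wildcard parameterisation of the last paragraph) can be modelled in a few dozen lines. The code below is an added illustrative model written for this page, not Couchbase Server's implementation: the role name Data Reader, the Read privilege and the `*` wildcard follow the text, while the function names, the other entries in the role table, the PBKDF2 credential check and the two sample users are assumptions made for the example.

```python
"""Toy model of the RBAC authorization flow described on this page.

Illustrative code written for this page, not Couchbase Server's own
implementation. Role names, privilege names and the "*" wildcard follow
the text; the class and function names, the role table entries other
than Data Reader, and the sample users are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Role catalogue: role -> set of (privilege, resource class).
# Roles are defined by the system; the Full Administrator only assigns them.
ROLE_PRIVILEGES = {
    "Data Reader": {("Read", "bucket")},
    "Data Writer": {("Write", "bucket")},           # assumed, for contrast
    "Full Administrator": {("Manage", "cluster")},  # assumed privilege set
}


@dataclass(frozen=True)
class RoleAssignment:
    """A role granted to a user, optionally parameterised by a resource instance.

    param "*" is the wildcard: the privilege applies to every instance of the
    resource class (for example, to all buckets)."""
    role: str
    param: str = "*"


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set[RoleAssignment] = field(default_factory=set)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the model never stores the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str, roles: set[RoleAssignment]) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt), roles)


def authenticate(users: dict[str, User], username: str, password: str) -> Optional[User]:
    """Step 1: identify the user by credentials. Unknown user or bad password -> None."""
    user = users.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
        return None
    return user


def authorize(user: User, privilege: str, resource_class: str, instance: str) -> bool:
    """Step 2: does any assigned role carry `privilege` on this resource?

    Deny by default. A role grants access only if it carries the privilege on
    this resource class AND its parameter is the wildcard or names this exact
    instance."""
    for assignment in user.roles:
        if (privilege, resource_class) not in ROLE_PRIVILEGES.get(assignment.role, set()):
            continue
        if assignment.param == "*" or assignment.param == instance:
            return True
    return False


def check_access(users: dict[str, User], username: str, password: str,
                 privilege: str, resource_class: str, instance: str) -> bool:
    """Authenticate, then authorize; any failure in either step denies access."""
    user = authenticate(users, username, password)
    return user is not None and authorize(user, privilege, resource_class, instance)


# Constructed sample users (not from the page).
USERS = {
    u.username: u for u in [
        # Data Reader parameterised to a single bucket.
        create_user("alice", "alice-pw", {RoleAssignment("Data Reader", "travel-sample")}),
        # Data Reader with the wildcard: read access to every bucket.
        create_user("reporting-app", "app-pw", {RoleAssignment("Data Reader", "*")}),
    ]
}

if __name__ == "__main__":
    print(check_access(USERS, "alice", "alice-pw", "Read", "bucket", "travel-sample"))     # True
    print(check_access(USERS, "alice", "alice-pw", "Read", "bucket", "beer-sample"))       # False
    print(check_access(USERS, "alice", "alice-pw", "Write", "bucket", "travel-sample"))    # False
    print(check_access(USERS, "reporting-app", "app-pw", "Read", "bucket", "beer-sample")) # True
    print(check_access(USERS, "alice", "wrong-pw", "Read", "bucket", "travel-sample"))     # False
```

The two checks that matter for the text are the contrast between `alice`, whose Data Reader role is parameterised to one bucket and is refused on any other, and `reporting-app`, whose wildcard assignment is accepted on every bucket; a privilege the role does not carry (Write for a Data Reader) and a failed credential check are both refused before any role is consulted or without one matching.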