RBAC security

Contributors dmp-netapp

The Astra REST API supports role-based access control (RBAC) to grant and restrict access to the system functions.

Astra roles

Every Astra user is assigned to a single role which determines the actions that can be performed. The roles are arranged in a hierarchy as described in the table below.

| Role | Description |
| --- | --- |
| Owner | Has all the permissions of the Admin role and can also delete Astra accounts. |
| Admin | Has all the permissions of the Member role and can also invite users to join an account. |
| Member | Can fully manage the Astra application and compute resources. |
| Viewer | Restricted to only viewing resources. |

Enhanced RBAC with namespace granularity

Note: This feature was introduced with the 22.04 release of the Astra REST API.

When a role binding is established for a specific user, a constraint can be applied to limit the namespaces the user has access to. The constraint can be defined in several ways, as described in the table below. See the roleConstraints parameter in the Role Binding API for more information.

| Namespaces | Description |
| --- | --- |
| All | The user can access all the namespaces through the wildcard parameter "*". This is the default value, kept to maintain backwards compatibility. |
| None | An empty constraint list is specified. This indicates the user cannot access any namespace. |
| Namespace list | The UUID of a single namespace is included, which restricts the user to that namespace. A comma-separated list of UUIDs can also be used to allow access to multiple namespaces. |
| Label | A label is specified and access is allowed to all the namespaces matching it. |
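As an added illustration (not code from the Astra API or its documentation), the access decision described by the two tables above, the role hierarchy and the namespace constraint, modelled in Python. The `namespaces:` and `label:` string encodings and the action names are assumptions, since the page does not give the wire format of roleConstraints; malformed UUID entries are treated as matching nothing so the check fails closed.

```python
from dataclasses import dataclass, field
from typing import Optional
from uuid import UUID

# Role hierarchy from the page: each role inherits the permissions of the one below it.
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2, "owner": 3}
# Least-privileged role for each action (Member manages, Admin invites, Owner deletes accounts).
# The action names are assumptions, not Astra API identifiers.
ACTION_MIN_ROLE = {"view": "viewer", "manage": "member", "invite": "admin", "delete_account": "owner"}

@dataclass
class Namespace:
    id: str                                   # namespace UUID as a string
    labels: dict = field(default_factory=dict)

def _uuid_or_none(value: str) -> Optional[str]:
    """Canonicalise a UUID string; malformed input yields None so it can never match."""
    try:
        return str(UUID(value.strip()))
    except ValueError:
        return None

def role_allows(role: str, action: str) -> bool:
    """Hierarchy check: a role may do anything the roles beneath it may do."""
    return ROLE_RANK[role.lower()] >= ROLE_RANK[ACTION_MIN_ROLE[action]]

def constraint_allows(constraints: Optional[list], ns: Namespace) -> bool:
    """Evaluate a role binding's namespace constraint list against one namespace.
    None  -> no list given: treated as "*" (the backwards-compatible default)
    []    -> list present but empty: no namespace is accessible
    "*"   -> wildcard; "namespaces:a,b" -> UUID list; "label:k=v" -> label selector
    (the last two encodings are assumed for this example)
    """
    if constraints is None:
        constraints = ["*"]
    for entry in constraints:
        if entry == "*":
            return True
        if entry.startswith("namespaces:"):
            allowed = {_uuid_or_none(x) for x in entry[len("namespaces:"):].split(",")}
            allowed.discard(None)                # drop malformed entries (fail closed)
            if _uuid_or_none(ns.id) in allowed:
                return True
        elif entry.startswith("label:"):
            key, _, value = entry[len("label:"):].partition("=")
            if ns.labels.get(key) == value:
                return True
    return False                                 # unrecognised forms grant nothing

def can_perform(role: str, action: str, constraints: Optional[list], ns: Optional[Namespace]) -> bool:
    """Role hierarchy first; then the namespace constraint for namespace-scoped actions (ns given)."""
    if not role_allows(role, action):
        return False
    return True if ns is None else constraint_allows(constraints, ns)
```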