Manage Access to Cluster Data
- Capella Columnar
- how-to
Access control accounts provide granular, programmatic and application-level access to data on a cluster.
You need an access control account to programmatically access data on a Columnar cluster. Access control accounts for Capella Columnar are separate from Capella’s organization and project roles.
Access control accounts are not associated with a particular user. They do not control access to UI data tools like the Workbench.
Prerequisites
To create, modify, and delete access control accounts and roles, you need:
-
One of the following Capella roles:
The Project Viewer role can view control accounts and roles, but cannot modify or create them.
|
Create an Access Control Account
-
In the Capella UI, select the Columnar tab and then select a cluster.
-
Click
. -
Click Create Account.
-
Enter the name and password for the new access control account.
An access control account cannot have the same name as a role. You can change the password for an access control account at any time.
-
Assign roles:
When creating an access control account, you can assign it system preset roles or create new roles. Roles include a set of privileges that you can apply to multiple access control accounts for your cluster
-
Assign privileges:
Instead of or in addition to roles, you can also assign privileges directly to an access account. Click Assign Privileges to show a list of all the privileges you can give to this access account. For greater control, you can narrow the scope of a privilege to specific databases, scopes, or links as applicable. Any privileges you apply directly to an account are on the management page for the access control account, where you can modify or remove them.
-
Click Save.
Create Roles
A role is a group of privileges you can assign to one or more access control accounts in your Columnar cluster. Using roles allows you to more easily create multiple access control accounts with the same privileges and rotate them.
Capella Columnar provides four preset roles that cover common use cases: sys_data_admin
, sys_data_reader
, sys_external_stats_reader
, and sys_view_reader
.
You cannot delete these roles.
The new role you create must not start with sys_ .
|
To create a new role:
-
In the Capella UI, select the Columnar tab and then select a cluster.
-
Click
. -
Click Create Role.
-
Enter the name and an optional description for the new role.
A role cannot have the same name as an access control account.
-
Click Assign Privileges to show a list of all the privileges you can give to this role. For greater control, you can narrow the scope of a privilege to specific databases, scopes, or links as applicable.
-
Click Assign.
-
Click Create.
Next Steps
-
To provide user access to the Capella UI and Columnar clusters, see Assign Roles for UI Access.