Roles

Roles grant users access to one or more resources. Administrators assign roles to users to enable them to perform the tasks they need to carry out when using Couchbase Server.

Roles and Privileges

Roles provide a set of privileges for interacting with a resource. These privileges are often specific. For example, the Data Writer role lets a user write data using key-value operations. This role does not let the user read data. The Data Reader role grants that ability.

Some roles let you limit the privileges a role grants to specific collections, scopes, or buckets. For example, when granting a user the Data Writer role, you can limit the user so they can only write to a specific collection. You can also enable the user to write data to multiple collections, multiple scopes, or even to all buckets. For detailed information about scopes and collections, see learn:data/scopes-and-collections.adoc.

You can grant a user multiple roles to tailor their privileges for the tasks they need to perform. For example, you can grant a user the Data Reader role to let them read all data in a specific bucket. In addition, you can grant them the Data Writer role, but limit them to writing data into a specific collection within the bucket. Some roles, such as Query List Index, are so limited that they’re only useful when combined with other roles (Query Select, for example).

Roles in Relation to Buckets

Some roles provide privileges to resources across the entire cluster. For example, most administrator roles grant the user access to resources cluster wide. Other roles, such as those dealing with managing data, let the administrator granting the role limit its privileges to specific buckets, scopes, or collections.

User Categories

Couchbase Server users fall into three categories: administrators, developers, and applications. Which roles you assign to a user often depend on which category they fall into:

Administrators

Users with any of the administrator roles can log into Couchbase Server Web Console and perform administrative tasks. Most of these roles do not grant the ability to read or write data.

The administrative roles grant their users the ability to carry out specific tasks. For example, a user with the Cluster Admin role can manage all cluster features except for security. Users with the Read-Only Admin role can log into the Couchbase Server Web Console to read cluster settings, statistics, and backup plans, but not change them. The Bucket Admin role allows management only of one or more buckets. See Administrative Roles for details.

Note

The user interface of the Couchbase Web Console changes based on the role the user has. For example, Couchbase Server only displays the the entire Security page to a user with the Full Admin role. Users with either the Local User Admin or the External User Admin roles can only see the Users & Groups tab on this screen.

Applications

An application needs to have a user account to authenticate with Couchbase Server. You often assign these users roles that let them read or write data or other limited privileges. Most of the roles you grant applications do not allow them to log into Couchbase Server Web Console or modify cluster settings. For example, the Data Reader and Data Writer roles let the user read and write data using key-value operations. You can limit these privileges to one or more collections, scopes, or buckets. Other roles appropriate for applications are Manage Scopes, Data DCP Reader, and Data Backup & Restore.

Developers

Developers require more privileges for greater access to data and to manage resources than do applications. However, they should not have the unrestricted privileges that most Administrator roles grant. These roles do let users log into the Couchbase Server Web Console, so they can perform tasks in a GUI environment. You can tailor the roles you grant to developers so they have just enough privileges to perform their tasks. For example, the Analytics Admin and Manage Global External Functions roles were designed for interactive users. They let them maintain some parts of the database. However, they lack the ability to change cluster settings like most administrator roles.

Role Overviews

The following sections describe the roles defined by Couchbase Server. The list is broken into the same categories that appear within the Couchbase Server Web Console’s Edit User dialog. Each description has a table listing what resources a user with the role can access and any limitations on their access. If a resource does not appear in this table, the role does not grant the user any privileges for it.

Note	The majority of roles are only available in Couchbase Server Enterprise Edition. The list indicates when a role is available in Couchbase Server Community Edition.

Administrative Roles

The following roles grant users the ability to administer some aspects of Couchbase Server.

Full Admin

The Full Admin role (admin) grants full privileges to all Couchbase Server features and resources, including security. The role allows the user to log into the Couchbase Server Web Console.

This role is also available in Couchbase Server Community Edition.

Read-Only Admin

The Read-Only Admin role lets the user read Couchbase Server settings and statistics. Users with this role can also read Backup Service data to monitor backup plans and tasks.

The role lets the user log into the Couchbase Server Web Console.

This role is also available in Couchbase Server Community Edition.

Note	Prior to Couchbase Server 8.0, this role allowed the user to read security information including listing users and groups. In 8.0, these permissions were split off into the Read-Only Security Admin role. The Read-Only Admin role now does not allow access to any of the security information.

+ When you upgrade Couchbase Server from a version earlier than 8.0 to 8.0 or later, the upgrade process grants any user with this role the Read-Only Security Admin role as well. Granting this role lets the user retain the privileges they had in prior versions.

Role: Read-Only Admin (`ro_admin`)
Resource	Permissions	Restrictions
Servers	View configuration and statistics	Cannot add, failover, remove, modify services, or rebalance
Buckets	List buckets, scopes, and collections	Cannot create, drop, edit settings, read or write data
Backup	List repositories and plans	Cannot add or edit repositories or plans.
XDCR	List remote clusters and outgoing replications	Cannot list incoming replications, or add or edit replications.
Security	None.	All.
Settings	View all settings	Cannot edit settings
Logs	View logs	Cannot collect information
Indexes	Can view index settings and stats	Cannot add, edit, or drop indexes
Query	None	All
Search	Can view Search indexes	Cannot edit or add Search indexes
Analytics	None	All
Eventing	None	All
Views	Can list defined views	Cannot change views

Security Admin

The Security Admin role allows the user to manage all security settings except for users and groups.

This role lets the user log into the Couchbase Server Web Console.

Role: Security Admin (`security_admin`)
Resource	Permissions	Restrictions
Servers	View configuration and statistics	Cannot add, failover, remove, modify services, or rebalance
Buckets	List buckets, scopes, and collections	Cannot create, drop, or edit settings, or read or write data
Backup	None	All
XDCR	List outgoing replications	Cannot create, start, alter connections
Security	Manage LDAP, SAML, certificates, encryption at rest, audit, and logging settings.	Cannot view or change users or groups.
Settings	View	Change
Logs	View	Collect Information
Query	None	All
Search	None	All
Analytics	None	All
Eventing	None	All
Views	None	All

Read-Only Security Admin

The Read-Only Security Admin role lets the user view all security settings except for listing users and groups.

This role lets the user log into the Couchbase Server Web Console.

Note

This role is new in Couchbase Server 8.0. It was created to separate security privileges from the Read-Only Admin role. The upgrade process from prior versions to Couchbase Server 8.0 or later grants this role to users that had the Read-Only Admin. This grant ensures the user retains the privileges they had in prior versions.

Role: Read-Only Security Admin (`ro_security_admin`)
Resource	Permissions	Restrictions
Servers	View configuration and statistics	Cannot add, failover, remove, modify services, or rebalance
Buckets	List buckets, scopes, and collections	Cannot create, drop, or edit settings, or read or write data
Backup	None	All
XDCR	List outgoing replications	Cannot create, start, alter connections
Security	View LDAP, SAML, certificates, encryption at rest, audit, and logging settings.	Cannot make any changes to security settings. Cannot view or change users or groups.
Settings	View	Change
Logs	View	Collect Information
Query	None	All
Search	None	All
Analytics	None	All
Eventing	None	All
Views	None	All

Local User Admin

The Local User Admin role lets a user manage users defined in the local authentication domain. It also grants the ability to read all cluster statistics such as the settings, logs, and buckets. It does not grant the ability to read data.

Note

While this role does not allow the user to read or write data, they can create users that can read and write data. This could be considered a privilege escalation, but it’s intentional behavior. This role is intended to manage all non-administrator roles, including those that can read or write data. You can address any possible privilege escalation concerns by auditing the actions of users with this role to see if they create users to get around the data access limitations.

This role allows users to edit local users, but they cannot grant these users the Full Admin, Read-Only Admin, Local User Admin, or External User Admin roles. They also cannot edit the accounts for any user with those roles (including their own account).

Note

This role replaced the Local User Security Admin role available in Couchbase Server prior to version 8.0. The Local User Security Admin role had additional administration privileges that were split off into the Security Admin role. When upgrading to 8.0 or restoring a backup from a pre-8.0 version to Couchbase Server 8.0 or later, users with the Local User Security Admin role are granted this role and the Security Admin role. This conversion ensures the user retains the privileges they had in prior versions.

This role lets users log into the Couchbase Server Web Console.

Role: Local User Admin (`user_admin_local`)
Resource	Permissions	Restrictions
Servers	View statistics	Add, failover, remove, modify services, rebalance
Buckets	List buckets, scopes, and collections	Create, drop, edit settings, read or write data
Backup	None	All
XDCR	View list of outgoing replications	View incoming replications, remote clusters, add or edit connections
Security	Add, delete, and edit local users. Can add, delete, and edit groups.	Cannot grant Full Admin, Read-Only Admin, Local or External User Admin, or Security Admin roles to users or groups. Cannot access non-user and group security resources.
Settings	View	Change
Logs	View	Collect Information
Query	None	All
Search	None	All
Analytics	None	All
Eventing	None	All
Views	None	All

External User Admin

The External User Admin role lets users manage users defined in the external authentication domain. It also lets the user manage groups and read all cluster statistics. Users with this role cannot grant external users or groups Full Admin, Read-Only Admin, Security Admin, or Local or External User Admin roles. They also cannot edit users with those roles.

Note

This role replaced the External User Security Admin role available in Couchbase Server prior to version 8.0. The External User Security Admin role had additional administration privileges that were split off into the Security Admin role. When upgrading to 8.0 or restoring a backup from a pre-8.0 version to Couchbase Server 8.0 or later, users with the External User Security Admin role are granted this role and the Security Admin role. This conversion ensures the user retains the privileges they had in prior versions.

This role lets the user log into the Couchbase Server Web Console.

Role: External User Admin (`user_admin_external`)
Resource	Permissions	Restrictions
Servers	View statistics	Add, failover, remove, modify services, or rebalance servers
Buckets	List buckets, scopes, and collections	Create, drop, edit settings, read or write data
Backup	None	All
XDCR	View list of outgoing replications	View incoming replications, remote clusters, add or edit connections
Security	Add, delete, edit external users. Add, delete, and edit groups.	Cannot grant Full Admin, Read-Only Admin, Local or External User Admin, or Security Admin roles to groups or external users. Cannot access security resources besides users and groups.
Settings	View	Change
Logs	View	Collect Information
Query	None	All
Search	None	All
Analytics	None	All
Eventing	None	All
Views	None	All

Cluster Admin

The Cluster Admin role lets the user manage of all cluster features except security. Cluster Admins can create, edit, and drop buckets but cannot read or write data.

This role lets users log into the Couchbase Server Web Console.

Role: Cluster Admin (`cluster_admin`)
Resource	Permissions	Restrictions
Servers	All	None
Buckets	Create, drop, edit settings	Read or write data
Backup	None	All
XDCR	All	None
Security	None	All
Settings	All	None
Logs	All	None
Query	None	All
Search	None	All
Analytics	None	All
Eventing	Import, Change Settings	Add, remove, edit functions
Views	None	All

Eventing Full Admin

The Eventing Full Admin role lets a user create and manage eventing functions as well as other administration tasks.

The role lets the user log into the Couchbase Server Web Console.

Role: Eventing Full Admin (`eventing_admin`)
Resource	Permissions	Restrictions
Servers	View configuration and statistics	Cannot add, failover, remove, modify services, rebalance
Buckets	List buckets, scopes, and collections. Can create, compact, and drop buckets, scopes, and collections. Can read and write data in buckets.	None
Backup	List repositories and plans	Cannot add or edit repositories or plans
XDCR	List outgoing replications	Cannot list incoming replications or remote clusters. Cannot add or edit replications.
Security	None	All
Settings	View all settings and load sample buckets	Cannot edit settings
Logs	View logs	Cannot collect information
Indexes	All	None
Query	All	None
Search	All	None
Analytics	All	None
Eventing	All	None
Views	All	None

Backup Full Admin

The Backup Full Admin role lets the user administer backup-related tasks as well as other aspects of Couchbase Server.

Note	This role does not grant the ability to back up or restore users. For a user to be able to back up both data and users, you must assign them the Local User Admin and the External User Admin roles in addition to this role.

This role lets the user log into Couchbase Server Web Console.

Role: Backup Full Admin (`backup_admin`)
Resource	Permissions	Restrictions
Servers	All	None
Buckets	All, including add and drop buckets and edit, add, and drop documents	None
Backup	All	None
XDCR	All	None
Security	None	All
Settings	All	None
Logs	View logs	Cannot collect information
Query	All	None
Indexes	All	None
Search	All	None
Analytics	All	None
Eventing	All	None
Views	All	None

Views Admin

The Views Admin role lets the user create, modify, and drop views in one or more buckets. When granting this role, you choose the buckets where the user can manage views.

This role lets the user log into Couchbase Server Web Console.

Role: Views Admin (`views_admin`)
Resource	Permissions	Restrictions
Servers	View configuration and statistics	Cannot add, failover, remove, modify services, or rebalance servers
Buckets	Can read, write, and edit views for the buckets assigned to them. Can read data (via key-value), statistics, and settings in these buckets.	Cannot write data to buckets or alter bucket settings
XDCR	Can list outgoing replications	Cannot view incoming replications or change XDCR settings
Settings	View all settings	Cannot edit settings
Logs	Can view logs	Cannot collect data
Query	None	Cannot execute queries
Search	Can view Search indexes	Cannot edit or add Search indexes
Views	Can create, drop, and edit views in buckets assigned to them.	Cannot change views

External Stats Reader

The External Stats Reader role grants only allows the user to call the /metrics and /prometheus_sd_config REST API endpoints. Assign this role to the user Prometheus uses when authenticating with Couchbase Server. See manage:monitor/set-up-prometheus-for-monitoring.adoc for more information.

This role does not let the user log into the Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: External Stats Reader (`external_stats_reader`)
Metrics API	Able to call `/metrics` and `/prometheus_sd_config` REST API endpoints	None

Application Telemetry Writer

This role lets the user report application telemetry through SDK calls. Assign this role to application users that need to report telemetry information to Couchbase Server.

This role does not let the user log into Couchbase Server Web Console.

Role: Application Telemetry Writer (`application_telemetry_writer`)
Resource	Permissions	Restrictions
Application Telemetry	Able to write to telemetry metric websockets	None

Bucket Roles

The following roles give users privileges to manage or access buckets. See learn:buckets-memory-and-storage/buckets.adoc for more information about buckets.

Bucket Admin

The Bucket Admin role lets the user manage one or more buckets. These management abilities include stopping and starting XDCR for a bucket. When granting this role, you choose which buckets the user can manage.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Bucket Admin (`bucket_admin`)
Servers	List servers, view server configuration	Cannot view configuration, add, failover, remove, modify services, or rebalance servers.
Buckets	Can drop, compact and edit buckets assigned to them. Can add, edit, and drop scopes and collections in the buckets.	Cannot read, insert, or mutate documents.
XDCR	Can start and stop replications for buckets assigned to them.	Cannot add, remove, or edit XDCR connections.
Settings	View all cluster settings	Cannot change cluster settings.
Logs	Can view logs.	Cannot collect information
Search	Can list Search indexes.	Cannot create, drop, or edit Search indexes.
Eventing	All	None

Manage Scopes

The Manage Scopes role lets a user create and delete scopes and collections within one or more buckets. When granting this role, you choose the buckets where the user can create scopes and collections. The user does not have the ability to read, write, or alter data. Use this role to allow applications to manage a bucket’s scopes and collections.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Manage Scopes (`scope_admin`)
Buckets	Can add and drop scopes and collections in the buckets assigned to them.	Cannot read, insert, or mutate documents.

Application Access

The Application Access role lets a user read and write data in one or more buckets. This role does not grant the ability to query data via {sqlpp}—the user can only access data via keys. When granting this role, you choose the buckets where the user can read and write data. As its name implies, this role is intended for use by applications instead of interactive users.

Important

This role is deprecated. Couchbase Server 5.0 added this role to replace an old method of password authentication to access buckets. To transition away from bucket passwords, the upgrade process to Couchbase Server 5.0 created new users with the bucket’s name and password and assigned this role. Do not grant this role to users. Instead, use one of the query or data roles.

Versions of Couchbase Server prior to 5.5 referred to this role as Bucket Full Access.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Application Access (`bucket_full_access`)
Buckets	Can read and write data in buckets assigned to them.	Cannot alter bucket, scope, or collection settings.

Data Roles

These roles give users the ability to read and write data in buckets via key-value operations. See guides:kv-operations.adoc to learn about key-value operations.

Data Reader

The Data Reader role lets the user read data from one or more collections via key-value retrieval. It does not grant the ability to run {sqlpp} queries (see Query & Index Roles for roles that do). When granting this role, you choose the collections where the user can read data. Grant this role to users for applications that need to read data via key-value operations.

This role does not let the user log into Couchbase Server Web Console.

Role: Data Reader (`data_reader`)
Resource	Permissions	Restrictions
Buckets	Read data from collections, scopes, and buckets assigned to them. Can read some bucket metadata, XATTR mappings, and pools on buckets assigned to them.	Cannot write data
Query	None	All

Data Writer

The Data Writer role lets the user write data to one or more collections via key-value operations. It does not grant the ability to run {sqlpp} queries (see Query & Index Roles for roles that do). When granting this role, you choose the collections where the user can write data. Grant this role to users for applications that need to write data via key-value operations.

This role does not let the user log into Couchbase Server Web Console.

Role: Data Writer (`data_writer`)
Resource	Permissions	Restrictions
Buckets	Write data to collections, scopes, and buckets assigned to them.	Cannot read data
Query	None	All

Data DCP Reader

The Data DCP Reader role lets the user start a Database Change Protocol (DCP) stream for one or more collections, scopes, or buckets. When granting this role, you choose the collections, scopes, and buckets where the user can start DCP streams. Grant this role to users for applications that need to start DCP streams.

This role does not let the user log into Couchbase Server Web Console.

Role: Data DCP Reader (`data_dcp_reader`)
Resource	Permissions	Restrictions
Buckets	Can start DCP streams for collections, scopes, and buckets assigned to them. Can also read data and XATTRs from these collections, scopes, and buckets.	Cannot write data
Query	None	All

Data Monitor

The Data Monitor role lets the user read statistics for a bucket, scope, or collection. When granting the role, you decide which statistics the user can read. Use this role for applications that need to read statistics.

Note	In versions of Couchbase Server prior to 5.5, this role was called Data Monitoring.

This role does not let the user log into Couchbase Server Web Console.

Role: Data Monitor (`data_monitoring`)
Resource	Permissions	Restrictions
Buckets	Can read statistics for buckets, scopes, and collections assigned to them.	None

Views Roles

The following roles grant users privileges with Views. Also see the related administrator role Views Admin.

Important

Views were deprecated in Couchbase Server 7.0. See learn:views/views-intro.adoc for more information.

Views Reader

The Views Reader role lets a user read data from views in one or more buckets. When granting this role, you choose which buckets contain views the user can read. Grant this role to users you create for applications that need to read data from views.

This role does not let the user log into Couchbase Server Web Console.

Role: Views Reader (`views_reader`)
Resource	Permissions	Restrictions
Buckets	Can read data from views in the buckets they have access to. Can read data via key-value from these buckets.	Cannot write data to buckets, alter bucket settings, or alter views.
Views	Can read data from views in buckets assigned to them.	Cannot change views

Query & Index Roles

These roles grant users the ability to perform queries and work with indexes.

Query CURL Access

The Query CURL Access role lets the user call the {sqlpp} curl function in their queries.

Caution

The Query CURL Access role allows users to run GET and POST requests to any system on the network Couchbase Server uses for client connections. If your cluster is not configured to use a private network for internal communication, they also have access to the entire cluster. They can interact with any system on this network.

This role only grants the user the ability to read data returned by the {sqlpp} curl function. Usually, you assign additional roles to the user to allow them to read and write data.

For more information about the {sqlpp} curl function, see n1ql:n1ql-language-reference/curl.adoc.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Query Curl Access (`query_external_access`)
Servers	List servers	Cannot view configuration or add, failover, remove, modify services, or rebalance servers
Buckets	List buckets	Cannot list scopes or collections. Cannot create, drop, or edit buckets. Cannot read data other than the results of the {sqlpp} curl function call. Cannot write data.
Query	Can execute {sqlpp} curl function calls	Cannot execute any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.

Query System Catalog

The Query System Catalog role lets the user query the system catalog using {sqlpp}. Importantly, this role also grants permissions to delete from certain in-memory system tables, which is useful for clearing caches and historical query logs without restarting a server.

This access includes querying system:indexes and system:prepareds, as well as tables listing current and past queries. Assign this role to developers who need to query these tables when troubleshooting and debugging.

The role grants Couchbase Server Web Console access.

Resource	Permissions	Restrictions
Role: Query System Catalog (`query_system_catalog`)
Servers	List servers.	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets and view bucket settings	Cannot list scopes or collections, create, drop, edit settings, read or write data
Query	SELECT from all system catalog tables. Querying certain keyspaces like `system:indexes`, `system:keyspaces`, and `system:scopes` is subject to row-based filtering. The user must also have the appropriate `SELECT` privilege on the underlying keyspace or collection to see the corresponding entries. DELETE from the following in-memory system tables to clear caches and logs: `system:active_requests` `system:completed_requests` `system:completed_requests_history` `system:prepareds` `system:functions_cache` `system:dictionary_cache` `system:tasks_cache` `system:aus_settings`	* Cannot perform any other query actions. * Cannot use the Query Workbench in Couchbase Server Web Console. * Cannot `INSERT` or `UPDATE` system catalog tables. For this functionality (available from 8.0+), see the `manage_system_catalog` role.

Manage Global Functions

The Manage Global Functions role lets the user create and drop global user-defined {sqlpp} functions. See n1ql:n1ql-language-reference/createfunction.adoc.

This role grants Couchbase Server Web Console access.

Resource	Permissions	Restrictions
Role: Manage Global Functions (`query_manage_global_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets	Cannot list scopes or collections, create, drop, edit settings, read or write data
Query	Can execute `CREATE FUNCTION` and `DROP FUNCTION` statements	Cannot perform any other queries, including calling global functions. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Execute Global Functions

The Execute Global Functions role lets the user call global {sqlpp} user-defined functions.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Execute Global Functions (`query_execute_global_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets	Cannot list scopes or collections, create, drop, edit settings, read or write data
Query	Can execute global user-defined functions	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Manage Scope Functions

The Manage Scope Functions role lets the user create and drop user-defined {sqlpp} functions for one or more scopes. When granting this role, You select the scopes where the user can manage user-defined functions. See n1ql:n1ql-language-reference/createfunction.adoc.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Manage Scope Functions (`query_manage_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets	Cannot list scopes or collections, create, drop, edit settings, read or write data
Query	Can execute `CREATE FUNCTION` and `DROP FUNCTION` statements to create user-defined functions in specific scopes	Cannot perform any other queries, including calling the functions. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Query Select

The Query Select role lets the user execute SELECT statements on the data in one or more collections. See guides:query.adoc. When granting this role, you choose the collections where the user execute SELECT statements.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Query Select (`query_select`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	Can list buckets. Can read data from specific collections.	Cannot list scopes or collections, create, drop, edit settings, read or write data
Query	Can execute `SELECT` statements on data in one or more collections. Can read data from one or more collections.	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change any settings

Query Update

The Query Update role lets the user execute UPDATE statements to mutate existing documents in specific collections. See n1ql:n1ql-language-reference/update.adoc for more information. When granting this role, you select which collections contain documents the user can mutate.

This role lets the user log into Couchbase Server Web Console.

Role: Query Update (`query_update`)
Resource	Permissions	Restrictions
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets and view bucket settings	Cannot list scopes or collections, create, drop, edit settings
Query	Can execute `UPDATE` statements on documents in one or more collections	Cannot perform any other queries. Cannot create new documents. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Query Insert

The Query Insert role lets the user execute the {sqlpp} INSERT statement to add new documents to one or more collections. See n1ql:n1ql-language-reference/insert.adoc for more information. When granting this role, you select the collections where the user can add documents.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Query Insert (`query_insert`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets and view bucket settings	Cannot list scopes or collections, create, drop, edit settings
Query	Can execute `INSERT` statements to create documents in one or more collections	Cannot perform any other queries. Cannot mutate existing documents. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Query Delete

The Query Delete role lets the user execute the {sqlpp} DELETE satatement to delete documents from one or more scopes. See n1ql:n1ql-language-reference/delete.adoc for more information. When granting this role, you select the collections where the user can delete documents.

This role lets the user log into Couchbase Server Web Console.

Role: Query Delete (`query_delete`)
Resource	Permissions	Restrictions
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets and view bucket settings	Cannot list scopes or collections. Cannot edit bucket settings.
Query	Can execute `DELETE` statements to delete documents from one or more collections	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Query Use Sequential Scans

The Query Use Sequential Scan role allows users' queries to perform a sequential scan of a keyspace. The query planner only uses a sequential scan when no suitable index exists for the keyspace. Only queries by users with this role can use a sequential scan to query data because scanning a large unindexed keyspace can be expensive. See Sequential Scans for more information.

Note	Administrator roles automatically have permission to perform sequential scans when necessary.

This role does not let the user log into Couchbase Server Web Console.

Role: Query Use Sequential Scans (`query_use_sequential_scans`)
Resource	Permissions	Restrictions
Query	Can execute a query in a collection that lacks a primary and secondary index	Cannot perform any other queries

Query Manage Index

The Query Manage Index role allows the user to manage indexes for one or more collections. When granting this role, you select the collections where the user can manage indexes.

This role lets the user log into Couchbase Server Web Console.

Role: Query Manage Index (`query_manage_index`)
Resource	Permissions	Restrictions
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List buckets and view bucket settings	Cannot list scopes or collections, create, drop, edit settings. Cannot read or write data.
Index	Can create, drop, and view indexes for the collections whose indexes they have been given permission to manage	Cannot use the Query Workbench in Couchbase Server Web Console
Settings	View cluster settings	Cannot view any other settings or change settings

Query List Index

This role lets the user list indexes defined for one or more buckets, scopes, or collections. When granting this role, you select the buckets, scopes, or collections where the user can list indexes.

This role lets the user log into Couchbase Server Web Console.

Role: Query List Index (`query_list_index`)
Resource	Permissions	Restrictions
Servers	List servers and view statistics	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Buckets	List and view statistics for buckets, scopes, and collections	Cannot create, drop, or edit bucket, scope, or collection settings. Cannot read or write data.
Index	Can get list of indexes via the stats endpoint (see index-rest-stats:index.adoc)	Cannot add, drop, or edit indexes. Cannot use the Index Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Execute Scope Functions

The Execute Scope Functions role lets the user execute {sqlpp} user-defined functions defined within a scope. When you grant this role, you select the scopes where the user can call user-defined functions.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Execute Scope Functions (`query_execute_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can execute scope user-defined functions in specific scopes	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Manage Global External Functions

The Manage Global External Functions role lets the user manage global external language functions. See External Libraries for more information about external functions.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Manage Global External Functions (`query_manage_global_external_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can execute `CREATE FUNCTION` statements to create global external functions	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Execute Global External Functions

The Execute Global External Functions role lets a user execute globally defined external functions. See External Libraries for more information about external functions.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Execute Global External Functions (`query_execute_global_external_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can execute globally defined external functions	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Manage Scope External Functions

The Manage Scope External Functions role lets the user create and drop external language functions defined at the scope level. When you grant this role, you choose the scopes where the user can manage external functions. See External Libraries for more information about external functions.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Manage Scope External Functions (`query_manage_external_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can call globally defined external functions	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Execute Scope External Functions

The Execute Scope External Functions role lets the user call external functions defined in a scope. When you grant this role, you choose the scopes where the user can call external functions. See External Libraries for more information about external functions.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Execute Scope External Functions (`query_execute_external_functions`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can call globally defined external functions	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings

Manage Sequences

This role lets the user manage sequences for one or more scopes. See n1ql:n1ql-language-reference/sequenceops.adoc for more information about sequences. When you grant this role, you choose the scopes where the user can manage sequences.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Manage Sequences (`query_manage_sequences`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can create and alter sequences in buckets assigned to them	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console. Cannot manage sequences in buckets they do have not assigned to them.
Settings	View cluster settings	Cannot view any other settings or change settings

Use Sequences

This role lets the user incorporate sequences into their queries in one or more scopes. When you grant this role, you choose the scopes where the user can use sequences. See n1ql:n1ql-language-reference/sequenceops.adoc for more information about sequences.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Manage Sequences (`query_use_sequences`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers
Query	Can use sequences in scopes assigned to them.	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console. Cannot manage sequences.
Settings	View cluster settings	Cannot view any other settings or change settings

Query Manage System Catalog

This role lets a user manage all system catalogs for query automatic workload reports using {sqlpp} statements.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Query Manage System Catalog (`query_manage_system_catalog`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Query	Can manage query workload system catalogs	Cannot perform any other queries. Cannot use the Query Workbench in Couchbase Server Web Console.
Settings	View cluster settings	Cannot view any other settings or change settings.

Search Roles

The following roles give users privileges to the learn:services-and-indexes/services/search-service.adoc features.

Search Admin

The Search Admin role lets the user manage the Search Service in one or more buckets. When you grant this role, you choose the buckets where the user can manage search.

Note	In versions of Couchbase Server earlier than 5.5, this role was named FTS Admin.

This role lets the user log into Couchbase Server Web Console.

Role: Search Admin (`fts_admin`)
Resource	Permissions	Restrictions
Servers	Can list servers.	Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.
Buckets	Can list buckets, scopes, and collections. Can view documents.	Cannot edit documents or change bucket settings
Settings	Can view cluster settings	Cannot view other settings nor change any settings
Query	None	All
Search	Can add, edit, and drop Search indexes on the buckets they have access to.	Cannot manage Search indexes of buckets they do not have access to.

Search Reader

The Search Reader role lets the user execute searches using Full-Text Search indexes in one or more buckets. When you grant this role, you choose the buckets in which the user can execute searches.

Note	In versions of Couchbase Server prior to 5.5, this role was referred to as FTS Searcher.

This role lets the user log into Couchbase Server Web Console.

Role: Search Reader (`fts_searcher`)
Resource	Permissions	Restrictions
Servers	Can list servers.	Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.
Buckets	Can list buckets	Cannot read documents
Settings	Can view cluster settings	Cannot view other settings nor change any settings
Query	None	All
Search	Can use Search indexes in the buckets they have access to	Cannot add, drop, or change settings for Search indexes

Analytics Roles

The following roles give uses privileges for the Analytics Service. See learn:services-and-indexes/services/analytics-service.adoc for more information.

Analytics Reader

The Analytics Reader role lets the user query all analytic datasets. For more information, see analytics:introduction.adoc.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Analytics Reader (`analytics_reader`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Settings	View cluster settings	Cannot view any other settings or change settings.
Analytics	Can read any analytic data. Can use the Couchbase Server Web Console’s Analytics query editor.	Cannot change analytic configuration.

Analytics Admin

The Analytics Admin role lets users manage Analytics Service links, scopes, and datasets for all buckets. For more information, see analytics:introduction.adoc.

This role lets the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Analytics Admin (`analytics_admin`)
Servers	List servers	Cannot view configuration. Cannot add, failover, remove, modify services, or rebalance servers.
Settings	View cluster settings	Cannot view any other settings or change settings
Analytics	Can add or drop Analytics Service links, scopes, and dataset	None

Analytics Select

The Analytics Select role lets the user query analytic datasets for one or more buckets, scopes, or collections. When you grant this role, you choose the buckets, scopes, and collections where the user can execute queries.

This role lets the user log into Couchbase Server Web Console.

Role: Analytics Select (`analytics_select`)
Resource	Permissions	Restrictions
Servers	Can list servers.	Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.
Settings	Can view cluster settings	Cannot view other settings nor change any settings
Analytics	Can query analytics data in the buckets they have access to	Cannot add or drop Analytic scopes, links, or collections or change their settings

Analytics Manager

The Analytics Manager role lets the user manage and query the analytic datasets for one or more buckets. They can also manage Analytics Service local links. When you grant this role, you choose the buckets where the user can manage and query analytics.

This role lets the user log into Couchbase Server Web Console.

Role: Analytics Manager (`analytics_manager`)
Resource	Permissions	Restrictions
Servers	Can list servers.	Cannot view or edit server configuration or statistics. Cannot rebalance, failover, add, or remove servers.
Settings	Can view cluster settings	Cannot view other settings nor change any settings
Analytics	Can query analytics data in the buckets they have access to. Can manage analytics in these buckets, including local links and adding/dropping analytics collections.	Cannot manage analytics in other buckets

Eventing Roles

These roles control a user’s access to the Eventing Service. Also, see Eventing Full Admin for the Eventing-related administrator role. For more information about Eventing, see eventing:eventing-overview.adoc.

Eventing Manage Scope Functions

The Eventing Manage Scope Functions role lets the user manage the eventing functions in one or more scopes. When you grant this role, you choose the scopes where the user can manage eventing functions.

Note	In addition to this role, the user must have the Data DCP Reader on the collections they want their functions to listen to. They must also have read and write permissions on one or more collections to store the function’s event data.

This role lets the user log into Couchbase Server Web Console.

Role: Eventing Manage Scope Functions (`eventing_manage_functions`)
Resource	Permissions	Restrictions
Server	Can list servers	Cannot view server settings or statistics. Cannot edit server settings, failover, or rebalance servers.
Settings	Can view cluster settings	Cannot view other settings or change any settings
Eventing	Can add Eventing functions to a scope assigned to them. Can change eventing settings for the scopes.	None

XDCR Roles

The following roles give users the ability to manage XDCR settings and features.

XDCR Admin

The XDCR Admin role grants the user the ability to manage XDCR connections.

This role lets the user log into Couchbase Server Web Console.

Role: XDCR Admin (`replication_admin`)
Resource	Permissions	Restrictions
Servers	View configuration and statistics	Cannot add, failover, remove, modify services, or rebalance servers
Buckets	List buckets, scopes, and collections	Cannot create, drop, edit settings, read or write data
Backup	None	All
XDCR	All	None
Security	None	All
Settings	View	Change
Logs	View	Collect Information
Query	None	All
Search	None	All
Analytics	None	All
Eventing	None	All
Views	None	All

XDCR Inbound

The XDCR Inbound role lets the user create inbound XDCR streams for one or more buckets. When granting this role, you choose the buckets where the user can create inbound XDCR connections. Assign this role to the user that you’ll specify when creating an XDCR reference. See Create a Reference for more information.

Note	Versions of Couchbase Server prior to 5.5 called this role Replication Target.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: XDCR Inbound (`replication_target`)
XDCR	Can create inbound connections on buckets they have been granted permissions on.	Cannot create outbound connections or alter other XDCR settings.

Backup Roles

The following role gives users the ability to backup and restore data. Also see the Administrative role Backup Full Admin.

Data Backup & Restore

The Data Backup & Restore lets users back up and restore data in one or more buckets. When you grant this role, you choose the buckets the user can back up. This role is not intended for interactive users. Grant this role to users for applications that need to back up and restore data.

Note	This role does not let the user access some important cluster-level data, so it cannot fully backup the cluster. See Bucket Level in the backup-restore:cbbackupmgr-backup.adoc documentation for details.

This role does not let the user log into Couchbase Server Web Console.

Role: Data Backup & Restore (`data_backup`)
Resource	Permissions	Restrictions
Buckets	Can read, write, and manage buckets assigned to them.	None
Backup	Can backup bucket data, bucket {sqlpp} metadata, and analytics	Cannot backup other data
Security	Can view settings for SAML, certificates, encryption at rest, audits, and other settings	Cannot change settings
Indexes	Can build, create, and list	Cannot backup, read, or manage
Bucket Analytics	Can manage and select buvket analytics	Cannot read bucket analytics
Analytics	Can select and back up analytics	Cannot read analytics synonyms

Mobile Roles

The mobile roles support connections with the Sync Gateway and related features. See the Sync Gateway Introduction for more information.

Sync Gateway

The Sync Gateway role gives the user full access to the data Sync Gateway’s data stored in Couchbase Server. This role also lets the user manage indexes and read some cluster information. Only assign this role to the user that you create for the Sync Gateway to use when connecting to Couchbase Server. Choose one or more buckets that contain mobile data that you want this user to manage. See Configure Server for Sync Gateway for more information.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Sync Gateway (`mobile_sync_gateway`)
Sync Gateway Data	Can perform all actions on data (including flushing) and views on the Sync Gateway data stored in the Couchbase Server buckets you grant them access to. Can view settings of these buckets.	Cannot change bucket settings
Query	Can execute queries on data in buckets containing Sync Gateway data	None
Indexes	Add and drop indexes and view index statistics in the buckets containing Sync Gateway data	None.
Settings	View cluster settings	Cannot view any other settings or change settings

Sync Gateway Architect

The Sync Gateway Architect role lets the user manage Sync Gateway databases, users, and roles. You choose one or more collections, scopes, or buckets where the user can manage Sync Gateway data. This role also grants access to the Sync Gateway’s metrics via the /metrics REST API endpoint. For information about Sync Gateway users and roles, see Access Control Concepts.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Sync Gateway Architect (`sync_gateway_configurator`)
Sync Gateway Data	None	Cannot read or write Sync Gateway application data
Sync Gateway Users & Roles	Can add, remove, and edit Sync Gateway users and roles	None
Sync Gateway Metrics	Can read metrics	Cannot change metric settings

Sync Gateway Application

The Sync Gateway Application role lets the user manage Sync Gateway users, roles, and data. It also allows the user to read and write application data through the Sync Gateway. You choose one or more collections, scopes, or buckets where this user can manage mobile users and roles. For information about Sync Gateway users and roles, see Access Control Concepts.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Sync Gateway Application (`sync_gateway_app`)
Collection: Data	Can read and write application data	None
Sync Gateway Users & Roles	Can add, remove, and edit Sync Gateway users and roles	None

Sync Gateway Application Read Only

The Sync Gateway Application Read Only role lets the user read Sync Gateway users and role settings. It also lets them read Sync Gateway data. For information about Sync Gateway users and roles, see Access Control Concepts.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Sync Gateway Application Read Only (`sync_gateway_app_ro`)
Collection: Data	Can read application data	Cannot write application data
Sync Gateway Users & Roles	Can read Sync Gateway users and roles	Cannot add, drop, or edit users or roles

Sync Gateway Replicator

The Sync Gateway Replicator role lets the user manage Sync Gateway replications.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Sync Gateway Replicator (`sync_gateway_replicator`)
Sync Gateway Replication Collection	Can read and write replication settings	None

Sync Gateway Dev Ops

The Sync Gateway Dev Ops role lets the user manage the Sync Gateway’s node-level configuration. It also grants access to Sync Gateway’s /metrics endpoint for Prometheus integration.

This role does not let the user log into Couchbase Server Web Console.

Resource	Permissions	Restrictions
Role: Sync Gateway Dev Ops (`sync_gateway_dev_ops`)
Sync Gateway Node Configuration	Can read and write node-level settings	None
Sync Gateway Metrics	Can read metrics	Cannot change metric settings

Uh oh!

FilesExpand file tree

roles.adoc

Latest commit

History

roles.adoc

File metadata and controls

Roles

Roles and Privileges

Roles in Relation to Buckets

User Categories

Role Overviews

Administrative Roles

Full Admin

Read-Only Admin

Security Admin

Read-Only Security Admin

Local User Admin

External User Admin

Cluster Admin

Eventing Full Admin

Backup Full Admin

Views Admin

External Stats Reader

Application Telemetry Writer

Bucket Roles

Bucket Admin

Manage Scopes

Application Access

Data Roles

Data Reader

Data Writer

Data DCP Reader

Data Monitor

Views Roles

Views Reader

Query & Index Roles

Query CURL Access

Query System Catalog

Manage Global Functions

Execute Global Functions

Manage Scope Functions

Query Select

Query Update

Query Insert

Query Delete

Query Use Sequential Scans

Query Manage Index

Query List Index

Execute Scope Functions

Manage Global External Functions

Execute Global External Functions

Manage Scope External Functions

Execute Scope External Functions

Manage Sequences

Use Sequences

Query Manage System Catalog

Search Roles

Search Admin

Search Reader

Analytics Roles

Analytics Reader

Analytics Admin

Analytics Select

Analytics Manager

Eventing Roles

Eventing Manage Scope Functions

XDCR Roles

XDCR Admin

XDCR Inbound

Backup Roles

Data Backup & Restore

Mobile Roles

Sync Gateway

Sync Gateway Architect

Sync Gateway Application

Sync Gateway Application Read Only

Sync Gateway Replicator

Sync Gateway Dev Ops