CockroachDB Cloud Access Management (Authorization) Overview


This page covers the essential concepts related to access management (authorization) in CockroachDB Cloud. Procedures for managing access are covered in Managing Users, Roles, and Service Accounts in CockroachDB Cloud.

Overview of the CockroachDB Cloud authorization model

The CockroachDB Cloud console, found at https://cockroachlabs.cloud/, is a 'single pane of glass' for managing users, billing, and all functions for administering clusters in CockroachDB Cloud. When accessing the console, users must sign in to a CockroachDB Cloud organization (or create a new one).

You can also execute many administrative commands using the ccloud command-line utility and the CockroachDB Cloud API:

In CockroachDB Cloud, an organization corresponds to an authorization hierarchy linked to a billing account. Within each CockroachDB Cloud organization, the unit of database functionality is the CockroachDB cluster, which corresponds to a networked set of CockroachDB cluster nodes. SQL operations and data storage are distributed over a cluster. Every cluster belongs to an organization.

CockroachDB Cloud has a hierarchical authorization model, where roles can be assigned at different scopes:

  1. Organization: Each CockroachDB Cloud organization has a set of roles defined on it, which allow users to perform administrative tasks relating to the management of clusters, organization users, SQL users, and billing.
  2. Folder: roles can be assigned on folders. Role inheritance is transitive; a role granted on the organization or a folder is inherited by descendant resources.

    Tip:

    Organizing clusters using folders is available in Preview. To learn more, refer to Organize Clusters Using Folders.

  3. Cluster: Each CockroachDB cluster defines its own set of SQL users and roles which manage permission to execute SQL statements on the cluster.

The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function.

For the main pages covering users and roles at the SQL level within a specific database cluster, refer to:

Organization user roles

When a user or service account is first added to an organization, they are granted the default role, Org Member, which grants no permission and only indicates membership in the organization. Org or Cluster Administrators may edit the roles assigned to organization users in the CockroachDB Cloud console's Access Management page, or using the CockroachDB Cloud API or Terraform Provider.

Note:

The user who creates a new organization is assigned the following roles at the organization scope:

Any of these roles may subsequently be removed by a user with both the Org Administrator role and the Cluster Administrator role at the organization scope. This ensures that at least one user always holds both of these roles.

To learn more, refer to Manage organization users.

The following CockroachDB Cloud organization roles can be granted:

Organization Member

This default role is granted to all organization users when they are invited or provisioned. It grants no permissions to perform cluster or organization actions.

Org Administrator

Org Administrators can:

Org Administrators automatically receive email alerts about planned cluster maintenance and when CockroachDB Cloud detects that a cluster is overloaded or experiencing issues. In addition, Org Administrators can subscribe other members to the email alerts, and can configure how alerts work for the organization.

This role can be granted only at the scope of the organization.

Billing Coordinator

Users with this role in an organization can manage billing for that organization through the CockroachDB Cloud console billing page at https://cockroachlabs.cloud/billing/overview.

Cluster Operator

Cluster Operators can perform a variety of cluster functions:

This role can be considered a more restricted alternative to Cluster Administrator, as it grants all of the permissions of that role, except that it does not allow users to:

  • Manage cluster-scoped roles on organization users.
  • Manage SQL users from the cloud console.
  • Create or delete a cluster.

This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.

Cluster Administrator

Cluster Administrators can perform all of the Cluster Operator actions, as well as:

This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.

Cluster Creator

Cluster Creators can create clusters in an organization. A cluster's creator is automatically granted the Cluster Administrator role for that cluster upon creation.

This role can be granted at the scope of the organization or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.

Cluster Developer

Users with this role can view cluster details and access the DB Console, allowing them to export a connection string from the cluster page UI, although they will still need a Cluster Administrator to provision their SQL credentials for the cluster.

This role can be granted at the scope of the organization, on an individual cluster, or on a folder. If granted on a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.

Folder Admin

A Folder Admin can create, rename, move, or delete folders where they are granted the role, and can also manage access to these folders. This role can be granted at the level of the organization or on a specific folder. If granted at the level of the organization, the role grants the ability to view all users and service accounts in the organization. If granted on a specific folder, the role is inherited by descendant folders.

A user with the Org Administrator role can grant themselves, another user, or a service account the Folder Admin role.

To create or manage clusters in a folder, a Folder Admin also needs the Cluster Administrator or Cluster Creator role on that folder directly or by inheritance. To delete a cluster, the Cluster Administrator role is required on the cluster directly or by inheritance.

Folder Mover

A Folder Mover can rename or move descendant folders, and can move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters, and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster, such as Cluster Creator or Cluster Operator.

Note:
A cluster cannot be renamed.

A user with the Org Administrator or Folder Admin role can grant another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to grant themselves the Folder Mover role.
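The following is an added example, not code from Cockroach Labs or from this page, that models the hierarchy described above (organization, folders, clusters, transitive role inheritance) together with the scope rules given in the role descriptions: which scopes each role may be granted at, Cluster Operator as Cluster Administrator minus the three listed actions, Cluster Creator automatically receiving Cluster Administrator on a cluster it creates, and Folder Admin needing Cluster Creator or Cluster Administrator on a folder before it can create clusters there. The scopes for Billing Coordinator and Folder Mover, and the placeholder action name "operate cluster" standing in for the Cluster Operator function list not reproduced on this page, are assumptions; the example also does not model who is allowed to grant a role, only what a grant confers.

```python
"""Toy model of the CockroachDB Cloud role hierarchy described on this page.

Constructed illustration only; it is not Cockroach Labs' implementation and
does not model who is permitted to grant a role, only what a grant confers.
"""
from dataclasses import dataclass
from typing import Optional

ORG, FOLDER, CLUSTER = "organization", "folder", "cluster"

# Scopes at which each role may be granted, as stated in the role descriptions.
# Billing Coordinator and Folder Mover scopes are assumptions; the page does not
# spell them out.
ALLOWED_SCOPES = {
    "Org Administrator": {ORG},
    "Billing Coordinator": {ORG},                    # assumption
    "Cluster Operator": {ORG, FOLDER, CLUSTER},
    "Cluster Administrator": {ORG, FOLDER, CLUSTER},
    "Cluster Creator": {ORG, FOLDER},
    "Cluster Developer": {ORG, FOLDER, CLUSTER},
    "Folder Admin": {ORG, FOLDER},
    "Folder Mover": {ORG, FOLDER},                   # assumption
}

# Actions each role confers. "operate cluster" is a placeholder for the Cluster
# Operator function list, which this page does not reproduce; Cluster
# Administrator is Cluster Operator plus the three exclusions listed above.
ROLE_ACTIONS = {
    "Cluster Developer": {"view cluster", "access db console", "export connection string"},
    "Cluster Operator": {"operate cluster"},
    "Cluster Administrator": {"operate cluster", "manage cluster roles",
                              "manage sql users", "create cluster", "delete cluster"},
    "Cluster Creator": {"create cluster"},
    "Folder Mover": {"rename folder", "move folder", "move cluster"},
    "Folder Admin": {"create folder", "rename folder", "move folder", "delete folder",
                     "manage folder access", "move cluster"},
}


@dataclass
class Resource:
    name: str
    kind: str
    parent: Optional["Resource"] = None


class Organization:
    def __init__(self, name: str):
        self.resources = {name: Resource(name, ORG)}
        self.grants: set = set()   # (principal, role, resource name)

    def add(self, name: str, kind: str, parent: str) -> Resource:
        res = Resource(name, kind, self.resources[parent])
        self.resources[name] = res
        return res

    def grant(self, principal: str, role: str, resource: str) -> None:
        # Reject grants at a scope the role does not support (e.g. Org Administrator on a folder).
        kind = self.resources[resource].kind
        if kind not in ALLOWED_SCOPES[role]:
            raise ValueError(f"{role} cannot be granted at {kind} scope ({resource})")
        self.grants.add((principal, role, resource))

    def effective_roles(self, principal: str, resource: str) -> set:
        """Roles held on `resource` directly or inherited from any ancestor.
        Inheritance is transitive: organization -> folder -> subfolder -> cluster."""
        roles = set()
        node = self.resources[resource]
        while node is not None:
            roles |= {r for p, r, res in self.grants if p == principal and res == node.name}
            node = node.parent
        return roles

    def can(self, principal: str, action: str, resource: str) -> bool:
        return any(action in ROLE_ACTIONS.get(r, ()) for r in self.effective_roles(principal, resource))

    def create_cluster(self, principal: str, name: str, parent: str) -> Resource:
        """Creating a cluster needs 'create cluster' on the parent (Cluster Creator or
        Cluster Administrator there, directly or inherited); the creator is then
        automatically given Cluster Administrator on the new cluster."""
        if not self.can(principal, "create cluster", parent):
            raise PermissionError(f"{principal} may not create clusters in {parent}")
        cluster = self.add(name, CLUSTER, parent)
        self.grant(principal, "Cluster Administrator", name)
        return cluster


def demo() -> dict:
    org = Organization("acme")                      # constructed sample hierarchy
    org.add("prod", FOLDER, "acme")
    org.add("prod-eu", FOLDER, "prod")
    org.add("c1", CLUSTER, "prod-eu")
    org.grant("alice", "Cluster Operator", "prod")  # inherited by prod-eu and c1
    org.grant("bob", "Cluster Creator", "acme")
    org.grant("carol", "Folder Admin", "prod")
    org.create_cluster("bob", "c2", "prod")         # bob becomes Cluster Administrator on c2
    try:
        org.grant("dave", "Org Administrator", "prod")
        bad_grant_rejected = False
    except ValueError:
        bad_grant_rejected = True
    return {
        "alice_roles_on_c1": org.effective_roles("alice", "c1"),
        "alice_can_operate_c1": org.can("alice", "operate cluster", "c1"),
        "alice_can_delete_c1": org.can("alice", "delete cluster", "c1"),
        "bob_can_delete_c2": org.can("bob", "delete cluster", "c2"),
        "bob_can_delete_c1": org.can("bob", "delete cluster", "c1"),
        "carol_can_create_in_prod": org.can("carol", "create cluster", "prod"),
        "carol_can_move_c1": org.can("carol", "move cluster", "c1"),
        "org_admin_on_folder_rejected": bad_grant_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the three properties worth checking when reviewing a role assignment: a role granted on a folder is visible on every cluster beneath it, no matter how deep; a Cluster Creator ends up with Cluster Administrator only on the clusters it created; and a Folder Admin alone cannot create clusters in its folder.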

Service accounts

Service accounts authenticate with API keys to the CockroachDB Cloud API, rather than to the CockroachDB Cloud Console UI.

Service accounts operate under a unified authorization model with organization users, and can be assigned all of the same organization roles as users, but note that some actions are available in the console but not the API, or vice versa (for example, in the Cluster Operator role).

Refer to Manage Service Accounts.

Cluster roles for organization users using Cluster SSO

Cluster Single Sign-On (SSO) for CockroachDB Cloud allows authorized organization users to directly access clusters within the organization via ccloud, the CockroachDB Cloud command line interface.

However, because organization users and cluster SQL users are logically separate, a corresponding SQL user must be created for each SSO organization user, on each particular cluster.

This correspondence lies in the SQL user name, which must be in the format sso_{email_name}. Replace {email_name} with the portion of the user's email address before @. For example, the SQL username of a user with the email address docs@cockroachlabs.com is sso_docs. If the role is not set up correctly, ccloud prompts you to create or add it. Only a SQL admin can manage SQL users.
