This page covers the essential concepts related to access management (authorization) in CockroachDB Cloud. Procedures for managing access are covered in Managing Users, Roles, and Service Accounts in CockroachDB Cloud.
Overview of the CockroachDB Cloud authorization model
The CockroachDB Cloud console, found at https://cockroachlabs.cloud/, is a 'single pane of glass' for managing users, billing, and all functions for administering clusters in CockroachDB Cloud. When accessing the console, users must sign in to a CockroachDB Cloud organization (or create a new one).
You can also execute many administrative commands using the ccloud command-line utility and the CockroachDB Cloud API:
- ccloud allows human users to authenticate their terminal via a browser token from the CockroachDB Cloud console.
- The CockroachDB Cloud API allows service accounts to authenticate via API keys, which are issued through the console.
- You can use Terraform to provision users and other aspects of your CockroachDB Cloud clusters. However, note that currently Terraform can only be used to provision admin SQL users, as this is a current limitation of the API, on which Terraform depends.
In CockroachDB Cloud, an organization corresponds to an authorization hierarchy linked to a billing account. Within each CockroachDB Cloud organization, the unit of database functionality is the CockroachDB cluster, which corresponds to a networked set of CockroachDB cluster nodes. SQL operations and data storage are distributed over a cluster. Every cluster belongs to an organization.
CockroachDB Cloud has a hierarchical authorization model, where roles can be assigned at different scopes:
- Organization: A CockroachDB Cloud organization assigns permissions based on roles assigned to a Cloud Console user account, which allow these accounts to perform administrative tasks relating to the management of clusters, Console user management, SQL user management, and billing.
- Folder: Cloud Console roles can be assigned to a folder containing a group of clusters. Role inheritance is transitive; a role applied at the organization or folder scope is inherited by descendant resources.
Tip: Organizing clusters using folders is available in Preview. To learn more, refer to Organize Clusters Using Folders.
- Cluster: Each CockroachDB cluster defines its own set of SQL users and SQL user roles, which manage permission to execute SQL statements on the cluster.
The levels within the hierarchy intersect, because administering SQL-level users on specific clusters within an organization is an organization-level function.
SQL users are assigned a distinct set of roles and privileges that are specific to data management on the cluster, independent of the Cloud Console roles and privileges described on this page. For the main pages covering users and roles at the SQL level within a specific database cluster, refer to the main Authorization in CockroachDB documentation.
Organization user roles
When a user or service account is first added to an organization, they are granted the default Console role, Organization Member, which adds no permissions and only indicates membership in the organization. Users with the Organization or Cluster Admin role may edit the roles assigned to organization users in the CockroachDB Cloud Console's Access Management page, or using the CockroachDB Cloud API or Terraform Provider.
The user who creates a new organization is assigned the following roles at the organization scope:
Any of these roles may subsequently be removed by a user with both the Organization Admin role and the Cluster Admin role at the organization scope. This is to ensure that at least one user has both of these roles.
To learn more, refer to Manage organization users.
The following table describes the high-level permissions granted to each CockroachDB Cloud user role. Permissions are additive, so a user with multiple roles that grant different permissions is granted the highest level of privilege given by any of their assigned roles.
Role name | User management | Billing management | Cluster management | Database management | Monitoring & observability | Security & access | Backup & restore | Folder management | Other permissions |
---|---|---|---|---|---|---|---|---|---|
Organization Member | None | None | None | None | None | None | None | None | None |
Organization Admin | Manage users and service accounts, grant and revoke roles | None | None | None | None | None | None | None | Manage email alerts (maintenance/issues) |
Billing Coordinator | None | Manage billing | None | None | None | None | None | None | None |
Cluster Operator | None | None | Scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights / logs / jobs | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None | Access DB console, configure maintenance windows, send test alerts |
Cluster Admin | Manage SQL users, manage service accounts, grant user roles | None | Create / edit / delete cluster, scale nodes, upgrade CockroachDB | Manage databases | View metrics / insights | Manage network auth, configure SQL SSO, view PCI status | View / restore backups | None, unless role is granted with organization scope | Access DB console, configure maintenance windows |
Cluster Creator | None | None | Create cluster (grants Cluster Admin role for that cluster), edit / delete clusters created by this user | None | None | None, unless role is granted with organization scope | None | None, unless role is granted with organization scope | None |
Cluster Developer | None | None | None | None | None | None | None | None | Access DB console, view cluster details |
Folder Admin | Assign roles to folders | None | None | None | None | None | None | Create / delete / manage folders | None |
Folder Mover | None | None | Move cluster between folders | None | None | None | None | None | None |
Some roles can be assigned to users at specific levels of scope to provide more granular permission control:
Scope level | Description | Applicable roles |
---|---|---|
Organization | Applies to the entire CockroachDB Cloud organization, including all clusters and folders | Cluster Admin, Cluster Creator, Billing Coordinator, Organization Admin, Folder Admin, Folder Mover |
Folder | Applies to clusters within a specific folder. Only available as a selectable scope if folders have been created within the organization by a user with the Folder Admin role | Cluster Creator, Cluster Admin, Folder Admin, Folder Mover |
Cluster | Applies to a specific cluster | Cluster Admin, Cluster Operator, Cluster Developer |
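The scope model above (organization, folder, cluster), transitive inheritance down the tree, and additive permissions are easy to get wrong when auditing who can actually reach a cluster. The following is an added illustration, not Cockroach Labs code: it models those rules so you can resolve a principal's effective Console roles on a cluster and reject grants at scopes the page says a role cannot take. The folder and cluster names, the grants, and the `Grant` type are constructed for the example.

```python
from dataclasses import dataclass

# Scopes at which each Console role may be assigned, per the role descriptions on this page.
ASSIGNABLE_AT = {
    "Organization Admin": {"organization"},
    "Billing Coordinator": {"organization"},
    "Cluster Admin": {"organization", "folder", "cluster"},
    "Cluster Operator": {"organization", "folder", "cluster"},
    "Cluster Developer": {"organization", "folder", "cluster"},
    "Cluster Creator": {"organization", "folder"},
    "Folder Admin": {"organization", "folder"},
    "Folder Mover": {"organization", "folder"},
}

# Constructed resource tree (child -> parent): folders nest, clusters are leaves.
FOLDERS = {"prod": "organization", "prod-eu": "prod"}
CLUSTERS = {"payments-db": "prod-eu", "sandbox-db": "organization"}
SCOPE_KIND = {"organization": "organization",
              **{f: "folder" for f in FOLDERS}, **{c: "cluster" for c in CLUSTERS}}


@dataclass(frozen=True)
class Grant:
    principal: str  # user or service account
    role: str
    scope: str      # "organization", a folder name, or a cluster name


def is_valid_grant(grant: Grant) -> bool:
    """False for assignments the Console would not offer, e.g. Cluster Creator on a cluster."""
    return SCOPE_KIND[grant.scope] in ASSIGNABLE_AT[grant.role]


def lineage(cluster: str) -> list[str]:
    """The cluster, each enclosing folder, then the organization (innermost first)."""
    chain, node = [cluster], CLUSTERS[cluster]
    while node != "organization":
        chain.append(node)
        node = FOLDERS[node]
    return chain + ["organization"]


def effective_roles(grants: list[Grant], principal: str, cluster: str) -> set[str]:
    """Roles that reach the cluster directly or by inheritance; permissions are additive."""
    reachable = set(lineage(cluster))
    return {g.role for g in grants if g.principal == principal and g.scope in reachable}


def can_delete_cluster(grants: list[Grant], principal: str, cluster: str) -> bool:
    """Deleting a cluster needs Cluster Admin on it, directly or by inheritance."""
    return "Cluster Admin" in effective_roles(grants, principal, cluster)
```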
The following sections describe the available CockroachDB Cloud Console roles in more detail:
Organization Member
The Organization Member role is assigned by default to all organization users when they are invited or provisioned. This role grants no additional permissions.
Organization Admin
The Organization Admin role allows users to perform the following actions:
- Invite users to join that organization.
- Create service accounts.
- Grant and revoke Cloud Console roles for both users and service accounts.
Organization Admins automatically receive email alerts about planned cluster maintenance and when CockroachDB Cloud detects that a cluster is overloaded or experiencing issues. In addition, Organization Admins can subscribe other members to the email alerts, and configure how alerts work for the organization.
This role can be assigned only at the organization scope.
Billing Coordinator
The Billing Coordinator role allows users to manage billing for that organization through the CockroachDB Cloud console billing page at https://cockroachlabs.cloud/billing/overview.
Cluster Operator
The actions the Cluster Operator role allows depend on whether it is assigned to a user or a service account.
Users with this role can perform the following console operations:
- View a cluster's Overview page, which displays its configuration, attributes and statistics, including cloud provider, region topography, and available and maximum storage and request units.
- Manage a cluster's databases from the Databases Page.
- Scale a cluster's nodes.
- View and configure a cluster's authorized networks from the Networking Page.
- Manage network authorization for a cluster.
- View backups in a cluster's Backup and Restore Page.
- Restore a cluster from a backup.
- View a cluster's Jobs from the Jobs page.
- View a cluster's Metrics from the Metrics page.
- View a cluster's Insights from the Insights page.
- Upgrade a cluster's major version of CockroachDB.
- View a cluster's PCI-readiness status (Advanced clusters with Security add-on only).
- Send a test alert from the Alerts Page.
- Configure single sign-on (SSO) enforcement.
- Access the DB Console.
- Configure a cluster's maintenance window.
- Edit a cluster's labels.
Service accounts with this role can perform the following API operations:
This role can be considered a more restricted alternative to Cluster Admin, as it grants all of the permissions of that role but does not allow users to:
- Manage cluster-scoped roles on organization users.
- Manage SQL users from the cloud console.
- Create or delete a cluster.
This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, the role is inherited on the folder's clusters, descendant folders, and their descendants.
Cluster Admin
The Cluster Admin role allows users to perform all Cluster Operator actions, as well as the following:
- Provision SQL users for a cluster using the console.
- Create Service Accounts.
- Edit cluster-scope role assignments (specifically, the Cluster Admin, Cluster Operator, and Cluster Developer roles) on users, and service accounts.
- Edit or delete a cluster.
- Cluster Admins for the whole organization (rather than scoped to a single cluster) can create new clusters.
- Access the DB Console.
- Configure a cluster's maintenance window.
This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.
Cluster Creator
The Cluster Creator role allows users to create clusters in an organization. A cluster's creator is automatically assigned the Cluster Admin role for that cluster upon creation.
This role can be assigned at the scope of the organization or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.
Cluster Developer
The Cluster Developer role allows users to view cluster details and access the DB Console, allowing them to export a connection string from the cluster page UI, although they will still need a Cluster Admin to provision their SQL credentials for the cluster.
This role can be assigned at the scope of the organization, on an individual cluster, or on a folder. If assigned to a folder, it is inherited on the folder's clusters, descendant folders, and their descendants.
Folder Admin
The Folder Admin role allows users to create, rename, move, delete, and manage access to folders where they are assigned the role. Users can also edit folder labels. This role can be assigned at the level of the organization or on a specific folder. If assigned at the level of the organization, the role allows users to view all users and service accounts in the organization. If assigned to a specific folder, the role is inherited by descendant folders.
A user with the Organization Admin role can assign themselves, another user, or a service account the Folder Admin role.
To create or manage clusters in a folder, a Folder Admin also needs the Cluster Admin or Cluster Creator role on that folder directly or by inheritance. To delete a cluster, the Cluster Admin role is required on the cluster directly or by inheritance.
Folder Mover
The Folder Mover role allows users to rename or move descendant folders, and move clusters within the folder hierarchy where they have the role. However, a Folder Mover cannot create or delete folders or clusters and cannot assign roles. A Folder Mover can move clusters within the folder hierarchy even if they do not have a role that allows them to connect to the cluster (such as Cluster Creator or Cluster Operator).
A user with the Organization Admin or Folder Admin role can assign another user or a service account the Folder Mover role. Because the Folder Admin role is a superset of Folder Mover, there is no need for a Folder Admin to assign themselves the Folder Mover role.
Service accounts
Service accounts authenticate with API keys to the CockroachDB Cloud API, rather than to the CockroachDB Cloud Console UI.
Service accounts operate under a unified authorization model with organization users, and can be assigned all of the same roles as users, but note that some actions are available in the console but not the API, or vice versa (for example, in the Cluster Operator role).
Refer to Manage Service Accounts.
Cluster roles for organization users using Cluster SSO
Cluster Single Sign-On (SSO) for CockroachDB Cloud allows authorized organization users to directly access clusters within the organization via ccloud, the CockroachDB Cloud command line interface.
However, because organization users and cluster SQL users are logically separate, a corresponding SQL user must be created for each SSO organization user, on each particular cluster.
This correspondence lies in the SQL user name, which must be in the format sso_{email_name}. Replace {email_name} with the portion of the user's email address before @. For example, the SQL username of a user with the email address docs@cockroachlabs.com is sso_docs. If the role is not set up correctly, ccloud prompts you to create or add it. Only an SQL admin can manage SQL users.