Access management

YDB supports authentication by username and password.

Built-in groups

A YDB cluster has built-in groups, each carrying a predefined set of rights:

Group Description
ADMINS Unlimited rights for the entire cluster schema.
DATABASE-ADMINS Rights to create and delete databases (CreateDatabase, DropDatabase).
ACCESS-ADMINS Rights to manage rights of other users (GrantAccessRights).
DDL-ADMINS Rights to alter the database schema (CreateDirectory, CreateTable, WriteAttributes, AlterSchema, RemoveSchema).
DATA-WRITERS Rights to change data (UpdateRow, EraseRow).
DATA-READERS Rights to read data (SelectRow).
METADATA-READERS Rights to read metadata without accessing data (DescribeSchema and ReadAttributes).
USERS Rights to connect to databases (ConnectDatabase).

All users are added to the USERS group by default. The root user is added to the ADMINS group by default.

You can see how groups inherit permissions below. For example, the DATA-WRITERS group includes all the permissions from DATA-READERS:

[Diagram of group inheritance, listed from top to bottom: ADMINS, DATABASE-ADMINS, ACCESS-ADMINS, DDL-ADMINS, DATA-WRITERS, DATA-READERS, METADATA-READERS, USERS]

Manage groups

To create, update, or delete a group, use the YQL statements CREATE GROUP, ALTER GROUP, and DROP GROUP.

Note

When a built-in group is named in an ALTER GROUP statement, its name must be written in upper case. In addition, the names of built-in groups that contain the "-" character must be enclosed in backticks, for example:

ALTER GROUP `DATA-WRITERS` ADD USER myuser1;

Managing users

To create, update, or delete a user, use the YQL statements CREATE USER, ALTER USER, and DROP USER.
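The following YQL script is an added example that ties the group and user statements from both sections above together; it is not taken from the YDB documentation. It provisions two accounts with the least built-in group each needs, puts them in a custom group, and then rotates a password and retires one account. The user names (analyst1, etl_writer), the group name (reporting_team) and the placeholder passwords are hypothetical.

```sql
-- Added example (not from the YDB documentation); names and passwords are hypothetical.
-- Passwords are inlined only for illustration; in practice inject them from a secret store
-- rather than committing them to a script.
CREATE USER analyst1 PASSWORD 'Replace-Me-1';
CREATE USER etl_writer PASSWORD 'Replace-Me-2';

-- Every new user is already in USERS (ConnectDatabase). Grant only the additional
-- rights each account needs: DATA-READERS is enough for a read-only analyst.
-- Built-in group names are upper case and need backticks because of the "-".
ALTER GROUP `DATA-READERS` ADD USER analyst1;

-- DATA-WRITERS already includes the DATA-READERS permissions, so the ETL account
-- goes into DATA-WRITERS only; adding it to DATA-READERS as well would be redundant.
ALTER GROUP `DATA-WRITERS` ADD USER etl_writer;

-- A custom group (hypothetical name) created with an initial member, then extended.
CREATE GROUP reporting_team WITH USER analyst1;
ALTER GROUP reporting_team ADD USER etl_writer;

-- Credential rotation for an existing account.
ALTER USER analyst1 PASSWORD 'Replace-Me-3';

-- Retiring an account: remove its group memberships first so no grant is left
-- dangling, then drop the user; finally drop the custom group when it is no longer needed.
ALTER GROUP `DATA-WRITERS` DROP USER etl_writer;
ALTER GROUP reporting_team DROP USER etl_writer;
DROP USER etl_writer;
DROP GROUP reporting_team;
```

Membership in a built-in group is the only privilege granted here; nothing is added to ADMINS or ACCESS-ADMINS, so a compromised analyst or ETL credential cannot change the schema or alter other users' rights.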