= couchbase-cli-user-manage(1)
ifndef::doctype-manpage[:doctitle: user-manage]

ifdef::doctype-manpage[]
== NAME

couchbase-cli-user-manage -
endif::[]
Manage RBAC users

== SYNOPSIS

[verse]
_couchbase-cli user-manage_ [--cluster <url>] [--username <user>]
    [--password <password>] [--delete] [--list] [--my-roles] [--set]
    [--rbac-username <username>] [--rbac-password <password>]
    [--rbac-name <name>] [--roles <roles_list>] [--auth-domain <domain>]

== DESCRIPTION

This command allows administrators to assign roles to the users in their
organization and to manage those users. Users can either be managed locally by
Couchbase or externally through the use of an external domain.

== OPTIONS

include::{partialsdir}/cbcli/part-common-options.adoc[]

--delete::
  Deletes an RBAC user profile from the cluster. You must have full
  administrator privileges in order to delete a user profile.

--list::
  Lists all RBAC user profiles in the cluster and shows their roles. You must
  have full administrator privileges in order to list all user profiles.

--my-roles::
  Shows the RBAC user profile of the user running the command.

--set::
  Creates or updates an RBAC user profile. You must have full administrator
  privileges in order to create or update a user profile.

--rbac-username <username>::
  Specifies the username of the RBAC user to modify. This option is used when
  deleting, creating, or updating an RBAC user profile.

--rbac-password <password>::
  Specifies the password to be used for an RBAC user profile. This option is
  used only when creating or updating a _local_ RBAC user profile. Couchbase
  does not store passwords for _external_ RBAC user profiles.

--rbac-name <name>::
  Specifies the name to be used for an RBAC user profile. This option is used
  when creating or updating an RBAC user profile and it is recommended that
  this option be set to the user's full name.

--roles <roles_list>::
  Specifies the roles to be given to an RBAC user profile. This option is used
  when creating or updating an RBAC user profile and it is specified as a
  comma-separated list of roles. See the ROLES section for more details on the
  available roles in Couchbase.

--auth-domain <domain>::
  Specifies the authentication domain to use for an RBAC user profile. This
  option is used when deleting, creating or updating an RBAC user profile and
  may be set to either _local_ or _external_. Local users are users that are
  managed directly by the Couchbase cluster. External users are users managed
  by an external source such as LDAP.

include::{partialsdir}/cbcli/part-host-formats.adoc[]

=== ROLES

.Cluster-Wide Roles:

admin::
  Gives the user permission to manage all Couchbase configuration settings,
  and to read and write all data in the cluster. This user can make changes to
  anything in the cluster.

bucket_admin[...]::
  Gives the user permission to manage bucket settings. This role can be
  assigned globally to all buckets or to a particular bucket. For XDCR
  operations, the user can start/stop replication for the buckets they
  administer, but they cannot set up the XDCR cluster references. To give
  a user the ability to manage all bucket settings set their role to
  bucket_admin[*]. To give the user permission to manage bucket settings on a
  single bucket named _default_ then specify the role as
  bucket_admin[default]. If the user needs to manage multiple buckets, for
  example _default_ and _app_, then set the role as
  bucket_admin[default],bucket_admin[app].

cluster_admin::
  Gives the user permission to read, write and manage all cluster-level
  settings except security.

replication_admin::
  Allows the user to configure XDCR topology and manage XDCR replications.

ro_admin::
  Gives the user read-only access; the user cannot make any changes to the
  system. This user has read-only access to the cluster overview, design
  documents (without the ability to create or query views), bucket summaries
  (without the ability to create or view documents), XDCR cluster references,
  XDCR replications, and cluster settings.

views_admin[...]::
  Gives the user privileges to define views and then run these views on data
  to ensure that the views are defined properly. This applies both to
  map-reduce and spatial views. To give a user the ability to manage views on
  all buckets set their role to views_admin[*]. To give the user permission to
  manage views on a single bucket named _default_ then specify the role as
  views_admin[default]. If the user needs to manage views for multiple
  buckets, for example _default_ and _app_, then set the role as
  views_admin[default],views_admin[app].

.Data Service Roles:

data_reader[...]::
  Gives the user permission to read data through Couchbase's key-value APIs.
  To give a user read-only access for all buckets set their role to
  data_reader[*]. To give the user read-only access to data on a single
  bucket named _default_ then specify their role as data_reader[default].
  If the user needs read-only access to data for multiple buckets, for example
  _default_ and _app_, then set their role as
  data_reader[default],data_reader[app].

data_reader_writer[...]::
  Gives the user permission to read and write data through Couchbase's
  key-value APIs. The user cannot, however, modify the settings of a bucket.
  To give a user read-write access for all buckets set their role to
  data_reader_writer[*]. To give the user read-write access to data on a
  single bucket named _default_ then specify their role as
  data_reader_writer[default]. If the user needs read-write access to data
  for multiple buckets, for example _default_ and _app_, then set their role
  as data_reader_writer[default],data_reader_writer[app].

data_dcp_reader[...]::
  Gives the user permission to create Couchbase DCP connections. To give a
  user the ability to create DCP connections for all buckets set their role to
  data_dcp_reader[*]. To give the user the ability to create DCP connections
  on a single bucket named _default_ then specify their role as
  data_dcp_reader[default]. If the user needs to be able to create DCP
  connections for multiple buckets, for example _default_ and _app_, then set
  their role as data_dcp_reader[default],data_dcp_reader[app].

data_backup[...]::
  Gives the user permission to back up and restore data in Couchbase. To give
  a user the ability to back up and restore data for all buckets set their
  role to data_backup[*]. To give the user the ability to back up and restore
  data on a single bucket named _default_ then specify their role as
  data_backup[default]. If the user needs to be able to back up and restore
  data for multiple buckets, for example _default_ and _app_, then set their
  role as data_backup[default],data_backup[app].

data_monitoring[...]::
  Gives the user permission to read monitoring data related to the data
  service in Couchbase. To give a user the ability to monitor data for all
  buckets set their role to data_monitoring[*]. To give the user the ability
  to monitor data on a single bucket named _default_ then specify their role
  as data_monitoring[default]. If the user needs to be able to monitor data
  for multiple buckets, for example _default_ and _app_, then set their role
  as data_monitoring[default],data_monitoring[app].

.Full Text Service Roles:

fts_admin[...]::
  Gives the user full administrator access for the Full Text Indexing service
  for the specified buckets. To give a user full administrator access for FTS
  on all buckets set their role to fts_admin[*]. To give the user full
  administrator access for FTS on a single bucket named _default_ then specify
  their role as fts_admin[default]. If the user needs full administrator
  access for FTS for multiple buckets, for example _default_ and _app_, then
  set their role as fts_admin[default],fts_admin[app].

fts_searcher[...]::
  Allows the user to query full text indexes for the specified buckets. To
  give a user the ability to query full text indexes on all buckets set their
  role to fts_searcher[*]. To give the user the ability to query FTS indexes
  on a single bucket named _default_ then specify their role as
  fts_searcher[default]. If the user needs to query FTS indexes on multiple
  buckets, for example _default_ and _app_, then set their role as
  fts_searcher[default],fts_searcher[app].

.Query Service Roles:

manage_index[...]::
  Allows the user to create and delete indexes on the specified buckets. To
  give a user the ability to create and delete indexes on all buckets set
  their role to manage_index[*]. To give the user permission to create and
  delete indexes on a single bucket named _default_ then specify their role
  as manage_index[default]. If the user needs to create and delete indexes
  for multiple buckets, for example _default_ and _app_, then set their role
  as manage_index[default],manage_index[app].

query_delete[...]::
  Allows the user to execute DELETE query statements on the specified buckets.
  To give a user the ability to execute DELETE statements on all buckets set
  their role to query_delete[*]. To give the user permission to execute
  DELETE statements on a single bucket named _default_ then specify their role
  as query_delete[default]. If the user needs to execute DELETE statements
  for multiple buckets, for example _default_ and _app_, then set their role
  as query_delete[default],query_delete[app].

query_insert[...]::
  Allows the user to execute INSERT query statements on the specified buckets.
  To give a user the ability to execute INSERT statements on all buckets set
  their role to query_insert[*]. To give the user permission to execute
  INSERT statements on a single bucket named _default_ then specify their role
  as query_insert[default]. If the user needs to execute INSERT statements
  for multiple buckets, for example _default_ and _app_, then set their role
  as query_insert[default],query_insert[app].

query_select[...]::
  Allows the user to execute SELECT query statements on the specified buckets.
  To give a user the ability to execute SELECT statements on all buckets set
  their role to query_select[*]. To give the user permission to execute
  SELECT statements on a single bucket named _default_ then specify their role
  as query_select[default]. If the user needs to execute SELECT statements
  for multiple buckets, for example _default_ and _app_, then set their role
  as query_select[default],query_select[app].

query_update[...]::
  Allows the user to execute UPDATE query statements on the specified buckets.
  To give a user the ability to execute UPDATE statements on all buckets set
  their role to query_update[*]. To give the user permission to execute
  UPDATE statements on a single bucket named _default_ then specify their role
  as query_update[default]. If the user needs to execute UPDATE statements
  for multiple buckets, for example _default_ and _app_, then set their role
  as query_update[default],query_update[app].

system_catalog[...]::
  Allows the user to run queries against the system catalog on the specified
  buckets. To give a user the ability to run queries against the system
  catalog on all buckets set their role to system_catalog[*]. To give the user
  permission to run queries against the system catalog on a single bucket
  named _default_ then specify their role as system_catalog[default]. If the
  user needs to run queries against the system catalog for multiple
  buckets, for example _default_ and _app_, then set their role as
  system_catalog[default],system_catalog[app].
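
The bucket-scoped `role[bucket]` syntax and the comma-separated roles list
described in the ROLES section above are easy to get wrong by hand (a mistyped
role name or bucket qualifier). The following POSIX shell helper is an added
example, not part of couchbase-cli or of this manual page: it builds a
`--roles` value from a role name and a list of buckets, and rejects anything
that is not one of the role names listed on this page. The role tables, the
allowed bucket-name characters and the `demo` invocation are assumptions made
for the example; the role names themselves are the ones documented above.

```shell
#!/bin/sh
# Added example (not part of couchbase-cli): assemble and validate a
# --roles list for `couchbase-cli user-manage` from the roles documented
# in the ROLES section. Everything below is constructed for illustration.

# Bucket-scoped roles (the "[...]" roles on this page).
SCOPED_ROLES="bucket_admin views_admin data_reader data_reader_writer \
data_dcp_reader data_backup data_monitoring fts_admin fts_searcher \
manage_index query_delete query_insert query_select query_update system_catalog"
# Cluster-wide roles that take no bucket qualifier.
GLOBAL_ROLES="admin cluster_admin replication_admin ro_admin"

# is_in WORD LIST -> returns 0 if WORD is one of the words in LIST.
is_in() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# scoped_role ROLE BUCKET... -> prints "ROLE[b1],ROLE[b2],...".
# Returns 1 and prints nothing if ROLE is not a bucket-scoped role, if no
# bucket is given, or if a bucket name contains characters outside the set
# Couchbase accepts in bucket names (assumption: A-Z a-z 0-9 _ . % -), so a
# typo such as "bucket[default]" is caught before it reaches the CLI.
scoped_role() {
    [ $# -ge 1 ] || return 1
    role=$1; shift
    is_in "$role" "$SCOPED_ROLES" || return 1
    [ $# -gt 0 ] || return 1
    out=""
    for b in "$@"; do
        case $b in
            '*') ;;                               # wildcard: all buckets
            ''|*[!A-Za-z0-9._%-]*) return 1 ;;    # empty or unexpected chars
        esac
        out="${out:+$out,}$role[$b]"
    done
    printf '%s\n' "$out"
}

# global_role ROLE -> prints ROLE if it is a documented cluster-wide role.
global_role() {
    is_in "$1" "$GLOBAL_ROLES" || return 1
    printf '%s\n' "$1"
}

# join_roles EXPR... -> comma-joins already validated role expressions into
# the value expected by --roles.
join_roles() {
    out=""
    for r in "$@"; do
        out="${out:+$out,}$r"
    done
    printf '%s\n' "$out"
}

# Demo (run as `sh this_script.sh demo`): a local user that may read and
# write the default and app buckets and run SELECT on app, and nothing else.
# The command is printed rather than executed; host and credentials are the
# placeholders used elsewhere in this manual page.
if [ "${1:-}" = "demo" ]; then
    rw=$(scoped_role data_reader_writer default app) || exit 1
    sel=$(scoped_role query_select app) || exit 1
    roles=$(join_roles "$rw" "$sel")
    printf 'couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator -p password --set \\\n'
    printf '  --rbac-username jdoe --rbac-name "John Doe" --roles %s --auth-domain local\n' "$roles"
fi
```

The helper fails closed: an unknown role, a missing bucket qualifier on a
scoped role, or a bucket qualifier on a cluster-wide role yields no output and
a non-zero status, so a wrapper script never passes a malformed or
unintended roles list to `--set`.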

== EXAMPLES

To create a local RBAC user profile for a user named "John Doe" with username
jdoe and password cbpass, with roles to manage the _default_ bucket and all
XDCR replication, run the following command:

  $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
   -p password --set --rbac-username jdoe --rbac-password cbpass \
   --rbac-name "John Doe" --roles bucket_admin[default],replication_admin \
   --auth-domain local

If you have an external user source set up in your cluster and you want to add
a user "John Doe" with username jdoe who should have the ability to manage only
views for all buckets, run the following command:

  $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
   -p password --set --rbac-username jdoe --rbac-name "John Doe" \
   --roles views_admin[*] --auth-domain external

To list the current RBAC user profiles, run the following command:

  $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
   -p password --list

To delete an external user named jdoe, run the following command:

  $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
   -p password --delete --rbac-username jdoe --auth-domain external

To delete a local user named jdoe, run the following command:

  $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
   -p password --delete --rbac-username jdoe --auth-domain local

To see the user profile for a user with the username jdoe and password cbpass,
run the following command:

  $ couchbase-cli user-manage -c 127.0.0.1:8091 -u jdoe -p cbpass \
   --my-roles

== ENVIRONMENT AND CONFIGURATION VARIABLES

include::{partialsdir}/cbcli/part-common-env.adoc[]

== SEE ALSO

man:couchbase-cli-setting-ldap[1]

include::{partialsdir}/cbcli/part-footer.adoc[]
