Internal Roles

The Couchbase Full Administrator can set up the internal Read-Only Administrator role.

Setting up the Read-Only Administrator does not require LDAP authentication to be enabled. The Couchbase Full Administrator can create this role using the Couchbase Web Console and the REST API.

Read-Only Administrator

The Read-Only Administrator in Couchbase has read-only access and cannot make any changes to the system, nor can it access N1QL. The user can only view existing servers, buckets, and views, and monitor stats.

The Read-Only Administrator can view the following:

  • Cluster Overview
  • Design documents and view definitions but cannot query views.
  • List of XDCR replications and remote clusters.
  • Logged events under the Log tab but the user cannot Generate Diagnostic Report.
  • Settings for a cluster.

The Read-Only Administrator cannot perform these tasks:

  • Create or edit buckets
  • Add nodes to clusters
  • Change XDCR settings
  • Create views or see any stored data.
  • Any REST API calls which require administrator privileges will fail and return an error for this user.
    The server sends an HTTP 401 error if an unauthorized user performs a REST POST or DELETE request that changes cluster, bucket, XDCR, or node settings:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Basic realm="Couchbase Server Admin / REST"
    ....
  • All SDKs require that a client connects with bucket-level credentials. Therefore, the Read-Only Administrator cannot set up a Couchbase SDK to connect to the server.
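The 401 behaviour above can be checked after the role is provisioned. The following is an added example, not Couchbase's own code: `audit` sends a POST and a DELETE with the account's credentials and returns every probe that was not rejected with 401 and a Basic challenge. The probe paths, the placeholder bucket name and the `StubNode` stand-in server are assumptions introduced here.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed probe targets (not from the page), chosen so that a parameterless POST
# and a DELETE of a placeholder name should change nothing even if allowed.
PROBES = [("POST", "/pools/default/buckets"),
          ("DELETE", "/pools/default/buckets/PLACEHOLDER_NO_SUCH_BUCKET")]
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def write_denied(base_url, user, password, method, path):
    """True only for HTTP 401 carrying a Basic WWW-Authenticate challenge."""
    body = b"" if method == "POST" else None
    req = urllib.request.Request(base_url + path, data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        OPENER.open(req, timeout=5).close()
    except urllib.error.HTTPError as err:
        challenge = err.headers.get("WWW-Authenticate", "")
        return err.code == 401 and challenge.startswith("Basic")
    return False  # 2xx: the account was allowed to write

def audit(base_url, user, password):
    """Probes that were NOT rejected with 401; an empty list is the expected result."""
    return [p for p in PROBES if not write_denied(base_url, user, password, *p)]

class StubNode(BaseHTTPRequestHandler):
    """Constructed stand-in for a node: only the user 'admin' may write."""
    def _write(self):
        auth = self.headers.get("Authorization", "")
        user = base64.b64decode(auth[6:]).decode().split(":")[0]
        if user == "admin":
            self.send_response(400)  # authorized, but the request has no parameters
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate",
                             'Basic realm="Couchbase Server Admin / REST"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_POST = do_DELETE = _write
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubNode)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"
```

Any response other than 401 (including 400 or 404) is reported, because it means the request passed the authorization check.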

Add a Read-Only Administrator via UI

To assign the Read-Only Administrator's role to a user:
  1. Select Security > Internal User/Roles.
  2. In the dialog box, enter the Read-Only Administrator's credentials: username and password.
  3. Click on Create to create the user.