External Roles

The Full Administrator can configure other Couchbase administrators when LDAP authentication is enabled.

Since the Couchbase Web Console can only read the LDAP database (and cannot write to it), all external administrators must be created on the LDAP server. After the user IDs of these administrators have been defined, they can be mapped to Couchbase Server using the Couchbase Web Console.

Enabling LDAP Authentication

Authentication with LDAP is disabled by default, and if you choose not to enable it, you cannot set up the external administrative roles. The only administrative role that you can configure without LDAP authentication is the Read-Only Administrator.

To enable LDAP authentication for administrators, follow these steps:

  1. Select Security > External User/Roles.

  2. Click the enable link to turn on LDAP authentication. If you do not want to associate the installation with LDAP, this option can be left turned off. Without LDAP authentication enabled, the Full Administrator can only add the Read-Only Administrator role, as explained in Read-Only Administrator.

Add Administrators

With LDAP authentication enabled, the Full Administrator can add administrators by setting up their roles and credentials.

  1. Click on the Add User button on the right.
  2. In the Manage User: New dialog, enter the username and select the role from the drop-down list.

    The roles are:

    • Admin is the Full Administrator role, which can manage all cluster features including the security settings.
    • Read Only Admin can view all cluster features without being able to edit them.
    • Cluster Admin can manage all cluster features except for the security settings.
    • Bucket Admin can manage all bucket features for a specified bucket. When denoted with an asterisk [*], this role can manage all buckets in a cluster.
    • Views Admin can manage views for specified buckets. When denoted with an asterisk [*], this role can manage all views in a cluster.
    • Replication Admin can manage only the XDCR features on the cluster and bucket level.
  3. In this same dialog, the Full Administrator can always manage all existing administrative roles: add a new role to a particular user, or remove roles from that user's list.
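The role list above, together with the rule from Enabling LDAP Authentication that only the Read-Only Administrator can be assigned while LDAP is disabled, can be written down as a small access model. The following is an added example and not code from Couchbase or from this page; it assumes role identifiers in the `bucket_admin[default]` / `bucket_admin[*]` form (the bracketed scope is the asterisk convention described above) and a constructed set of action names (`security`, `cluster`, `bucket`, `views`, `xdcr`, `view`) that stand in for the console features.

```python
"""Access model for Couchbase external administrator roles (added example, not Couchbase code).

Roles and their reach follow the list on the page; the role-string syntax
(name[scope]) and the action names are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

ROLE_RE = re.compile(r"^(?P<name>[a-z_]+)(?:\[(?P<scope>[^\]]+)\])?$")

# Constructed action names standing in for console features.
# "security" covers LDAP settings and administrator management.
ALL_ACTIONS = {"view", "security", "cluster", "bucket", "views", "xdcr"}

# Roles that take a bucket scope ("*" = every bucket in the cluster), and what they manage.
SCOPED_ROLES = {"bucket_admin": {"bucket", "views"}, "views_admin": {"views"}}

# Cluster-wide roles: admin manages everything, cluster_admin everything but security,
# ro_admin can only view, replication_admin only manages XDCR.
UNSCOPED_ROLES = {
    "admin": ALL_ACTIONS,
    "cluster_admin": ALL_ACTIONS - {"security"},
    "ro_admin": {"view"},
    "replication_admin": {"xdcr"},
}


@dataclass(frozen=True)
class Role:
    name: str
    scope: Optional[str] = None  # bucket name, "*" for all buckets, None if unscoped


def parse_role(spec: str) -> Role:
    """Parse 'bucket_admin[default]' or 'cluster_admin' into a Role, rejecting bad scopes."""
    m = ROLE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed role spec: {spec!r}")
    name, scope = m.group("name"), m.group("scope")
    if name in SCOPED_ROLES:
        if not scope:
            raise ValueError(f"{name} requires a bucket scope, e.g. {name}[*]")
    elif name in UNSCOPED_ROLES:
        if scope:
            raise ValueError(f"{name} does not take a bucket scope")
    else:
        raise ValueError(f"unknown role: {name}")
    return Role(name, scope)


def allowed(roles: Iterable[Role], action: str, bucket: Optional[str] = None) -> bool:
    """True if any assigned role permits `action`; bucket-level roles must match `bucket` or be '*'."""
    for r in roles:
        if r.name in UNSCOPED_ROLES:
            if action in UNSCOPED_ROLES[r.name]:
                return True
        elif action in SCOPED_ROLES[r.name] and r.scope in ("*", bucket):
            return True
    return False


def validate_assignment(ldap_enabled: bool, specs: Iterable[str]) -> List[Role]:
    """Parse a role list and enforce: without LDAP authentication, only ro_admin may be assigned."""
    roles = [parse_role(s) for s in specs]
    if not ldap_enabled:
        external = [r.name for r in roles if r.name != "ro_admin"]
        if external:
            raise PermissionError(f"LDAP authentication is disabled; cannot assign {external}")
    return roles


if __name__ == "__main__":
    alice = validate_assignment(True, ["bucket_admin[default]", "replication_admin"])
    print("alice manages views on default:", allowed(alice, "views", "default"))
    print("alice manages views on other:  ", allowed(alice, "views", "other"))
    print("alice manages security:        ", allowed(alice, "security"))
```

The scope check is the part worth keeping in mind when reviewing assignments: `bucket_admin[default]` reaches only that bucket, while `bucket_admin[*]` reaches every bucket in the cluster, and neither grants the security settings that `admin` alone holds.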

If you click on an administrative role, a pop-up explains what a user with that role can manage in the Couchbase system.

Note: Full administrators in Couchbase can manage user roles using the Couchbase CLI tools (as described in admin-role-manage) or REST API (as described in Role Based Admin Access (RBAC)).
Note: Full administrators in Couchbase can manage certificates using the Couchbase CLI tools (as described in ssl-manage) or REST API (as described in Security API).

Test LDAP Settings

To test the LDAP settings:

  1. Sign out of the Couchbase Web Console.
  2. Try to log in with the new administrative credentials.
    • If you enter the credentials of the Full Administrator, the screen will provide full access to all functions available through the Couchbase Web Console (see the LDAP Auth Setup screen above).
    • If you enter credentials of the Read-only Administrator, a screen with the read-only view will become available. This screen doesn't allow the user to enable or disable LDAP, or to configure administrators.