Creating and Managing Users with the UI
Using the Couchbase Web Console, you can assign roles to users interactively.
Authorization for Full Administrators
The administrator who initially performs installation and configuration of Couchbase Server, the Full Administrator, is granted read-write access to the entire system. The user ID of this administrator can be defined either locally or remotely; for example, by means of LDAP.
Once basic system-configuration has been completed, the Full Administrator is free to add additional administrators to the system, and assign them roles, thereby specifying their access-privileges.
As Full Administrator, to add users (each of which might be either an administrator or an application) to Couchbase Server, use the Couchbase Web Console. Access the Dashboard, and left-click on the Security tab, on the vertical navigation-bar, at the left. This brings up the Security view, as follows:
The Security view allows users to be defined, and roles to be allocated to them. It also allows management of the Root Certificate, and of Audit-processing. To add a user, left-click on the Add User control, at the upper right. The Add New User dialog now appears:
The Authentication Domain panel features two checkboxes: one specifying Couchbase, the other External. By default, Couchbase is checked: this means that the user will be defined locally, and that a user-password must therefore be created, using the Password fields displayed on the dialog. To define a user externally (for example, by accessing an LDAP server over the network), check the External checkbox. If you do so, no password need be specified, since one is assumed to have been defined elsewhere; and the Password fields therefore disappear from the dialog.
Define a Couchbase user, by adding appropriate entries into the Username and Password fields. The Full Name field may be left blank.
For more information on defining users locally and externally, see Authentication.
To specify one or more roles, scroll down, and review the Roles panel:
Each available role can be selected by means of a checkbox. Roles are arranged in a hierarchy: by left-clicking on right-pointing arrowheads, you open a lower level of this hierarchy, and are able to inspect either additional roles, or additional levels, or both. For example, left-click successively on the arrowheads for Data Roles, Data Reader, and Data Writer:
When opened, Data Reader and Data Writer each reveal two checkboxes, which assign read and write permission respectively to all buckets, and to the travel-sample bucket alone. To assign the user a specific role, check each appropriate checkbox, by left-clicking. For example:
These role-assignments give the user read and write permission on the data in the travel-sample bucket.
Note that some roles are considered to be subsets of others. In such cases, manually checking one checkbox may trigger the automated checking of others — indicating that the corresponding roles are also assigned to the user. To demonstrate this, left-click on the Admin checkbox. The Roles panel now appears as follows:
As illustrated, selecting the Admin role causes all other roles also to become selected: this is because Admin stands at the top of the hierarchy, and is a superset of all other roles.
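Because superset roles and all-bucket scopes grant far more than a single bucket-scoped role, existing assignments are worth reviewing periodically. The following is an added example, not part of the Couchbase documentation: it flags users who hold Admin or Cluster Admin, or any role scoped to all buckets. The JSON shape, the role identifiers (`admin`, `cluster_admin`, `data_reader`, `data_writer`), the `*` all-buckets scope, and every user name other than testUser are assumptions modeled on the output of the REST endpoint GET /settings/rbac/users.

```python
import json

# Constructed sample, assumed to match GET /settings/rbac/users output: one object
# per user with "id", "domain" and "roles" entries ("role", optional "bucket_name").
SAMPLE_USERS = json.loads("""
[
  {"id": "testUser", "domain": "local",
   "roles": [{"role": "data_reader", "bucket_name": "travel-sample"},
             {"role": "data_writer", "bucket_name": "travel-sample"}]},
  {"id": "opsUser", "domain": "local", "roles": [{"role": "cluster_admin"}]},
  {"id": "reportApp", "domain": "external",
   "roles": [{"role": "data_reader", "bucket_name": "*"}]},
  {"id": "secondAdmin", "domain": "local", "roles": [{"role": "admin"}]}
]
""")

# Roles the page describes as supersets of other roles.
SUPERSET_ROLES = {
    "admin": "superset of all other roles",
    "cluster_admin": "superset of other roles, without security access",
}
ALL_BUCKETS = "*"  # assumed scope value when a role applies to all buckets

def audit_user(user):
    """Return (role, scope, reason) tuples for grants that deserve review."""
    findings = []
    for grant in user.get("roles", []):
        role = grant.get("role", "")
        scope = grant.get("bucket_name")  # None for cluster-wide roles
        if role in SUPERSET_ROLES:
            findings.append((role, scope, SUPERSET_ROLES[role]))
        elif scope == ALL_BUCKETS:
            findings.append((role, scope, "applies to all buckets"))
    return findings

def audit(users):
    """Map 'domain/id' to its findings, omitting users with none."""
    report = {}
    for user in users:
        findings = audit_user(user)
        if findings:
            report[f"{user.get('domain')}/{user.get('id')}"] = findings
    return report

if __name__ == "__main__":
    for who, findings in audit(SAMPLE_USERS).items():
        print(who, findings)
```

A user limited to a single bucket, such as testUser above, produces no findings; each flagged entry is a prompt to confirm that the broader grant is intended.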
Saving and Making Changes
Whenever you have finished allocating roles to a particular user, left-click on Save. The dialog disappears, and the Security view now displays, on the row of the corresponding username, the roles you have allocated. For example, if you have allocated Data Reader and Data Writer, [travel-sample], the view is as follows:
Note that by left-clicking within the row, you display options for editing:
By left-clicking on Delete, you delete the user. By left-clicking on Edit, you bring up the Edit testUser dialog, with the options to redefine username, full name, and roles (the content of this dialog is very similar to that of the Add New User dialog, examined in detail above). The Reset Password button only appears when the selected user is locally defined. Left-clicking on the button brings up a dialog that allows redefinition of the user's password:
Role-Based Console Appearance
Role-assignment determines which features of Couchbase Web Console are available to the administrator. Non-available features are not displayed: therefore, the console's appearance changes, based on which roles have been assigned to the current user.
This can be demonstrated with reference to the role Cluster Admin, which is assigned by means of the Add New User dialog. Note once again that when the Cluster Admin checkbox is manually checked, the checkboxes for all other roles that are each considered a subset of Cluster Admin are themselves automatically checked.
When a user defined in this way logs into Couchbase Web Console, the console's appearance is as follows:
Note that the Security option has been removed from the vertical navigation-bar, at the left, since the Cluster Admin role is not privileged to read or write security-related data.
Other roles and role-combinations restrict feature-access in similar ways, and in consequence, produce different console-appearances for differently defined users.