User roles, types, and privileges

This page describes the user roles and privileges relevant to CrateDB Cloud. The first section covers the users created within CrateDB Cloud and their organization roles. The second section covers a different type of user, namely CrateDB users, and their privileges and constraints.

In general, CrateDB Cloud users are created by the admins of their respective organizations, and their function is to support management for these organizations in CrateDB Cloud. By contrast, CrateDB users are either generated automatically or created as part of the CrateDB Cloud cluster deployment process, and support the operation of CrateDB Cloud clusters specifically.

CrateDB Cloud user roles

This section describes the roles that can be set for users within CrateDB Cloud. For information on how to do so, see the documentation on adding users.

Organization roles

An organization admin can add users to and remove users from an organization. Admins can perform all available operations for any services. They have access to the organization’s Audit Log.

Each organization must have at least one admin.

An organization member is able to view the list of organization users but can’t edit, add, or remove users.

CrateDB user roles

This section covers users and privileges that derive from the architecture of CrateDB as it operates for CrateDB Cloud. There are different types of CrateDB database users that are relevant for CrateDB Cloud customers, and their nature and constraints are described below.

System user

In CrateDB Cloud, the backend uses a user called system in order to perform Cloud cluster upgrades, backups and scaling functions, among other things.

Warning

The user system is essential for CrateDB Cloud to function as intended. While it is not normally accessible through the CrateDB Cloud Console or the Croud CLI, it can be accessed through the CrateDB admin UI or any other SQL client. It is important not to edit or delete this user in any way. Otherwise, the functioning of Cloud clusters may be compromised.

Crate user

In CrateDB, when you create a cluster node (through whatever method), a crate user is automatically generated. crate is a superuser and can perform all possible operations. It is not possible to create additional superusers. Authentication for crate is restricted to localhost.

Regular database user

Next to the crate user there is the regular database user, created as part of the CrateDB Cloud cluster deployment wizard when deploying a cluster through AWS or Azure.

Because the regular database user has AL privileges, there are certain operations that they cannot perform. As of CrateDB 4.2.1, the list of such operations is as follows:

- `ALTER CLUSTER`
- `ANALYZE`
- `DISCARD`
- `KILL`
- `KILL ALL`
- `OPTIMIZE`
- `SET LICENSE`
- `SET TRANSACTION`

More information on CrateDB user privileges can be found in the CrateDB documentation on privileges.
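
The queries below are an added example, not part of the original documentation. They audit the database users described above through CrateDB's `sys.users` and `sys.privileges` system tables. They assume the connected account is allowed to read those tables; the column aliases are illustrative.

```sql
-- 1. Inventory of database users.
--    Expect the accounts this page names: crate (superuser), system
--    (used by the Cloud backend) and the regular database user created
--    by the deployment wizard. Anything else should be accounted for.
SELECT name, superuser
FROM sys.users
ORDER BY superuser DESC, name;

-- 2. Confirm the system user still exists.
--    The page warns that editing or deleting it can break upgrades,
--    backups and scaling, so a result of 0 needs immediate attention.
SELECT count(*) AS system_user_present
FROM sys.users
WHERE name = 'system';

-- 3. Superusers other than crate.
--    The page states that additional superusers cannot be created,
--    so this query is expected to return no rows.
SELECT name
FROM sys.users
WHERE superuser = true
  AND name <> 'crate';

-- 4. Explicit grants and denials for every non-superuser.
--    class is CLUSTER, SCHEMA, TABLE or VIEW; type is DQL, DML, DDL or AL;
--    state is GRANT or DENY. A user with no matching rows appears once
--    with NULLs, which means no privileges have been assigned to it.
SELECT u.name   AS user_name,
       p.class  AS privilege_class,
       p.ident  AS object_name,
       p.type   AS privilege_type,
       p.state  AS privilege_state,
       p.grantor
FROM sys.users u
LEFT JOIN sys.privileges p ON p.grantee = u.name
WHERE u.superuser = false
ORDER BY u.name, p.class, p.ident, p.type;
```

Comparing the output of query 4 over time shows when the privileges of `system` or of the regular database user have changed.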