Couchbase Server version 7.0 introduces some important changes to the role-based access control (RBAC) authorization system. Couchbase Server has offered fine-grained access controls through RBAC for administrators since version 4.5 and for all users since version 5.0. In the previous blog post, I described how DBAs can use some roles to restrict access at the scope or collection level. In this post, I would like to show you some of the role changes and the additional roles that have been created.

Here is a summary of the changes:

    • Security Admin has been replaced with Local or External User Security Admin
    • Two new Full Admin roles: Eventing Full Admin and Backup Full Admin
    • Eight new Functions roles for SQL++ Query User-Defined Functions
    • Two additional operational roles: Manage Scopes and External Stats Reader

Security Admin

We received some customer feedback that RBAC didn’t define the existing Security Admin role narrowly enough. We decided to improve security by letting administrators choose whether a Security Admin can manage Local Users, External Users or both. With Couchbase Server 7.0, we split the role of Security Admin into two distinct roles: Local User Security Admin and External User Security Admin.

Upon upgrading a cluster from a previous version where a user has the Security Admin role, their role definition will change to inherit both new roles instead of the legacy Security Admin role.

The new Local User Security Admin role allows an administrator to add/remove/modify users defined and stored locally in the cluster.  This role does not permit the administrator to change the external authentication settings.

The External User Security Admin role allows an administrator to add/remove/modify users defined and managed externally to the cluster in a system such as LDAP or Active Directory. Additionally, this role allows modification of the external authentication settings.

An administrator who possesses both Local User Security Admin and External User Security Admin can manage all non-admin users in the cluster.

New Full Admin Roles

We created two new roles in Couchbase Server 7.0 to facilitate cluster-wide operations for Eventing and Backups: Eventing Full Admin and Backup Full Admin.

Eventing Full Admin is a powerful administrator role. It has most of the same capabilities as a Full Admin, but it does not allow the modification of security settings, such as adding or removing users, or the modification of XDCR.

Backup Full Admin is also a powerful administrator role. It, too, has most of the same capabilities as a Full Admin, but it also does not allow modification of security settings. Administrators wishing to back up Eventing Data will need to have this role or the Full Admin role.

New SQL++ Query User-Defined Function Roles

Eight new roles were added to Couchbase Server 7.0 to manage or execute the new SQL++ User-Defined Functions (N1QL UDFs) feature. These apply at both a Scope and Global level and at both an Inline and External level for the functions:

    • Manage Global Functions
    • Execute Global Functions
    • Manage Scope Functions
    • Execute Scope Functions
    • Manage Global External Functions
    • Execute Global External Functions
    • Manage Scope External Functions
    • Execute Scope External Functions

A Global function is created within a namespace, at the same level as the buckets within the namespace, whereas a Scope function is created within a scope, at the same level as the collections within the scope. When creating a user-defined function, the current query context determines whether it is created as a Global function or a Scope function. You can also include the full path to the function when you specify the function name.

An Inline function uses the SQL++ language to define the function’s capabilities, whereas an External function uses an external language such as JavaScript.

Here are some examples: 

Granular control over managing or executing SQL++ functions, limited to specific scopes and execution languages, lets administrators grant only the minimum privileges required, following the principle of least privilege (PoLP).
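An added example, not from the original post or from Couchbase's code: it maps each function operation an account needs (action, full function path, language) to the matching one of the eight roles and lists granted function roles that nothing requires. The role identifiers come from Couchbase's role reference, the account, function names and grants are constructed, and it assumes each operation needs exactly the one role matching its action, level and language.

```python
import re

# Role identifiers from Couchbase's role reference (not the post). Key: (action, scoped, external).
ROLES = {
    ("manage", False, False): "query_manage_global_functions",
    ("execute", False, False): "query_execute_global_functions",
    ("manage", True, False): "query_manage_functions",
    ("execute", True, False): "query_execute_functions",
    ("manage", False, True): "query_manage_global_external_functions",
    ("execute", False, True): "query_execute_global_external_functions",
    ("manage", True, True): "query_manage_external_functions",
    ("execute", True, True): "query_execute_external_functions",
}

def parse_function_path(path):
    """Return (bucket, scope, name); bucket and scope are None for a Global function."""
    rest = path.partition(":")[2]  # text after the namespace
    parts = [p.strip("`") for p in re.findall(r"`[^`]+`|[^.`]+", rest)]
    if len(parts) == 1:
        return None, None, parts[0]
    if len(parts) == 3:
        return tuple(parts)
    raise ValueError(f"not a full function path: {path!r}")

def role_for(action, path, language):
    """Narrowest function role for one operation, scoped as role[bucket:scope] when it applies."""
    bucket, scope, _ = parse_function_path(path)
    role = ROLES[(action, bucket is not None, language.lower() != "inline")]
    return f"{role}[{bucket}:{scope}]" if bucket else role

def excess_roles(granted, needs):
    """Function roles in `granted` that none of the operations in `needs` requires."""
    required = {role_for(*need) for need in needs}
    return sorted(r for r in granted if r.split("[")[0] in ROLES.values() and r not in required)

# Constructed sample: operations a hypothetical reporting account must perform.
NEEDS = [
    ("execute", "default:`travel-sample`.inventory.celsius", "inline"),
    ("execute", "default:`travel-sample`.inventory.geohash", "javascript"),
]
# Constructed sample: roles currently granted to that account.
GRANTED = [
    "query_execute_functions[travel-sample:inventory]",
    "query_execute_external_functions[travel-sample:inventory]",
    "query_manage_functions[travel-sample:inventory]",
    "query_execute_global_functions",
    "query_select[travel-sample:inventory]",
]
print(excess_roles(GRANTED, NEEDS))
```

Roles outside the eight function roles, such as the `query_select` grant in the sample, are ignored by the comparison.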

New Operational Roles

Last but not least, we’ve added two operational-type roles: the Manage Scopes role and the External Stats Reader role.

The Manage Scopes role allows a Cluster or Bucket administrator to delegate the adding/removing of Scopes and Collections at a Bucket Level or the adding/removing of Collections at a Scope level, depending on the parameter given when assigning the role to a user.

The External Stats Reader role allows access to the stats endpoints which provide data that is stored in the embedded Prometheus system stats storage.

Conclusion

In this article I’ve shown you what new RBAC roles have been added to Couchbase Server 7.0 and what they are used for.

If security is important to you, I recommend reading a few additional blog posts about our RBAC features that help keep your Couchbase data protected. 

Author

Posted by Ian McCloy, Director Product Management

Ian McCloy is the Director of the Platform and Security Product Management Group for Couchbase and lives in the United Kingdom. His dedicated team is responsible for the Reliability, Availability, Serviceability and Security architecture of Couchbase Server and the SaaS Database, Capella. This team also owns cloud-native platforms like the Couchbase Kubernetes Autonomous Operator. Ian has a vast range of experience as a Software Engineer, Technical Support Engineer, Quality Assurance Engineer and Systems Administrator. Ian has led global technical teams for the majority of his 20-year professional career and holds several patents in the areas of information security, virtualisation and hardware design. https://www.linkedin.com/in/ianmccloy/
