{"id":2997,"date":"2017-03-17T11:08:51","date_gmt":"2017-03-17T18:08:51","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/?p=2997"},"modified":"2025-06-13T19:29:14","modified_gmt":"2025-06-14T02:29:14","slug":"authentication-authorization-rbac","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/authentication-authorization-rbac\/","title":{"rendered":"Authentication and Authorization with RBAC"},"content":{"rendered":"<div class=\"paragraph\">\n<p>In March\u2019s developer build, you can start to see some major changes to authentication and authorization within Role Based Access Control (RBAC) coming to Couchbase Server. These changes are a work in progress: the developer build is essentially a nightly build that gets released to the public. But there\u2019s some good stuff in RBAC that\u2019s worth getting excited about!<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Go <a href=\"https:\/\/www.couchbase.com\/downloads\/\">download the March 5.0.0 developer release of Couchbase Server<\/a> today. Make sure to click the &#8220;Developer&#8221; tab to get the developer build (DB), and check it out. 
You still have time to give us some feedback before the official release.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><em>Keep in mind that I\u2019m writing this blog post on early builds, and some things may change in minor ways by the time you get the release, and some things may still be buggy.<\/em><\/p>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_authentication_and_authorization\">Authentication and Authorization<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Just a quick reminder of the difference between authentication and authorization:<\/p>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li><strong>Authentication<\/strong> is the process of identifying that a user is who they say they are.<\/li>\n<li><strong>Authorization<\/strong> is the process of making sure the user has permission to do what they are trying to do.<\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>If you\u2019ve used Couchbase before, you\u2019re familiar with the login to what we sometimes call the &#8220;Admin Web Console&#8221;.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img decoding=\"async\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2017\/03\/05901-Couchbase-Web-Console.png\" alt=\"Couchbase authentication screen\" \/><\/span><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>However, the Web Console is really not just for admins, it\u2019s for developers too. But until now, you didn\u2019t really have a lot of control built-in to Couchbase about who can log in and (more importantly) what they\u2019re allowed to do.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>So, I\u2019d like to introduce you to Couchbase\u2019s new first-class user feature.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_users\">Users<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>There\u2019s still a full administrator user. This is the login that you create when you first install Couchbase. 
This is the user who is unrestricted, and can do anything, including creating new users. So, for instance, a full administrator can see the &#8220;Security&#8221; link in the navigation, while other users can\u2019t.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img decoding=\"async\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2017\/03\/05902-Security-Link-Web-Console.gif\" alt=\"Security link to manage authentication and authorization\" \/><\/span><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Now, once on this security page, you can add, edit, and delete users.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>A <strong>user<\/strong> can identify a person, but it can also identify some service or process. For instance, if you\u2019re writing an ASP.NET application, you may want to create a user with a limited set of permissions called &#8220;web-service&#8221;. Therefore, the credentials for that &#8220;user&#8221; would not be for a person, but for an ASP.NET application.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Next, try adding a new Couchbase user by clicking &#8220;+ Add User&#8221;. 
I\u2019m going to create a user called &#8220;fts_admin&#8221;, with a name of &#8220;Full Text Search Admin&#8221;, a password, and a single role: FTS Admin of the travel-sample bucket (FTS = Full Text Search).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_adding_a_new_user\">Adding a new user<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Here\u2019s an animation of adding that user:<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img decoding=\"async\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2017\/03\/05903-Add-New-User.gif\" alt=\"Add a new user with Couchbase authentication\" \/><\/span><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Some notes about the above animation:<\/p>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li>I selected &#8220;Couchbase&#8221; instead of &#8220;External&#8221;. External is meant for LDAP integration. Note that &#8220;Couchbase&#8221; (internal authentication) will likely become the default in future releases.<\/li>\n<li>FTS Admin gives the user permission to do everything with Full Text Searches: create, modify, delete, and execute them.<\/li>\n<li>I granted FTS Admin only for the travel-sample bucket. If I selected &#8220;all&#8221;, that would grant permission to all buckets, even ones created in the future.<\/li>\n<li>Users with the FTS Searcher role only have access to execute searches, not modify or create them.<\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>More on the difference between FTS Admin and FTS Searcher later.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_logging_in_as_a_new_user\">Logging in as a new user<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Now that this user is created, I can log in as fts_admin. 
This user\u2019s authentication is handled within Couchbase.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img decoding=\"async\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2017\/03\/05904-Login-as-new-user.gif\" alt=\"Login with Couchbase authentication\" \/><\/span><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>First, in the above animation, note that the fts_admin user has a much more limited set of options compared to the full admin user.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Next, it\u2019s worth pointing out that users can reset their password:<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img decoding=\"async\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2017\/03\/05905-Reset-password.png\" alt=\"Reset password\" \/><\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_creating_an_fts_index\">Creating an FTS index<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Since I\u2019ve already created an fts_admin user with the <strong>FTS Admin<\/strong> role, I\u2019ll create another user called fts_searcher that only has the <strong>FTS Searcher<\/strong> role for the travel-sample bucket.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><span class=\"image\"><img decoding=\"async\" src=\"https:\/\/www.couchbase.com\/blog\/wp-content\/uploads\/2017\/03\/05906-List-of-users.png\" alt=\"List of users\" \/><\/span><\/p>\n<\/div>\n<div class=\"sect2\">\n<h3 id=\"_using_the_rest_api_for_fts\">Using the REST API for FTS<\/h3>\n<div class=\"paragraph\">\n<p>I\u2019m going to use the REST API to demonstrate that these users are limited by the roles I\u2019ve given them. <em>If you need a refresher on the REST API, you can refer to the <a href=\"https:\/\/developer.couchbase.com\/documentation\/server\/current\/rest-api\/rest-fts.html\">documentation of the Full Text Search API<\/a>. 
Also note that I\u2019m using the REST API because there are some bugs in the UI as I\u2019m writing this.<\/em><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Let\u2019s start by creating a new Full Text Search (FTS) index. I\u2019ll do this via <a href=\"https:\/\/www.getpostman.com\/\">Postman<\/a>, but you can use <a href=\"https:\/\/curl.haxx.se\/\">curl<\/a> or <a href=\"https:\/\/www.telerik.com\/fiddler\">Fiddler<\/a> or whatever REST tool you prefer.<\/p>\n<\/div>\n<\/div>\n<div class=\"sect2\">\n<h3 id=\"_create_an_fts_index\">Create an FTS index<\/h3>\n<div class=\"paragraph\">\n<p>To create an index with the REST API, I need to make a PUT request to the <code>\/api\/index\/&lt;indexname&gt;<\/code> endpoint.<\/p>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li>First, I\u2019ll create an index for the &#8216;hotel&#8217; type in the travel-sample bucket, so I\u2019ll PUT to <code>\/api\/index\/hotels<\/code><\/li>\n<li>Also, credentials can be put in the URL to use basic authentication<\/li>\n<li>Furthermore, the REST endpoints are available on port 8094<\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>Finally, the URL for the PUT request should look something like this:<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><code><a class=\"bare\" href=\"https:\/\/fts_searcher:password@192.168.1.10:8094\/api\/index\/hotels\">https:\/\/fts_searcher:password@192.168.1.10:8094\/api\/index\/hotels<\/a><\/code><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>The body of the PUT is a big JSON object. Below is part of it. 
You can find the <a href=\"https:\/\/github.com\/couchbaselabs\/blog-source-code\/blob\/master\/Groves\/059SpockRBAC\/src\/newsearchindex.json\">full version on GitHub<\/a> to try for yourself.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre class=\"highlight decode:true\"><code class=\"language-JavaScript\">{\r\n  \"type\": \"fulltext-index\",\r\n  \"name\": \"hotels\",\r\n  \"sourceType\": \"couchbase\",\r\n  \"sourceName\": \"travel-sample\",\r\n\r\n\/\/ ... snip ...\r\n\r\n}<\/code><\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>Normally, you can create this via the UI instead of having to create JSON by hand. I\u2019m not going to go into FTS in much detail in this post, because my goal is to demonstrate the new authentication and authorization features, not FTS itself.<\/p>\n<\/div>\n<\/div>\n<div class=\"sect2\">\n<h3 id=\"_trying_to_create_an_index_without_authorization\">Trying to create an index without authorization<\/h3>\n<div class=\"paragraph\">\n<p>Notice that I\u2019m using fts_searcher as the user. I know that fts_searcher shouldn\u2019t have permission to create indexes, so I would expect a 403. And that\u2019s just what I get.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre class=\"highlight decode:true\"><code class=\"language-JavaScript\">{\r\n  \"message\": \"Forbidden. 
User needs one of the following permissions\",\r\n  \"permissions\": [\r\n    \"cluster.bucket[travel-sample].fts!write\"\r\n  ]\r\n}<\/code><\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>So, while the authentication worked, that user doesn\u2019t have the necessary authorization.<\/p>\n<\/div>\n<\/div>\n<div class=\"sect2\">\n<h3 id=\"_creating_an_index_with_authorization\">Creating an index with authorization<\/h3>\n<div class=\"paragraph\">\n<p>I\u2019ll try again with fts_admin:<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><code><a class=\"bare\" href=\"https:\/\/fts_admin:password@192.168.1.10:8094\/api\/index\/hotels\">https:\/\/fts_admin:password@192.168.1.10:8094\/api\/index\/hotels<\/a><\/code><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>And assuming an index named &#8216;hotels&#8217; doesn\u2019t already exist, you\u2019ll get a 200, and this in the body of the response:<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre class=\"highlight decode:true\"><code class=\"language-JavaScript\">{\r\n  \"status\": \"ok\"\r\n}<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_using_the_fts_index\">Using the FTS index<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>Next, let\u2019s use the REST API to search the index for the word &#8216;breakfast&#8217;.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>First, make a POST to the <code>\/api\/index\/hotels\/query<\/code> endpoint, again with the proper credentials and port number.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><code><a class=\"bare\" href=\"https:\/\/fts_admin:password@192.168.1.10:8094\/api\/index\/hotels\/query\">https:\/\/fts_admin:password@192.168.1.10:8094\/api\/index\/hotels\/query<\/a><\/code><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>or<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p><code><a class=\"bare\" 
href=\"https:\/\/fts_searcher:password@192.168.1.10:8094\/api\/index\/hotels\/query\">https:\/\/fts_searcher:password@192.168.1.10:8094\/api\/index\/hotels\/query<\/a><\/code><\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Both users should be able to execute a search using that index.<\/p>\n<\/div>\n<div class=\"paragraph\">\n<p>Next, the body of the POST should be a simple JSON object. Again, you don\u2019t normally have to create this by hand\u2009\u2014\u2009your SDK of choice or the Web Console UI can do this for you.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre class=\"highlight decode:true\"><code class=\"language-JavaScript\">{\r\n  \"explain\": true,\r\n  \"fields\": [\r\n    \"*\"\r\n  ],\r\n  \"highlight\": {},\r\n  \"query\": {\r\n    \"query\": \"breakfast\"\r\n  }\r\n}<\/code><\/pre>\n<\/div>\n<\/div>\n<div class=\"paragraph\">\n<p>Finally, the result of this search request will be a large JSON response. Look within the &#8220;hits&#8221; <a href=\"https:\/\/www.couchbase.com\/blog\/subdoc-explained\/\">sub-document<\/a> for &#8220;fragments&#8221; to verify that the search worked. Here\u2019s a snippet of my search for &#8220;breakfast&#8221;. Again, the <a href=\"https:\/\/github.com\/couchbaselabs\/blog-source-code\/blob\/master\/Groves\/059SpockRBAC\/src\/searchresults.json\">full result is on GitHub<\/a>.<\/p>\n<\/div>\n<div class=\"listingblock\">\n<div class=\"content\">\n<pre class=\"highlight decode:true\"><code class=\"language-JavaScript\">\/\/ ... snip ...\r\n\r\n        \"reviews.content\": [\r\n          \"\u2026 to watch TV. &lt;mark&gt;Breakfast&lt;\/mark&gt; was served every morning along with a copy of the Times-Picayune. I took my &lt;mark&gt;breakfast&lt;\/mark&gt; downstairs in the patio, the coffee was very good. The continental &lt;mark&gt;breakfast&lt;\/mark&gt; is nothing to\u2026\"\r\n        ]\r\n      },\r\n\r\n\/\/ ... 
snip ...<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"sect1\">\n<h2 id=\"_this_is_a_preview_expect_some_bugs\">This is a preview, expect some bugs!<\/h2>\n<div class=\"sectionbody\">\n<div class=\"paragraph\">\n<p>There are some bugs and some incomplete features.<\/p>\n<\/div>\n<div class=\"ulist\">\n<ul>\n<li>I\u2019ve shown FTS roles here on purpose. This is because the other roles are not yet fully formed. Please try them out, let us know what you think, but remember they are not in their final form. FTS is closest to ready.<\/li>\n<li>I\u2019ve seen some issues where logging in as a non-admin user causes the web console to behave badly. Because of this, I showed the REST example above instead of relying on the UI.<\/li>\n<li>Finally, there might be other bugs that we don\u2019t know about yet. Please let us know! You can file an issue in our <a href=\"https:\/\/issues.couchbase.com\">JIRA system at issues.couchbase.com<\/a> or submit a question on the <a href=\"https:\/\/www.couchbase.com\/forums\/\">Couchbase Forums<\/a>. Or, contact me with a description of the issue. I would be happy to help you or submit the bug for you (my Couchbase handlers send me a cake pop when I submit a good bug).<\/li>\n<\/ul>\n<\/div>\n<div class=\"paragraph\">\n<p>If you have questions, the best way to contact me is either <a href=\"https:\/\/twitter.com\/mgroves\">Twitter @mgroves<\/a> or email me <a href=\"mailto:matthew.groves@couchbase.com\">matthew.groves@couchbase.com<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In March\u2019s developer build, you can start to see some major changes to authentication and authorization within Role Based Access Control (RBAC) coming to Couchbase Server. 
These changes are a work in progress: the developer build is essentially a nightly [&hellip;]<\/p>\n","protected":false},"author":71,"featured_media":10349,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[1816,1813],"tags":[1455,1456,1903],"ppma_author":[8937],"class_list":["post-2997","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-couchbase-server","category-security","tag-authentication","tag-authorization","tag-rbac"],"acf":[],"authors":[{"term_id":8937,"user_id":71,"is_guest":0,"slug":"matthew-groves","display_name":"Matthew Groves","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/70feb1b28a099ad0112b8d21fe1e81e1a4524beed3e20b7f107d5370e85a07ab?s=96&d=mm&r=g","author_category":"","last_name":"Groves","first_name":"Matthew","job_title":"","user_url":"https:\/\/crosscuttingconcerns.com","description":"Matthew D. Groves is a guy who loves to code.  It doesn't matter if it's C#, jQuery, or PHP: he'll submit pull requests for anything.  He has been coding professionally ever since he wrote a QuickBASIC point-of-sale app for his parent's pizza shop back in the 90s.  He currently works as a Senior Product Marketing Manager for Couchbase. His free time is spent with his family, watching the Reds, and getting involved in the developer community.  
He is the author of AOP in .NET, Pro Microservices in .NET, a Pluralsight author, and a Microsoft MVP."}],"_links":{"self":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/2997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/users\/71"}],"replies":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/comments?post=2997"}],"version-history":[{"count":0,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/posts\/2997\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media\/10349"}],"wp:attachment":[{"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/media?parent=2997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/categories?post=2997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/tags?post=2997"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.couchbase.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=2997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}