You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/eventing/pages/eventing-rbac.adoc
+4-6Lines changed: 4 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,10 +7,10 @@
7
7
[#description]
8
8
== Description: What is RBAC
9
9
10
-
Couchbase provides _Role-Based Access Control_ (RBAC), in which access privileges are assigned to fixed roles, which are in turn assigned to users, (each of which may be an administrator or an application) either _directly_; or _indirectly_, by means of _user-groups_.
10
+
Couchbase provides _Role-Based Access Control_ (RBAC), in which access privileges are assigned to fixed roles; which are in turn assigned to users (each of which may be an administrator or an application) either _directly_; or _indirectly_, by means of _user-groups_.
11
11
12
12
Couchbase Server Enterprise Edition provides RBAC with multiple roles for finer access control.
13
-
Community Edition provides multiple users that can be assigned to a limited set of roles.
13
+
Community Edition provides multiple users that can be assigned to limited set of roles.
14
14
There are three fixed roles in the community edition of Couchbase providing coarser access control: Bucket Full Access (`bucket_full_access[*]`), Admin (`admin`), and Read Only Admin (`ro_admin`).
15
15
16
16
A Couchbase-Server _role_ permits one or more _resources_ to be accessed according to defined _privileges_.
@@ -27,11 +27,9 @@ For more information, see xref:learn:security/authorization-overview.adoc[Author
27
27
A bucket.scope combination is used for identifying functions belonging to the same group.
28
28
29
29
Only the "Eventing Full Admin" role and also the "Full Admin" role can set the bucket.scope to *+*+.+*+*; all other Eventing non-privileged users need to define a *Function Scope* for their Eventing functions that references an existing resource of bucket.scope.
30
-
This provides role-based isolation of Eventing functions between non-privileged users.
30
+
This provides rolebased isolation of Eventing functions between non-privileged users
Typically, you should set Function Scope to the bucket.scope that holds the collection that is the source of your mutations to your Eventing Function. This best practice ensures that you _do not_ inadvertently cause an Eventing Function to undeploy by removing a *Function Scope* pointing to a resource that is not required for the function to run.
32
+
Typically you should set Function Scope to the bucket.scope that holds the collection that is the source of your mutations to your Eventing Function. This best practice ensures that you _do not_ inadvertently cause an Eventing Function to undeploy by removing a *Function Scope* pointing to a resource that is not required for the function to run.
35
33
36
34
NOTE: A user can be assigned multiple "Eventing/Manage Scope Function" RBAC roles.
37
35
If any of these roles match an existing Eventing Function's *Function Scope*, then that user can manage, modify, or delete the Eventing Function even if it was created or imported by someone else.
0 commit comments