Documentation

Enterprise users and permissions reference

Important
Authentication must be enabled before authorization can be managed. If authentication is not enabled, permissions will not be enforced. See “Enable authentication”.

Users

Users have permissions and roles.

Roles

Roles are groups of permissions. A single role can belong to several users.

InfluxDB Enterprise clusters have two built-in roles:

Global Admin

The Global Admin role has all 16 cluster permissions.

Admin

The Admin role has all cluster permissions except for the permissions to:

  • Add/Remove Nodes
  • Copy Shard
  • Manage Shards
  • Rebalance

Permissions

A permission (also privilege) is the ability to access a resource in some way, including:

  • viewing the resource
  • copying the resource
  • dropping the resource
  • writing to the resource
  • full management capabilities

InfluxDB Enterprise clusters have 16 permissions:

PermissionDescriptionToken
View AdminPermission to view or edit admin screensViewAdmin
View ChronografPermission to use Chronograf toolsViewChronograf
Create DatabasesPermission to create databasesCreateDatabase
Create Users & RolesPermission to create users and rolesCreateUserAndRole
Add/Remove NodesPermission to add/remove nodes from a clusterAddRemoveNode
Drop DatabasesPermission to drop databasesDropDatabase
Drop DataPermission to drop measurements and seriesDropData
ReadPermission to read dataReadData
WritePermission to write dataWriteData
RebalancePermission to rebalance a clusterRebalance
Manage ShardsPermission to copy and delete shardsManageShard
Manage Continuous QueriesPermission to create, show, and drop continuous queriesManageContnuousQuery
Manage QueriesPermission to show and kill queriesManageQuery
Manage SubscriptionsPermission to show, add, and drop subscriptionsManageSubscription
MonitorPermission to show stats and diagnosticsMonitor
Copy ShardPermission to copy shardsCopyShard

In addition, two tokens govern Kapacitor permissions:

  • KapacitorAPI: Grants the user permission to create, read, update and delete tasks, topics, handlers and similar Kapacitor artifacts.
  • KapacitorConfigAPI: Grants the user permission to override the Kapacitor configuration dynamically using the configuration endpoint.

Permissions scope

Using the InfluxDB Enterprise Meta API, these permissions can be set at the cluster-wide level (for all databases at once) and for specific databases. For examples, see Manage authorization with the InfluxDB Enterprise Meta API.

Permission to Statement

The following table describes permissions required to execute the associated database statement.

PermissionStatement
CreateDatabasePermissionAlterRetentionPolicyStatement, CreateDatabaseStatement, CreateRetentionPolicyStatement, ShowRetentionPoliciesStatement
ManageContinuousQueryPermissionCreateContinuousQueryStatement, DropContinuousQueryStatement, ShowContinuousQueriesStatement
ManageSubscriptionPermissionCreateSubscriptionStatement, DropSubscriptionStatement, ShowSubscriptionsStatement
CreateUserAndRolePermissionCreateUserStatement, DropUserStatement, GrantAdminStatement, GrantStatement, RevokeAdminStatement, RevokeStatement, SetPasswordUserStatement, ShowGrantsForUserStatement, ShowUsersStatement
DropDataPermissionDeleteSeriesStatement, DeleteStatement, DropMeasurementStatement, DropSeriesStatement
DropDatabasePermissionDropDatabaseStatement, DropRetentionPolicyStatement
ManageShardPermissionDropShardStatement,ShowShardGroupsStatement, ShowShardsStatement
ManageQueryPermissionKillQueryStatement, ShowQueriesStatement
MonitorPermissionShowDiagnosticsStatement, ShowStatsStatement
ReadDataPermissionShowFieldKeysStatement, ShowMeasurementsStatement, ShowSeriesStatement, ShowTagKeysStatement, ShowTagValuesStatement, ShowRetentionPoliciesStatement
NoPermissionsShowDatabasesStatement
Determined by type of select statementSelectStatement

Statement to Permission

The following table describes database statements and the permissions required to execute them. It also describes whether these permissions apply the the database or cluster level.

StatementPermissionsScope
AlterRetentionPolicyStatementCreateDatabasePermissionDatabase
CreateContinuousQueryStatementManageContinuousQueryPermissionDatabase
CreateDatabaseStatementCreateDatabasePermissionCluster
CreateRetentionPolicyStatementCreateDatabasePermissionDatabase
CreateSubscriptionStatementManageSubscriptionPermissionDatabase
CreateUserStatementCreateUserAndRolePermissionDatabase
DeleteSeriesStatementDropDataPermissionDatabase
DeleteStatementDropDataPermissionDatabase
DropContinuousQueryStatementManageContinuousQueryPermissionDatabase
DropDatabaseStatementDropDatabasePermissionCluster
DropMeasurementStatementDropDataPermissionDatabase
DropRetentionPolicyStatementDropDatabasePermissionDatabase
DropSeriesStatementDropDataPermissionDatabase
DropShardStatementManageShardPermissionCluster
DropSubscriptionStatementManageSubscriptionPermissionDatabase
DropUserStatementCreateUserAndRolePermissionDatabase
GrantAdminStatementCreateUserAndRolePermissionDatabase
GrantStatementCreateUserAndRolePermissionDatabase
KillQueryStatementManageQueryPermissionDatabase
RevokeAdminStatementCreateUserAndRolePermissionDatabase
RevokeStatementCreateUserAndRolePermissionDatabase
SelectStatementDetermined by type of select statementn/a
SetPasswordUserStatementCreateUserAndRolePermissionDatabase
ShowContinuousQueriesStatementManageContinuousQueryPermissionDatabase
ShowDatabasesStatementNoPermissionsClusterThe user’s grants determine which databases are returned in the results.
ShowDiagnosticsStatementMonitorPermissionDatabase
ShowFieldKeysStatementReadDataPermissionDatabase
ShowGrantsForUserStatementCreateUserAndRolePermissionDatabase
ShowMeasurementsStatementReadDataPermissionDatabase
ShowQueriesStatementManageQueryPermissionDatabase
ShowRetentionPoliciesStatementCreateDatabasePermissionDatabase
ShowSeriesStatementReadDataPermissionDatabase
ShowShardGroupsStatementManageShardPermissionCluster
ShowShardsStatementManageShardPermissionCluster
ShowStatsStatementMonitorPermissionDatabase
ShowSubscriptionsStatementManageSubscriptionPermissionDatabase
ShowTagKeysStatementReadDataPermissionDatabase
ShowTagValuesStatementReadDataPermissionDatabase
ShowUsersStatementCreateUserAndRolePermissionDatabase

Was this page helpful?

Thank you for your feedback!


The future of Flux

Flux is going into maintenance mode. You can continue using it as you currently are without any changes to your code.

Read more

InfluxDB v3 enhancements and InfluxDB Clustered is now generally available

New capabilities, including faster query performance and management tooling advance the InfluxDB v3 product line. InfluxDB Clustered is now generally available.

InfluxDB v3 performance and features

The InfluxDB v3 product line has seen significant enhancements in query performance and has made new management tooling available. These enhancements include an operational dashboard to monitor the health of your InfluxDB cluster, single sign-on (SSO) support in InfluxDB Cloud Dedicated, and new management APIs for tokens and databases.

Learn about the new v3 enhancements


InfluxDB Clustered general availability

InfluxDB Clustered is now generally available and gives you the power of InfluxDB v3 in your self-managed stack.

Talk to us about InfluxDB Clustered