Details
New Feature
Status: Patch Available
Normal
Resolution: Unresolved
None
Operability
Normal
All
None
Description
This ticket is about enabling a sort of security admin role.
Think of a hospital with patient data which is very sensitive information. IT should be able to grant/revoke/restrict access to the data without having access to the data itself. This is the clear separation of duties between admins and users of the database we're after.
An example along these lines:
As a superuser:
    CREATE KEYSPACE patientdata …;
    CREATE ROLE security_admin;
    GRANT security_admin TO admin_guy;
    GRANT AUTHORIZE FOR SELECT, MODIFY, EXECUTE ON patientdata TO security_admin;
    RESTRICT SELECT, MODIFY, EXECUTE ON KEYSPACE patientdata TO security_admin;
As a security admin:
    GRANT SELECT ON patientdata TO new_nurse;
    GRANT SELECT, MODIFY ON patientdata TO doctor_house;
Original idea of snazy
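
The separation of duties described in this ticket, modelled as a small Python sketch. This is an added example, not Cassandra code or the attached patch. The class `Authz`, its method names and the rule that a restriction overrides any grant (including one the restricted role gives itself) are assumptions about the intended semantics.

```python
from collections import defaultdict

class Authz:
    """Toy model (assumed semantics) of GRANT AUTHORIZE FOR and RESTRICT."""
    def __init__(self):
        self.member_of = defaultdict(set)   # role -> roles granted to it
        self.perms = defaultdict(set)       # role -> {(permission, resource)}
        self.grantable = defaultdict(set)   # set by GRANT AUTHORIZE FOR
        self.restricted = defaultdict(set)  # set by RESTRICT

    def _roles(self, role):
        # The role itself plus every role it inherits, transitively.
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.member_of[r])
        return seen

    def _holds(self, table, role, perm, res):
        return any((perm, res) in table[r] for r in self._roles(role))

    def can_access(self, role, perm, res):
        # Assumption: a restriction wins over any grant, direct or inherited.
        if self._holds(self.restricted, role, perm, res):
            return False
        return self._holds(self.perms, role, perm, res)

    def grant(self, grantor, perm, res, grantee):
        # Granting needs AUTHORIZE FOR the permission, not the permission itself.
        if not self._holds(self.grantable, grantor, perm, res):
            raise PermissionError(f"{grantor} may not grant {perm} on {res}")
        self.perms[grantee].add((perm, res))

def ticket_setup():
    """Superuser steps from the ticket, on the constructed model."""
    a, ks = Authz(), "patientdata"
    a.member_of["admin_guy"].add("security_admin")
    for p in ("SELECT", "MODIFY", "EXECUTE"):
        a.grantable["security_admin"].add((p, ks))
        a.restricted["security_admin"].add((p, ks))
    return a

if __name__ == "__main__":
    a = ticket_setup()
    a.grant("admin_guy", "SELECT", "patientdata", "new_nurse")
    a.grant("admin_guy", "SELECT", "patientdata", "admin_guy")  # self-grant
    print(a.can_access("new_nurse", "SELECT", "patientdata"))   # True
    print(a.can_access("admin_guy", "SELECT", "patientdata"))   # False
```

The self-grant is the case worth testing in any real implementation: without the restriction taking precedence, a role that can authorize others could simply authorize itself.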