I am developing a multi-tenant service.
Every tenant has its own user and keyspace, and can access only its own keyspace.
As new tenants are provisioned, there is a need to create new users and keyspaces.
Only a superuser can issue CREATE USER requests, so we must have a superuser account in the system. On the other hand, superusers have access to all the keyspaces, which poses a security risk.
For tenant provisioning, I would like to have a restricted account which can only create new users, without read access to keyspaces.