Create Privilege Group

To streamline the process of granting privileges, it is recommended that you combine multiple privileges into a privilege group.

Privilege group vs. privileges

A privilege group consists of multiple privileges.

Privilege group illustrated

As shown in the figure above, suppose you need to grant three different privileges to a role.

• If you do not use a privilege group, you need to grant the privileges three times.

• If you use a privilege group, you only need to create a privilege group and add the three privileges to this privilege group and grant the privilege group to Role A.

By using a privilege group, you can grant multiple privileges in bulk to a role.

Built-in privilege groups

For ease-of-use, Milvus provides a total of 9 built-in privileges on the collection, database, and instance level: COLL_RO, COLL_RW, COLL_ADMIN, DB_RO, DB_RW, DB_Admin, Cluster_RO, Cluster_RW and Cluster_Admin.

The following tables explains the privileges includes in each of the built-in privilege group.

Collection level

• COLL_RO: includes privileges to read collection data

• COLL_RW: includes privileges to read and write collection data

• COLL_ADMIN: includes privileges to read and write collection data and manage collections.

The table below lists the specific privileges included in the three built-in privilege groups at the collection level:

Privilege	CollectionReadOnly	CollectionReadWrite	CollectionAdmin
Query	✔️	✔️	✔️
Search	✔️	✔️	✔️
IndexDetail	✔️	✔️	✔️
GetFlushState	✔️	✔️	✔️
GetLoadState	✔️	✔️	✔️
GetLoadingProgress	✔️	✔️	✔️
HasPartition	✔️	✔️	✔️
ShowPartitions	✔️	✔️	✔️
ListAliases	✔️	✔️	✔️
DescribeCollection	✔️	✔️	✔️
DescribeAlias	✔️	✔️	✔️
GetStatistics	✔️	✔️	✔️
CreateIndex	❌	✔️	✔️
DropIndex	❌	✔️	✔️
CreatePartition	❌	✔️	✔️
DropPartition	❌	✔️	✔️
Load	❌	✔️	✔️
Release	❌	✔️	✔️
Insert	❌	✔️	✔️
Delete	❌	✔️	✔️
Upsert	❌	✔️	✔️
Import	❌	✔️	✔️
Flush	❌	✔️	✔️
Compaction	❌	✔️	✔️
LoadBalance	❌	✔️	✔️
CreateAlias	❌	❌	✔️
DropAlias	❌	❌	✔️

Database level

• DB_RO: includes privileges to read database data

• DB_RW: includes privileges to read and write database data

• DB_Admin: includes privileges to read and write database data and manage databases.

The table below lists the specific privileges included in the three built-in privilege groups at the database level:

Privilege	DatabaseReadOnly	DatabaseReadWrite	DatabaseAdmin
ShowCollections	✔️	✔️	✔️
DescribeDatabase	✔️	✔️	✔️
CreateCollection	❌	❌	✔️
DropCollection	❌	❌	✔️
AlterDatabase	❌	✔️	✔️

Cluster level

• Cluster_RO: includes privileges to read instnace data

• Cluster_RW: includes privileges to read and write instance data

• Cluster_Admin: includes privileges to read and write instance data and manage instances.

The table below lists the specific privileges included in the three built-in privilege groups at the instance level:

Privilege	ClusterReadOnly	ClusterReadWrite	ClusterAdmin
ListDatabases	✔️	✔️	✔️
RenameCollection	❌	❌	✔️
CreateOwnership	❌	❌	✔️
UpdateUser	❌	❌	✔️
DropOwnership	❌	❌	✔️
SelectOwnership	✔️	✔️	✔️
ManageOwnership	❌	❌	✔️
SelectUser	✔️	✔️	✔️
BackupRBAC	❌	❌	✔️
RestoreRBAC	❌	❌	✔️
CreateResourceGroup	❌	❌	✔️
DropResourceGroup	❌	❌	✔️
UpdateResourceGroups	❌	✔️	✔️
DescribeResourceGroup	✔️	✔️	✔️
ListResourceGroups	✔️	✔️	✔️
TransferNode	❌	✔️	✔️
TransferReplica	❌	✔️	✔️
CreateDatabase	❌	❌	✔️
DropDatabase	❌	❌	✔️
FlushAll	❌	✔️	✔️
CreatePrivilegeGroup	❌	❌	✔️
DropPrivilegeGroup	❌	❌	✔️
ListPrivilegeGroups	❌	❌	✔️
OperatePrivilegeGroup	❌	❌	✔️

Procedures

You can create a privilege group and then add privileges to the privilege group.

Create a privilege group

The following example demonstrates how to create a privilege group named privilege_group_1.

from pymilvus import MilvusClient
client.create_privileg_group(group_name='privilege_group_1'）

import io.milvus.v2.service.rbac.request.CreatePrivilegeGroupReq;

client.createPrivilegeGroup(CreatePrivilegeGroupReq.builder()
        .groupName("privilege_group_1")
        .build());

import "github.com/milvus-io/milvus-sdk-go/v2/client"

client.CreatePrivilegeGroup(context.Background(), "privilege_group_1")

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/privilege_groups/create" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "privilegeGroupName":"privilege_group_1"
}'

Add privileges to a privilege group

The following example demonstrates how to add privileges PrivilegeBackupRBAC and PrivilegeRestoreRBAC to the privilege group privilege_group_1 that is just created.

from pymilvus import MilvusClient
client.add_privileges_to_group(group_name='privilege_group_1', privileges=['Query', 'Search'])

import io.milvus.v2.service.rbac.request.AddPrivilegesToGroupReq;

client.addPrivilegesToGroup(AddPrivilegesToGroupReq.builder()
        .groupName("privilege_group_1")
        .privileges(Arrays.asList("Query", "Search"))
        .build());

import "github.com/milvus-io/milvus-sdk-go/v2/client"

client.AddPrivilegesToGroup(context.Background(), "privilege_group_1", []string{"Query", "Search"})

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/privilege_groups/add_privileges_to_group" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "privilegeGroupName":"privilege_group_1",
    "privileges":["Query", "Search"]
}'

Remove privileges from a privilege group

The following example demonstrates how to remove the privilege PrivilegeRestoreRBAC from the privilege group privilege_group_1.

from pymilvus import MilvusClient
client.remove_privileges_from_group(group_name='privilege_group_1', privileges='Search')

import io.milvus.v2.service.rbac.request.RemovePrivilegesFromGroupReq;

client.removePrivilegesFromGroup(RemovePrivilegesFromGroupReq.builder()
        .groupName("privilege_group_1")
        .privileges(Collections.singletonList("Search"))
        .build());

import "github.com/milvus-io/milvus-sdk-go/v2/client"

client.RemovePrivilegesFromGroup(context.Background(), "privilege_group_1", []string{"Search"})

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/privilege_groups/remove_privileges_from_group" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "privilegeGroupName":"privilege_group_1",
    "privileges":["Search"]
}'

List privilege groups

The following example demonstrates how to list all existing privilege groups.

from pymilvus import MilvusClient
client.list_privilege_groups()

import io.milvus.v2.service.rbac.PrivilegeGroup;
import io.milvus.v2.service.rbac.request.ListPrivilegeGroupsReq;
import io.milvus.v2.service.rbac.response.ListPrivilegeGroupsResp;

ListPrivilegeGroupsResp resp = client.listPrivilegeGroups(ListPrivilegeGroupsReq.builder()
        .build());
List<PrivilegeGroup> groups = resp.getPrivilegeGroups();

import "github.com/milvus-io/milvus-sdk-go/v2/client"

client.ListPrivilegeGroups(context.Background())

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/privilege_groups/list" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{}'

Below is an example output.

PrivilegeGroupItem: <privilege_group:privilege_group_1>, <privileges:('Search', 'Query')>

Drop a privilege group

The following example demonstrates how to drop the privilege group privilege_group_1.

from pymilvus import MilvusClient
client.drop_privilege_group(group_name='privilege_group_1')

import io.milvus.v2.service.rbac.request.DropPrivilegeGroupReq;

client.dropPrivilegeGroup(DropPrivilegeGroupReq.builder()
        .groupName("privilege_group_1")
        .build());

import "github.com/milvus-io/milvus-sdk-go/v2/client"

client.DropPrivilegeGroup(context.Background(), "privilege_group_1")

curl --request POST \
--url "${CLUSTER_ENDPOINT}/v2/vectordb/privilege_groups/drop" \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-d '{
    "privilegeGroupName":"privilege_group_1"
}'