Users and Roles
This topic explains the definition of users, roles, objects, and privileges in role-based access control (RBAC).
Object: An object to grant or deny access to. The object can be a collection, a partition, etc.
User: A user identity with a username and a corresponding password.
Privilege: A privilege defines the actions that can be performed and resources that can be accessed. A privilege cannot be granted to a user directly. It has to be granted to a role first.
Role: A role defines the privilege(s) a user has to certain objects. After binding a role to a user, the user inherits all the privileges that are granted to this role.
The following figure illustrates the relationship between objects, privileges, roles, and users.
users_and_roles
The relationship between object, privilege, role and user.
Milvus creates a root user by default with a default password Milvus. The root user is granted the admin privileges, which means that this root user can have access to all resources and perform all actions.
If a user is bind with a public role, this user is entitled to the privileges of DescribeCollection, ShowCollections, and IndexDetail.
The following table lists the values you can choose when enabling RBAC.
| Object name | Privilege name | Relevant API description on the client side |
|---|---|---|
| Collection | CreateIndex | CreateIndex |
| Collection | DropIndex | DropIndex |
| Collection | IndexDetail | DescribeIndex/GetIndexState/GetIndexBuildProgress |
| Collection | Load | LoadCollection |
| Collection | GetLoadingProgress | GetLoadingProgress |
| Collection | Release | ReleaseCollection |
| Collection | Insert | Insert |
| Collection | Delete | Delete |
| Collection | Search | Search |
| Collection | Flush | Flush |
| Collection | Query | Query |
| Collection | GetStatistics | GetCollectionStatistics |
| Collection | Compaction | Compact |
| Collection | Alias | CreateAlias/DropAlias/AlterAlias |
| Collection | Import | BulkInsert/Import |
| Collection | LoadBalance | LoadBalance |
| Global | All | All API operation permissions in this table |
| Global | CreateCollection | CreateCollection |
| Global | DropCollection | DropCollection |
| Global | DescribeCollection | DescribeCollection |
| Global | ShowCollections | ShowCollections |
| Global | CreateOwnership | CreateUser CreateRole |
| Global | DropOwnership | DeleteCredential DropRole |
| Global | SelectOwnership | SelectRole/SelectGrant |
| Global | ManageOwnership | OperateUserRole OperatePrivilege |
| Global | CreateResourceGroup | CreateResourceGroup |
| Global | DropResourceGroup | DropResourceGroup |
| Global | DescribeResourceGroup | DescribeResourceGroup |
| Global | ListResourceGroups | ListResourceGroups |
| Global | TransferNode | TransferNode |
| Global | TransferReplica | TransferReplica |
| Global | RenameCollection | RenameCollection |
| Global | CreateDatabase | CreateDatabase |
| Global | ListDatabases | ListDatabases |
| User | UpdateUser | UpdateCredential |
| User | SelectUser | SelectUser |
Whatโs next
- Learn how to enable RBAC.