From ffc9014506788c33c9453911e0842240be9e43fd Mon Sep 17 00:00:00 2001 From: TimLFletcher Date: Tue, 18 Nov 2025 12:07:51 +0000 Subject: [PATCH] Added delete notes to the query system catalog role --- modules/learn/pages/security/roles.adoc | 30 ++++++++++++++++++++----- 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/modules/learn/pages/security/roles.adoc b/modules/learn/pages/security/roles.adoc index 8c6bc9311e..ecfffc5e57 100644 --- a/modules/learn/pages/security/roles.adoc +++ b/modules/learn/pages/security/roles.adoc @@ -1117,9 +1117,9 @@ Cannot use the Query Workbench in Couchbase Server Web Console. [#query-system-catalog] === Query System Catalog -The Query System Catalog role lets the user query the system catalog using {sqlpp}. -This access include querying `system:indexes`, `system:prepareds`, and tables listing current and past queries. -Assign this role to developers who need to query these tables when troubleshooting and debugging queries. +The Query System Catalog role lets the user query the system catalog using {sqlpp}. Importantly, this role also grants permissions to **delete** from certain in-memory system tables, which is useful for clearing caches and historical query logs without restarting a server. + +This access includes querying `system:indexes` and `system:prepareds`, as well as tables listing current and past queries. Assign this role to developers who need to query these tables when troubleshooting and debugging. The role grants Couchbase Server Web Console access. @@ -1142,12 +1142,30 @@ Cannot add, failover, remove, modify services, or rebalance servers. | Cannot list scopes or collections, create, drop, edit settings, read or write data | *Query* -| Can query system tables -| Cannot perform any other query actions. -Cannot use the Query Workbench in Couchbase Server Web Console. +| +*SELECT* from all system catalog tables. + + +Querying certain keyspaces like `system:indexes`, `system:keyspaces`, and `system:scopes` is subject to row-based filtering. The user must also have the appropriate `SELECT` privilege on the underlying keyspace or collection to see the corresponding entries. + +*DELETE* from the following in-memory system tables to clear caches and logs: +`system:active_requests` +`system:completed_requests` +`system:completed_requests_history` +`system:prepareds` +`system:functions_cache` +`system:dictionary_cache` +`system:tasks_cache` +`system:aus_settings` + +| +* Cannot perform any other query actions. +* Cannot use the Query Workbench in Couchbase Server Web Console. +* Cannot `INSERT` or `UPDATE` system catalog tables. For this functionality (available from 8.0+), see the `manage_system_catalog` role. |=== + [#manage-global-functions] === Manage Global Functions