Details
-
Improvement
-
Resolution: Unresolved
-
Major
-
None
-
5.0.0
-
None
Description
In the new RBAC scheme, running a N1QL query requires two types of permission: data permission (to access the data) and query permission (to run the statement itself). Preparing a statement or explaining a statement currently require the same permissions as running the query directly.
But should we actually require the data permission to merely prepare or explain the statement? These actions doesn't access any data, and doesn't return any. So why require data permission?
The thinking here is that some debugging and troubleshooting roles requires the ability to work with queries, but not necessarily to run them.