Skip to main content

Access Control

ApertureDB supports role-based access control. Roles can be created and users have one or more roles assigned to it.


A role defines permissions over objects, indexes, and users/roles <access_control>. The different supported permissions are for Create, Read, Update, and Delete (CRUD) over the objects, indexes, and users/roles:

  • Objects: elements in the database (app-defined entities, images, videos, etc)
  • Indexes: indexes over the properties of the objects.
  • Users/Roles: access control information.

Each role has certain permissions assigned on whether or not it can perform actions on users and roles, this is, Create, Read, Update, and Delete users or roles.

Each role has a name.

An example of a role can be "researcher", "user", or "datascientist". Users with "researcher" role assigned to them could be allowed to read objects in the database but not allowed to perform any change to the objects, indexes, and users/roles.

By default, the database always has an "admin" role that has permissions to perform any action on the database, as well as an "admin" user that is assigned the "admin" role. The "admin" user can, thus, perform any action in the database.


A user defines access credentials for a database user.

Each user has a username, a password, and, optionally, a set of tokens assigned to it.

A password is a combination or characters only known to the user, represented as a string. Accepted characters are: uppercase, lowercase, numeric, and the following special characters: ! @ # \$ % ^ & * ( ) _ + , - = \< > ? . , [ ] { }

A password must be at least 10 characters long, and contain letters, numbers, and symbols.

A token is a string that can be used instead of the password. This allows a user to define different tokens for different use-cases, if needed.