cb-analytics-security

Use this skill when the user wants to manage Couchbase users, groups, roles, or check permissions on the cluster — creating service accounts, rotating passwords, granting analytics privileges, or auditing who can do what. Trigger when they mention "user", "group", "role", "RBAC", "permission", "upsert_user", "check_permissions", "local domain", "external domain", or "analytics_reader" / "analytics_admin".
celticht32/Couchbase-Skills-for-Claude.ai · ★ 1 · AI & Automation · score 75
Install: claude install-skill celticht32/Couchbase-Skills-for-Claude.ai
# Couchbase RBAC via cb-analytics-mcp

You have 9 RBAC tools: list/get/upsert/delete user, list/upsert/delete group, list roles, and check permissions.

## The two domains

Couchbase users live in one of two domains:

- **local** — created and managed inside Couchbase itself.
- **external** — authenticated via LDAP / SAML / PAM, mirrored locally with role bindings.

Every user-related tool takes a `domain` argument. If you list users without a domain you get both.

## Role-spec format

`roles` is a single comma-separated string, never a list. Each role can be unscoped or scoped:

```
analytics_reader[*]                       # all buckets
analytics_select[bucket1]                 # one bucket
analytics_select[bucket1:scope1]          # one scope
analytics_admin[*],query_select[bucket1]  # multiple roles
```

Use `list_roles()` first if you don't know what's available — it returns every role the cluster supports, with descriptions.

## Creating a service account

For Claude itself, or any automation, create a least-privileged user:

```
upsert_user(
    domain="local",
    username="cb-mcp",
    roles="analytics_reader[*],analytics_select[*]",
    password="<generated>",
    full_name="cb-analytics-mcp service account"
)
```

**Never** use `analytics_admin` or `cluster_admin` for the MCP server's cluster credentials in production. Grant only what the workflow needs.

## Password handling

The password is passed as a plain string into the tool and immediately wrapped in `Secr
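
A pre-flight check for the role-spec format and the service-account rule described above, as an added example that is not code from the skill or from cb-analytics-mcp: it parses a `roles` string and flags admin roles before the string is handed to `upsert_user`. The names `parse_roles` and `audit_roles`, the `deny`/`review` labels, and the choice to mark `[*]` for review are assumptions made for this illustration.

```python
import re

# Roles the page says must never back the MCP server's production credentials.
FORBIDDEN = {"analytics_admin", "cluster_admin"}

# Forms shown on the page: role, role[*], role[bucket], role[bucket:scope].
_ROLE_RE = re.compile(r"^([a-z_]+)(?:\[([^\[\]:,]+)(?::([^\[\]:,]+))?\])?$")


def parse_roles(spec):
    """Split a role-spec string into (role, bucket, scope) tuples."""
    if not isinstance(spec, str):
        raise TypeError("roles must be one comma-separated string, not a list")
    parsed = []
    for item in spec.split(","):
        match = _ROLE_RE.match(item.strip())
        if match is None:
            raise ValueError(f"malformed role entry: {item!r}")
        parsed.append(match.groups())
    return parsed


def audit_roles(spec):
    """Return (severity, role) findings for a service-account role string."""
    findings = []
    for role, bucket, _scope in parse_roles(spec):
        if role in FORBIDDEN:
            findings.append(("deny", role))      # admin role on a service account
        elif bucket == "*":
            findings.append(("review", role))    # assumption: wildcard worth narrowing
    return findings


if __name__ == "__main__":
    # Constructed inputs, taken from the role strings shown on the page.
    for spec in ("analytics_reader[*],analytics_select[*]",
                 "analytics_admin[*],query_select[bucket1]"):
        print(spec, "->", audit_roles(spec))
```
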