Role-based access control (RBAC) lets you define roles with specific sets of permissions. You can then assign users to these roles to provide appropriate levels of access.

RBAC effectively lets you implement the principle of least privilege. For example, you can provide read-only access to an application whose only job is to display Redis data. Similarly, you can prevent new developers from running dangerous administrative commands.

Prerequisites

To use role-based access control, your Redis Cloud database needs to support Redis version 6.0.0 or later.

The Redis version of a database is displayed in the General section of the Configuration tab of the database detail screen.

Set up RBAC

To set up RBAC, first navigate to the Data Access Control screen.

There are three tabs on this screen: Users, Roles, and Redis ACLs.

In the Redis ACLs tab, you define named permissions for specific Redis commands, keys, and pub/sub channels.

In the Roles tab, you create roles. Each role consists of a set of permissions for one or more Redis Cloud databases.

Finally, in the Users tab, you create users and assign each user a role.

OSS Redis ACLs vs. Redis Enterprise Cloud RBAC

In open source Redis, you can create users and assign ACLs to them using the ACL command. However, open source Redis does not support generic roles.

In Redis Enterprise Cloud, you configure RBAC using the admin console. As a result, certain open source Redis ACL subcommands are not available in Redis Cloud. The following table shows which ACL commands are supported.

Command Supported
ACL CAT ✅ Supported
ACL DELUSER ❌ Not supported
ACL GENPASS ❌ Not supported
ACL GETUSER ✅ Supported
ACL HELP ✅ Supported
ACL LIST ✅ Supported
ACL LOAD ❌ Not supported
ACL LOG ❌ Not supported
ACL SAVE ❌ Not supported
ACL SETUSER ❌ Not supported
ACL USERS ✅ Supported
ACL WHOAMI ✅ Supported

In open source Redis, you must explicitly provide access to the MULTI, EXEC, and DISCARD commands. In Redis Cloud, these commands, which are used in transactions, are always permitted. However, the commands run within the transaction block are subject to RBAC permissions.

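When you run a multi-key command on keys that span multiple slots, the command returns a failure, but it still runs on the keys that are allowed. Treat such a failure as a possible partial execution rather than as a sign that nothing changed.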
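
Because ACL LIST is one of the supported subcommands, you can audit its output for users whose rules break least privilege. The following is an added example, not code from the Redis documentation: the sample lines are constructed in the open source Redis ACL LIST format, and the function names and the choice of which rules to flag are assumptions.

```python
# Added example: flag over-broad rules in ACL LIST output.
# SAMPLE_ACL_LIST is constructed; replace it with the lines your database returns.
FAKE_HASH = "#" + "0" * 64  # placeholder for a SHA-256 password hash
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    f"user dashboard on {FAKE_HASH} ~cache:* resetchannels -@all +@read",
    f"user ops on {FAKE_HASH} ~* resetchannels +@all -@dangerous",
    "user legacy off nopass ~* &* +@all",
]
RISKY_CATEGORIES = {"all", "dangerous"}

def audit_user(line):
    """Return (username, findings) for one 'user ...' line of ACL LIST output."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    name, rules = tokens[1], tokens[2:]
    if "off" in rules:
        return name, []  # disabled users cannot authenticate
    findings = []
    if "nopass" in rules:
        findings.append("no password required")
    if "~*" in rules or "allkeys" in rules:
        findings.append("can access every key")
    if "&*" in rules or "allchannels" in rules:
        findings.append("can access every pub/sub channel")
    # Command rules apply left to right, so a later -@dangerous narrows +@all.
    # Coarse heuristic: tracks category-level rules only, not single commands.
    granted = set()
    for rule in rules:
        if rule in ("+@all", "allcommands"):
            granted = set(RISKY_CATEGORIES)
        elif rule in ("-@all", "nocommands"):
            granted.clear()
        elif rule[:2] == "+@" and rule[2:] in RISKY_CATEGORIES:
            granted.add(rule[2:])
        elif rule[:2] == "-@" and rule[2:] in RISKY_CATEGORIES:
            granted -= {rule[2:], "all"}
    findings += [f"command category @{c} allowed" for c in sorted(granted)]
    return name, findings

def audit(lines):
    """Map each enabled user with at least one finding to its findings."""
    results = (audit_user(line) for line in lines)
    return {name: found for name, found in results if found}

if __name__ == "__main__":
    for user, found in audit(SAMPLE_ACL_LIST).items():
        print(f"{user}: {'; '.join(found)}")
```

In the sample, `dashboard` matches the read-only application described earlier and produces no findings, while `default` and `ops` are reported.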