couchbase · ggray-cb · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025
diff --git a/modules/introduction/partials/new-features-80.adoc b/modules/introduction/partials/new-features-80.adoc
@@ -158,7 +158,6 @@ When Hybrid is selected:
 This mode enhances flexibility for clients while enforcing strict security for node-to-node communication.
 +
 For more information, see xref:manage:manage-security/enable-client-certificate-handling.adoc[Enable Client Certificate Handling].
-=======
 
 https://jira.issues.couchbase.com/browse/MB-11575[MB-11575]::
 XDCR now supports the identification of Incoming Replications on a cluster.
@@ -253,6 +252,15 @@ The Backup Service in  Couchbase Sever 8.0 or later also performs these changes
 +
 NOTE: If the user restoring a backup does not have a role that allows them to restore specific roles to a user in the backup, the backup server skips restoring that user. 
 
+[#MB-67164]
+https://jira.issues.couchbase.com/browse/MB-67164[MB-67164 Add Read-Only Security Admin Role and Remove Security Privileges from Read-Only Admin]::
+To better segment security privileges, Couchbase Server 8.0 removes the security privileges from the Read-Only Admin (`ro_admin`) role. 
+It also adds a new Read-Only Security Admin (`ro_security_admin`) role that lets the user view security details except for listing users and groups.
+
++
+When you upgrade to Couchbase Server 8.0, the upgrade process automatically grants the Read-Only Security Admin role to users who have the Read-Only Admin role.
+This grant lets users with the Read-Only Admin role still have the same privileges they had before the upgrade.
+
 See xref:learn:security/roles.adoc[] for more information.
 
 [#section-new-feature-800--tools]

diff --git a/modules/learn/pages/security/certificates.adoc b/modules/learn/pages/security/certificates.adoc
@@ -31,7 +31,7 @@ This page provides a general overview of using certificates with Couchbase Serve
 It assumes you know the basics of Transport Layer Security (TLS) and certificates. 
 To learn more about these topics, see the Wikipedia article on  https://en.wikipedia.org/wiki/Public_key_certificate[Public key certificate^],  and OpenSSL's https://wiki.openssl.org/index.php/Command_Line_Utilities[Command Line Utilities] page.
 
-Managing certificates requires Full Admin, Local User Security Admin, or External User Security Admin privileges.
+Managing certificates requires the Full Admin or Security Admin roles.
 
 For step-by-step instructions for creating and deploying certificate for Couchbase Server and clients, see xref:manage:manage-security/configure-server-certificates.adoc[Configure Server Certificates] and xref:manage:manage-security/configure-client-certificates.adoc[Configure Client Certificates].
 

diff --git a/modules/learn/pages/security/roles.adoc b/modules/learn/pages/security/roles.adoc
@@ -100,13 +100,20 @@ This role is also available in Couchbase Server Community Edition.
 === Read-Only Admin
 
 The Read-Only Admin role lets the user read Couchbase Server settings and statistics. 
-This information includes registered usernames with roles and authentication domains, but excludes passwords.
 Users with this role can also read Backup Service data to monitor backup plans and tasks.
 
 The role lets the user log into the Couchbase Server Web Console.
 
 This role is also available in Couchbase Server Community Edition.
 
+NOTE: Prior to Couchbase Server 8.0, this role allowed the user to read security information including listing users and groups.
+In 8.0, these permissions were split off into the <<#ro-security-admin>> role.
+The Read-Only Admin role now does not allow access to any of the security information.
+
++
+When you upgrade Couchbase Server from a version earlier than 8.0 to 8.0 or later, the upgrade process grants any user with this role the <<#ro-security-admin>> role as well.
+Granting this role lets the user retain the privileges they had in prior versions.
+
 [#table_read_only_admin_role,cols="1,2,2,hrows=2"]
 |===
 3+^|  Role: Read-Only Admin (`ro_admin`)
@@ -132,8 +139,8 @@ h| Restrictions
 | Cannot list incoming replications, or add or edit replications.
 
 | *Security* 
-| Can view settings for SAML, certificates, encryption at rest, audits, and other settings.
-| Cannot change settings.
+| None.
+| All.
 
 | *Settings*
 | View all settings
@@ -235,6 +242,78 @@ h| Restrictions
 |===
 
 
+[#ro-security-admin]
+=== Read-Only Security Admin
+
+The Read-Only Security Admin role lets the user view all security settings except for listing users and groups.
+
+This role lets the user log into the Couchbase Server Web Console.
+
+NOTE: This role is new in Couchbase Server 8.0. 
+It was created to separate security privileges from the Read-Only Admin role.
+The upgrade process from prior versions to Couchbase Server 8.0 or later grants this role to users that had the Read-Only Admin.
+This grant ensures the user retains the privileges they had in prior versions.
+
+[#table_ro_security_admin_role,cols="1,2,2,hrows=2"]
+|===
+3+^| Role: Read-Only Security Admin (`ro_security_admin`)
+
+h| Resource
+h| Permissions
+h| Restrictions
+
+| *Servers* 
+| View configuration and statistics
+| Cannot add, failover, remove, modify services, or rebalance
+
+| *Buckets*
+| List buckets, scopes, and collections
+| Cannot create, drop, or edit settings, or read or write data
+
+| *Backup*
+| None
+| All 
+
+| *XDCR* 
+| List outgoing replications
+| Cannot create, start, alter connections
+
+| *Security* 
+| View LDAP, SAML, certificates, encryption at rest, audit, and logging settings.
+| Cannot make any changes to security settings.
+Cannot view or change users or groups.
+
+| *Settings*
+| View
+| Change
+
+| *Logs*
+| View
+| Collect Information
+
+| *Query*
+| None
+| All
+
+| *Search*
+| None
+| All
+
+| *Analytics*
+| None
+| All
+
+| *Eventing*
+| None
+| All
+
+| *Views*
+| None
+| All
+
+|===
+
+
 [#local-user-security-admin]
 === Local User Admin
 
@@ -530,7 +609,6 @@ Cannot add or edit replications.
 
 |===
 
-
 [#backup-full-admin]
 === Backup Full Admin
 
@@ -1146,7 +1224,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 
 
 [#manage-scope-functions]
-=== Manage Scope Functions (Query and Index)
+=== Manage Scope Functions
 
 The Manage Scope Functions role lets the user create and drop user-defined {sqlpp} functions for one or more scopes.
 When granting this role, You select the scopes where  the user can manage user-defined functions.
@@ -1347,7 +1425,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 
 
 [#query-sequential-scan]
-=== Query Use Sequential Scan
+=== Query Use Sequential Scans
 
 The Query Use Sequential Scan role allows users' queries to perform a sequential scan of a keyspace.
 The query planner only uses a sequential scan when no suitable index exists for the keyspace. 
@@ -1360,7 +1438,7 @@ This role does not let the user log into Couchbase Server Web Console.
 
 [#table_query_use_sequential_scans_role,cols="1,2,2,hrows=2]
 |===
-3+^|  Role: Query Use Sequential Scan (`query_use_sequential_scans`)
+3+^|  Role: Query Use Sequential Scans (`query_use_sequential_scans`)
 
 h| Resource
 h| Permissions
@@ -1624,7 +1702,7 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 |===
 
 [#query_manage_sequences]
-=== Query Manage Sequences
+=== Manage Sequences
 
 This role lets the user manage sequences for one or more scopes. 
 See xref:n1ql:n1ql-language-reference/sequenceops.adoc[] for more information about sequences.
@@ -1635,7 +1713,7 @@ This role lets the user log into Couchbase Server Web Console.
 [#table_query_manage_sequences_role,cols="1,2,2,hrows=2]
 |===
 
-3+^| Role: Query Manage Sequences (`query_manage_sequences`)
+3+^| Role: Manage Sequences (`query_manage_sequences`)
 
 h| Resource
 h| Permissions
@@ -1660,7 +1738,7 @@ Cannot manage sequences in buckets they do have not assigned to them.
 
 
 [#query_use_sequences]
-=== Query Use Sequences
+=== Use Sequences
 
 This role lets the user incorporate sequences into their queries in one or more scopes.
 When you grant this role, you choose the scopes where the user can use sequences.
@@ -1671,7 +1749,7 @@ This role lets the user log into Couchbase Server Web Console.
 [#table_query_use_sequences_role,cols="1,2,2,hrows=2]
 |===
 
-3+^| Role: Query Manage Sequences (`query_use_sequences`)
+3+^| Role: Manage Sequences (`query_use_sequences`)
 
 h| Resource
 h| Permissions
@@ -1730,7 +1808,6 @@ Cannot use the Query Workbench in Couchbase Server Web Console.
 |===
 
 
-
 == Search Roles
 
 The following roles give users privileges to the xref:learn:services-and-indexes/services/search-service.adoc[] features.

diff --git a/modules/manage/pages/manage-security/manage-auditing.adoc b/modules/manage/pages/manage-security/manage-auditing.adoc
@@ -13,8 +13,8 @@ The records created by the Couchbase Auditing facility capture information on _w
 The records are created by Couchbase Server-processes, which run asynchronously.
 Each record is stored as a JSON document, which can be retrieved and inspected.
 
-Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles.
-The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles.
+Users with the Full Admin or Security Admin roles can configure Auditing.
+Users with the Full Admin, Security Admin, or Read-Only Security Admin roles can view the audit configuration.
 
 A conceptual overview of event auditing can be found in xref:learn:security/auditing.adoc[Auditing].
 See the reference page xref:audit-event-reference:audit-event-reference.adoc[Audit Event Reference], for a complete list of the events that can be audited.

diff --git a/modules/manage/pages/manage-statistics/manage-statistics.adoc b/modules/manage/pages/manage-statistics/manage-statistics.adoc
@@ -47,11 +47,12 @@ Additional information can be displayed by left-clicking on the *Node Resources*
 === Dashboard Access
 
 All chart-content is provided by _bucket_.
-Users whose roles allow them both to access Couchbase Web Console _and_ see administrative details on one or more buckets are able to see the default chart-content for those buckets.
-For example, the *Full Admin*, *Cluster Admin*, *Read Only Admin*, *Local User Security Admin*, and *External User Security Admin* roles permit display of charts for all buckets defined on the cluster; while the *Bucket Admin* role permits display of charts only for those buckets to which the role has been applied.
+Users whose roles grant them access to Couchbase Web Console and see administrative details on one or more buckets are able to see the default chart-content for those buckets.
+For example, users with the Full Admin, Cluster Admin, Read Only Admin, Security Admin, or Read-Only Security Admin roles can display the charts for all buckets in the cluster.
+The Bucket Admin role allows a user to display of charts of buckets to which they were granted administrator access.
 
 Users who can see the default content for some or all buckets can also create their own, customized content for those buckets.
-Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a *Full Admin* creates customized content, it is visible only to the *Full Admin*, not to any other user.
+Note that customized content is saved on Couchbase Server only on a _per user_ basis: therefore, for example, when a Full Admin creates customized content, it is visible only to the Full Admin, not to any other user.
 
 [#dashboard-controls]
 === Dashboard Controls

diff --git a/modules/rest-api/pages/change-master-password.adoc b/modules/rest-api/pages/change-master-password.adoc
@@ -14,7 +14,7 @@ POST /node/controller/changeMasterPassword
 == Description
 
 This command sets the master password for the current node.
-The *Full Admin*, *Local User Security Admin*, or *External User Security Admin* role is required.
+
 
 For a full description of system secrets and their management, see xref:manage:manage-security/manage-system-secrets.adoc[Manage System Secrets].
 
@@ -26,6 +26,13 @@ curl -X POST http://127.0.0.1:8091/node/controller/changeMasterPassword
  -d newPassword=<new-password>
 ----
 
+== Required Privileges
+
+You must have one of the following roles to change the master password:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+
 == Responses
 
 Success returns `200 OK`.

diff --git a/modules/rest-api/pages/get-trusted-cas.adoc b/modules/rest-api/pages/get-trusted-cas.adoc
@@ -20,9 +20,7 @@ Note that this list is therefore _complete_ and _cluster-wide_.
 
 Note that although support of multiple root certificates is only available in versions of Couchbase Server that are 7.1 and later, this API _can_ be used on clusters that are running different versions of Couchbase Server, some of which are prior to 7.1.
 
-This method and endpoint can be used by unauthorized users: however, cluster-private details are redacted from the output.
-For all details to be returned, the user must have the Full Admin, the Local User Security Admin, or the External User Security Admin role.
-See the examples provided in xref:#output-redaction[Output Redaction], below.
+
 
 [#curl-syntax]
 == Curl Syntax
@@ -34,6 +32,19 @@ curl -X GET http://<ip-address-or-domain-name>:8091/pools/default/trustedCAs
  -u <username>:<password>
 ----
 
+== Required Privileges
+
+Any user can call this method and endpoint.
+However, they will only see a redacted version which does not include cluster-private details.
+See the examples <<#output-redaction>> to see what is omitted.
+
+
+To see all details of the returned objects, the user must have one of the following roles:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin]
+
 [#responses]
 == Responses
 

diff --git a/modules/rest-api/pages/load-trusted-cas.adoc b/modules/rest-api/pages/load-trusted-cas.adoc
@@ -19,7 +19,7 @@ Loads trusted certificates into the Couchbase-Server trust store.
 All loaded certificates can be accessed by all nodes.
 Loaded CA (or _root_) certificates can be used to provide authority to the cluster's nodes, and can be used to authenticate clients' access-attempts.
 
-The Full Admin, the Local User Security Admin, or the External User Security Admin role is required.
+
 
 Note the following:
 
@@ -66,6 +66,13 @@ curl -X POST http://<ip-address-or-domain-name>:8091/node/controller/loadTrusted
  -u <username>:<password>
 ----
 
+== Required Privileges
+
+To load trusted CA certificates, you must have one of the following roles:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+
 [#responses]
 == Responses
 

diff --git a/modules/rest-api/pages/rest-auditing.adoc b/modules/rest-api/pages/rest-auditing.adoc
@@ -28,8 +28,18 @@ A _filterable_ event is an event that can be individually disabled, even when ev
 Events that are not filterable are not included in the list returned by `GET /settings/audit/descriptors`. +
 Events that are not filterable can be retrieved using the `GET` method `/settings/audit/nonFilterableDescriptors`
 
-Auditing can be configured by the *Full Admin* and the *Local User Security Admin* roles.
-The auditing configuration can be read by the *Full Admin*, the *Local User Security Admin*, and the *Read-Only Admin* roles.
+== Required Privileges
+
+To read auditing settings, you must have one of the following roles:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+
+To change auditing settings, you must have one of the following roles:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
 
 == Curl Syntax
 

diff --git a/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc b/modules/rest-api/pages/rest-cluster-autofailover-settings.adoc
@@ -17,7 +17,7 @@ GET /settings/autoFailover
 The `GET /settings/autoFailover` HTTP method and URI retrieve auto-failover settings for the cluster.
 
 Auto-failover settings are global, and apply to all nodes in the cluster.
-To read auto-failover settings, one of the following roles is required: Full Admin, Cluster Admin, Read-Only Admin, Backup Full Admin, Eventing Full Admin, Local User Security Admin, External User Security Admin.
+
 
 == Curl Syntax
 
@@ -27,6 +27,23 @@ curl -X GET http://<ip-address-or-hostname>:8091/settings/autoFailover
   -u <username>:<password>
 ----
 
+== Required Privileges
+
+You must have one of the following roles to retrieve auto-failover settings:
+
+* xref:learn:security/roles.adoc#full-admin[Full Admin]
+* xref:learn:security/roles.adoc#backup-full-admin[Backup Full Admin]
+* xref:learn:security/roles.adoc#bucket-admin[Bucket Admin]
+* xref:learn:security/roles.adoc#cluster-admin[Cluster Admin]
+* xref:learn:security/roles.adoc#eventing-full-admin[Eventing Full Admin]
+* xref:learn:security/roles.adoc#xdcr-admin[XDCR Admin]
+* xref:learn:security/roles.adoc#read-only-admin[Read-Only Admin]
+* xref:learn:security/roles.adoc#ro-security-admin[Read-Only Security Admin]
+* xref:learn:security/roles.adoc#security-admin[Security Admin]
+* xref:learn:security/roles.adoc#external-user-security-admin[External User Admin]
+* xref:learn:security/roles.adoc#local-user-security-admin[Local User Admin]
+* xref:learn:security/roles.adoc#views-admin[Views Admin]
+
 == Responses
 
 Success returns `200 OK`, and an object that contains the following parameters: