Enterprise Access Control
Manage users, roles, and LDAP integration for Redis Enterprise.
Users
List Users
redisctl enterprise user list [OPTIONS]
Examples:
# List all users
redisctl enterprise user list
# Table format
redisctl enterprise user list -o table
# Get usernames and roles
redisctl enterprise user list -q "[].{name:name,role:role,email:email}"
Get User
redisctl enterprise user get <ID> [OPTIONS]
Create User
redisctl enterprise user create --data <JSON>
Examples:
# Create admin user
redisctl enterprise user create --data '{
"name": "admin",
"email": "admin@example.com",
"password": "SecurePass123!",
"role": "admin"
}'
# Create viewer user
redisctl enterprise user create --data '{
"name": "viewer",
"email": "viewer@example.com",
"password": "ViewPass123!",
"role": "db_viewer"
}'
Update User
redisctl enterprise user update <ID> --data <JSON>
Examples:
# Change password
redisctl enterprise user update 2 --data '{"password": "NewPass123!"}'
# Update role
redisctl enterprise user update 2 --data '{"role": "db_member"}'
Delete User
redisctl enterprise user delete <ID>
Roles
List Roles
redisctl enterprise role list
Get Role
redisctl enterprise role get <ID>
Create Role
redisctl enterprise role create --data <JSON>
Example:
redisctl enterprise role create --data '{
"name": "custom-role",
"management": "db_member"
}'
Built-in Roles
| Role | Description |
|---|---|
| admin | Full cluster access |
| cluster_member | Cluster management, no user management |
| cluster_viewer | Read-only cluster access |
| db_member | Database management |
| db_viewer | Read-only database access |
Redis ACLs
Manage Redis ACL rules for database-level access control.
List ACLs
redisctl enterprise acl list
Get ACL
redisctl enterprise acl get <ID>
Create ACL
redisctl enterprise acl create --data <JSON>
Examples:
# Read-only ACL
redisctl enterprise acl create --data '{
"name": "readonly",
"acl": "+@read ~*"
}'
# All commands, restricted to app:* keys
redisctl enterprise acl create --data '{
"name": "app-writer",
"acl": "+@all ~app:*"
}'
Common ACL Patterns
| Pattern | Description |
|---|---|
| +@all ~* | Full access |
| +@read ~* | Read-only |
| +@write ~prefix:* | Write to prefix:* keys |
| -@dangerous | Deny dangerous commands |
| +get +set ~* | Only GET and SET |
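The patterns above can be checked mechanically before an ACL is created. The following is an added example, not part of redisctl or its documentation: a POSIX shell function that reads a rule string left to right and reports whether dangerous commands are still reachable and whether the rule covers every key. The name `lint_acl` and the finding labels are hypothetical, and only the token forms shown on this page are interpreted.

```shell
#!/bin/sh
# Added example (not redisctl code): lint the "acl" string of a Redis ACL object.
# lint_acl and the finding labels are hypothetical names chosen for this example.
# Assumptions: only the token forms shown on this page are interpreted
# (+@category, -@category, ~pattern); single commands such as +get are not scored.
# Redis applies rules left to right, and categories overlap with @dangerous
# (KEYS is in @read, FLUSHALL is in @write), so a category grant is only
# treated as safe when a later -@dangerous (or -@all) follows it.

lint_acl() (
  set -f                 # no pathname expansion: "~*" must stay a literal token
  dangerous=0
  all_keys=0
  for tok in $1; do
    case $tok in
      -@dangerous|-@all) dangerous=0 ;;   # strips dangerous commands granted so far
      +@*)               dangerous=1 ;;   # any category grant may re-add them
      '~*')              all_keys=1 ;;    # rule applies to every key
    esac
  done
  out=""
  if [ "$dangerous" -eq 1 ]; then out="dangerous-not-denied"; fi
  if [ "$all_keys" -eq 1 ]; then out="${out:+$out }all-keys"; fi
  printf '%s\n' "${out:-ok}"
)

# Constructed sample rules: the page's patterns plus two orderings of -@dangerous.
while IFS= read -r rule; do
  printf '%-28s %s\n' "$rule" "$(lint_acl "$rule")"
done <<'EOF'
+@all ~*
+@read ~*
+@write ~prefix:*
+get +set ~*
+@all -@dangerous ~app:*
-@dangerous +@all ~app:*
EOF
```

The last two sample rules differ only in token order: placing `-@dangerous` before `+@all` leaves the dangerous commands granted.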
LDAP Integration
Get LDAP Configuration
redisctl enterprise ldap get-config
Update LDAP Configuration
redisctl enterprise ldap update-config --data <JSON>
Example:
redisctl enterprise ldap update-config --data '{
"protocol": "ldaps",
"servers": [
{"host": "ldap.example.com", "port": 636}
],
"bind_dn": "cn=admin,dc=example,dc=com",
"bind_pass": "password",
"base_dn": "dc=example,dc=com",
"user_dn_query": "(uid=%u)"
}'
LDAP Mappings
Map LDAP groups to Redis Enterprise roles.
# List mappings
redisctl enterprise ldap list-mappings
# Create mapping
redisctl enterprise ldap create-mapping --data '{
"name": "admins-mapping",
"ldap_group_dn": "cn=admins,ou=groups,dc=example,dc=com",
"role": "admin"
}'
Examples
Set Up Service Account
# Create user for application
redisctl enterprise user create --data '{
"name": "myapp",
"email": "myapp@service.local",
"password": "ServicePass123!",
"role": "db_member"
}'
Audit User Access
# List all users with their roles
redisctl enterprise user list \
-q "[].{name:name,email:email,role:role,auth_method:auth_method}" \
-o table
Rotate All Passwords
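# Each new password is printed in plaintext and is also visible in the
# process argument list: run this from a trusted host and capture the
# output into a secrets store rather than a terminal log.
for user in $(redisctl enterprise user list -q '[].uid' --raw); do
  # 16 random bytes, base64-encoded (no characters that need JSON escaping)
  NEW_PASS=$(openssl rand -base64 16)
  redisctl enterprise user update "$user" --data "{\"password\": \"$NEW_PASS\"}"
  echo "User $user: $NEW_PASS"
done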
Troubleshooting
"Authentication failed"
- Check username/password
- Verify user exists:
redisctl enterprise user list
- Check user role has required permissions
"LDAP connection failed"
- Verify LDAP server is reachable
- Check bind credentials
- Verify SSL certificates for LDAPS
"ACL denied"
- Check ACL rules:
redisctl enterprise acl get <id>
- Verify user is associated with correct ACL
API Reference
REST endpoints:
- GET/POST /v1/users - User management
- GET/POST /v1/roles - Role management
- GET/POST /v1/redis_acls - Redis ACL management
- GET/PUT /v1/cluster/ldap - LDAP configuration
- GET/POST /v1/ldap_mappings - LDAP mappings
For direct API access: redisctl api enterprise get /v1/users