Arctic Privileges
The following sections describe the supported privileges for Arctic catalogs and each type of securable object in an Arctic catalog.
Catalog Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on Arctic catalogs:
| Privilege | Description |
|---|---|
| ALTER REFLECTION | Create, edit, and view reflections on tables and views in the Arctic catalog. Includes all interfaces including reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| COMMIT | Perform write operations on an Arctic catalog, including insert, update, delete, merge, and truncate on tables in the catalog, merge branches, and assign branches and tags to other references. |
| CREATE BRANCH | Create branches in the Arctic catalog. |
| CREATE FOLDER | Create folders in the Arctic catalog. |
| CREATE TABLE | Create tables in the Arctic catalog. |
| CREATE TAG | Create tags in the Arctic catalog. |
| CREATE VIEW | Create views in the Arctic catalog. |
| MANAGE GRANTS | Grant and revoke privileges on an Arctic catalog. |
| MODIFY | Edit the Arctic catalog's settings, including its compute settings. |
| OWNERSHIP | Take any action on the Arctic catalog and the objects it contains, including transferring catalog ownership to another user or role, modifying catalog settings, granting and revoking user and role access, and deleting the catalog and its objects. |
| SELECT | Run SELECT queries on the tables and views in the Arctic catalog and read their schema definitions, lineages, wikis, and labels. |
| USAGE | Minimum privilege required to perform any operation on an Arctic catalog. By itself, USAGE grants access to view a catalog and its underlying folders and datasets. Additional privileges may be required for other operations; for example, users need the CREATE TABLE privilege to create tables in the catalog and the SELECT privilege to run SELECT queries on the tables and views in the catalog. Revoking the USAGE privilege effectively prevents any operation on the Arctic catalog, including operations made possible by other privileges. |
| VIEW REFLECTION | View reflections on the tables or views in the Arctic catalog. Includes all interfaces including the reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER, ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the tables and views in the catalog as well as edit their wikis and labels. |
Required Privileges for Optimization Actions
The following table lists the privileges required to perform optimization actions for an Arctic catalog:
| Action | Required Arctic Catalog-Level Privileges |
|---|---|
| Create and edit optimization compute settings | USAGE and MODIFY |
| Retrieve optimization compute settings | USAGE |
| Trigger data optimization jobs | USAGE and COMMIT |
| Cancel data optimization jobs | USAGE plus one of the following:
|
| Retrieve details about data optimization jobs with the Arctic Jobs API | USAGE plus one of the following:
|
| List data optimization jobs | USAGE plus one of the following:
|
| Create and edit data optimization schedules | USAGE and COMMIT |
| Delete data optimization schedules | USAGE plus one of the following:
|
| List data optimization schedules | USAGE plus one of the following:
|
Folder Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on folders in Arctic catalogs:
| Privilege | Description |
|---|---|
| ALTER REFLECTION | Create, edit, and view reflections on tables and views in the folder and any subfolders. Includes all interfaces including reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| CREATE FOLDER | Create subfolders in the folder. |
| CREATE TABLE | Create tables in the folder and any subfolders. |
| CREATE VIEW | Create views in the folder and any subfolders. |
| MANAGE GRANTS | Grant and revoke privileges on the folder. |
| OWNERSHIP | Take any action on the folder and the objects it contains, including transferring folder ownership to another user or role, modifying folder settings, granting and revoking user and role access, and deleting the folder and its objects. |
| SELECT | Run SELECT queries on the tables and views in the folder and any subfolders and read their schema definitions, lineages, wikis, and labels. |
| VIEW REFLECTION | View reflections on the tables or views in the folder and any subfolders. Includes all interfaces including the reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER, ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the tables and views in the folder and any subfolders as well as edit their wikis. |
Table Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on tables in Arctic catalogs:
| Privilege | Description |
|---|---|
| ALTER REFLECTION | Create, edit, and view reflections on the table. Includes all interfaces including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| MANAGE GRANTS | Grant and revoke privileges on the table. |
| OWNERSHIP | Take any action on the table, including transferring ownership to another user or role, modifying settings, granting and revoking user and role access, and deleting the table. |
| SELECT | Run SELECT queries on the table and read the the table's schema definition, lineage, wiki, and labels. |
| VIEW REFLECTION | View reflections on the table. Includes all interfaces including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER, ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the table as well as edit the table's wiki. |
View Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on views in Arctic catalogs:
| Privilege | Description |
|---|---|
| ALTER REFLECTION | Create, edit, and view reflections on the view. Includes all interfaces including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| MANAGE GRANTS | Grant and revoke privileges on the view. |
| OWNERSHIP | Take any action on the view, including transferring ownership to another user or role, modifying settings, granting and revoking user and role access, and deleting the view. |
| SELECT | Run SELECT queries on the view and read the the view's schema definition, lineage, wiki, and labels. |
| VIEW REFLECTION | View reflections on the view. Includes all interfaces including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
| WRITE | Edit the view's definition and wiki. |