Access Control

Access control lets you manage and regulate access to Arctic catalogs and the objects and data they contain by determining who can access specific objects and what actions or operations they can perform on those objects.

Access control mechanisms are fundamental to preventing unauthorized access, enforcing security policies, minimizing risks, protecting sensitive information, maintaining compliance with regulations, and ensuring that users have the appropriate level of access based on their roles and responsibilities within an organization.

Privileges

Use role-based access control (RBAC) privileges to manage which users and roles can access Arctic catalogs and the tables and views they contain, as well as the actions they can take on the catalogs, tables, and views. You can configure and manage Arctic catalog privileges in the Dremio console and grant privileges on a per-user or per-role basis.

By default, the organization owner and the catalog owner have complete access to an Arctic catalog and the tables and views it contains. All other users must be granted privileges on the Arctic catalog and its tables and views by the organization owner, the catalog owner, or a user with the MANAGE GRANTS privilege.

Granting Privileges

Arctic catalog, table, and view owners, users and roles that belong to the ADMIN role, and the organization owner can grant privileges to other users and roles in the Dremio console or with the GRANT TO USER and GRANT TO ROLE SQL commands.

note

See Transferring Ownership to learn how to manage OWNERSHIP for an Arctic catalog, table, or view.

To grant privileges on an Arctic catalog in the Dremio console:

  1. On the Organization home page, click the Arctic tile.

  2. Find the card that represents the Arctic catalog whose privileges you want to update.

  3. Click the settings icon in the top-right corner of the catalog card.

  4. Select the Privileges tab in the catalog settings sidebar.

  5. In the search field under Add User/Role, enter the name of a user or role.

  6. In the list of search results, click to select the user or role you want to assign privileges for.

  7. Click the Add to Privileges button.

  8. Select the checkboxes for the desired privileges you want to assign for each user or role.

  9. Click Save.

To grant privileges on a table or view in an Arctic catalog or source:

  1. Click the settings icon at the right side of the row for the table or view in the Arctic catalog or source.

  2. Select the Privileges tab in the dataset settings sidebar.

  3. In the search field under Add User/Role, enter a username or role. In the list of search results, click to select the user or role you want to assign privileges for.

  4. Click the Add to Privileges button.

  5. Select the checkboxes for the desired privileges you want to assign for each user or role.

  6. Click Save.

Revoking Privileges

Arctic catalog, table, and view owners, users and roles that belong to the ADMIN role, and the organization owner can revoke privileges from other users and roles in the Dremio console or with the REVOKE FROM USER and REVOKE FROM ROLE SQL commands.

To revoke privileges on an Arctic catalog in the Dremio console:

  1. On the Organization home page, click the Arctic tile.

  2. Find the card that represents the Arctic catalog whose privileges you want to update.

  3. Click the settings icon in the top-right corner of the catalog card.

  4. Select the Privileges tab in the catalog settings sidebar.

    • To revoke only some privileges for a user or role, uncheck the checkboxes for the privileges you want to revoke.

    • To revoke all privileges for a user or role, click the options icon to the right of the user or role name and select Remove.

      • In the Remove user/role? confirmation dialog window, click Yes.

  5. Click Save.

To revoke privileges on a table or view in an Arctic catalog or source:

  1. Click the settings icon at the right side of the row for the table or view in the Arctic catalog or source.

  2. Select the Privileges tab in the dataset settings sidebar.

    • To revoke only some privileges for a user or role, uncheck the checkboxes for the privileges you want to revoke.

    • To revoke all privileges for a user or role, click the options icon to the right of the user or role name and select Remove.

      • In the Remove user/role? confirmation dialog window, click Yes.

  3. Click Save.

Scope

Scope refers to the objects a user or role can access. Privileges assigned at the Arctic catalog level determine the actions users and roles can take on the catalog itself. In addition to catalog-level privileges, privileges must be assigned on the individual tables and views in an Arctic catalog to determine the actions users and roles can take on those tables and views.

For example, if a user is granted the USAGE privilege on an Arctic catalog, the user can view the catalog but cannot view or query any tables or views in the catalog. The user may not access other Arctic catalogs or the objects they contain. To run SELECT queries on tables and views in the catalog, the user needs the USAGE privilege on the Arctic catalog as well as the SELECT privilege on the tables and views.

Privileges that are granted on a table or view on any branch in an Arctic catalog apply to all branches where the table or view exists. For example, suppose Table1 exists on the main, staging, and qa branches of Catalog1. If User1 is granted the SELECT privilege on Table1 on the main branch, User1 also has the SELECT privilege on Table1 on the staging and qa branches.
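The following statements show the scope rules above expressed through the GRANT TO USER, GRANT TO ROLE, REVOKE FROM USER and REVOKE FROM ROLE commands the page names. This is an added example, not from the Dremio documentation; Catalog1, Table1, user1 and the analysts role are illustrative, and the ON CATALOG / ON TABLE object keywords and identifier quoting are assumptions to check against the Dremio SQL reference.

```sql
-- Added example: illustrative names, not from the page or the product docs.

-- 1. USAGE alone lets user1 see Catalog1 but read no table or view in it.
GRANT USAGE ON CATALOG Catalog1 TO USER user1;

-- 2. SELECT on the table is required in addition to USAGE on the catalog.
--    The grant is branch-wide: it applies on main, staging and qa alike,
--    so no branch is named here (an AT BRANCH clause would not narrow it).
GRANT SELECT ON TABLE Catalog1.Table1 TO USER user1;

-- 3. The same pair of grants to a role, so that role membership rather than
--    per-user grants governs access; this is easier to review later.
GRANT USAGE ON CATALOG Catalog1 TO ROLE analysts;
GRANT SELECT ON TABLE Catalog1.Table1 TO ROLE analysts;

-- 4. Revocation mirrors the grant. Revoking USAGE on the catalog alone
--    already stops queries (USAGE is a prerequisite for SELECT), but the
--    table-level SELECT would remain as a dangling grant; revoke both.
REVOKE SELECT ON TABLE Catalog1.Table1 FROM USER user1;
REVOKE USAGE ON CATALOG Catalog1 FROM USER user1;

-- 5. A user who is granted SELECT on Table1 on main also reads it on
--    staging and qa; to keep a branch's copy private, do not grant on
--    the table at all rather than expecting a per-branch grant.
REVOKE SELECT ON TABLE Catalog1.Table1 FROM ROLE analysts;
```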

Ownership

Each Arctic catalog and each object the catalog contains has only one owner.

Ownership is granted to the catalog or object's creator by default. The owner can transfer ownership to another user or role.

Owners implicitly possess all supported privileges on the catalogs and objects they own. Only the owner can delete an Arctic catalog or objects in an Arctic catalog.

Ownership of an Arctic catalog does not extend to the objects in the catalog. For example, suppose the user Alice creates Catalog 1, and the user Bob then creates Table 1 inside Catalog 1. Bob is the owner of Table 1, not Alice. Alice does not have any privileges on Table 1 even though Alice owns the Arctic catalog that contains Table 1.

Viewing Ownership

To view the owner for an Arctic catalog:

  1. On the Organization home page, click the Arctic tile.

  2. Find the row (for list view) or card (for card view) that represents the Arctic catalog whose ownership you want to view. The owner is listed in the Owner column (for list view) or in the card (for card view).

To view the owner of a table or view in an Arctic catalog or source:

  1. Click the settings icon at the right side of the row for the table or view in the Arctic catalog or source.

  2. Select the Privileges tab in the settings sidebar. The owner is listed at the top of the Privileges window.

Transferring Ownership

Arctic catalog, table, and view owners can transfer their ownership to another user or role in the Dremio console or with the GRANT TO USER and GRANT TO ROLE SQL commands.

caution

Ownership transfers take effect immediately, and catalogs, tables, and views have only one owner. Only the user or role to which you granted ownership, users and roles that belong to the ADMIN role, and the organization owner can make ownership changes.

To use the Dremio console to transfer ownership on an Arctic catalog to another user or role:

  1. On the Organization home page, click the Arctic tile.

  2. Find the row (for list view) or card (for card view) that represents the Arctic catalog whose ownership you want to transfer.

  3. Click the settings icon at the right side of the row or in the top-right corner of the catalog card.

  4. Select the Privileges tab in the catalog settings sidebar.

  5. At the top of the Privileges page, click Transfer Ownership. A search field appears under Owner.

  6. In the search field under Owner, find the user or role to which you want to transfer ownership and click the user or role name to select it.

  7. Click Transfer.

  8. In the Transfer ownership to this user/role? confirmation dialog, click Transfer.

To transfer ownership on a table or view in an Arctic catalog to another user or role:

  1. Click the settings icon at the right side of the row for the table or view in the Arctic catalog or source.

  2. Select the Privileges tab in the dataset settings sidebar.

  3. At the top of the Privileges page, click Transfer Ownership. A search field appears under Owner.

  4. In the search field under Owner, find the user or role to which you want to transfer ownership and click the user or role name to select it.

  5. Click Transfer.

  6. In the Transfer ownership to this user/role? confirmation dialog, click Transfer.

View Delegation

View delegation means that tables with restricted access may be shared with other Dremio users through the creation of views. When a user with SELECT access to a table creates a view, that user automatically becomes the owner of the new view.

Upon creating the view, the same rules of ownership apply to the view. The owner or delegation identity does not change when a view is edited or queried, but must be manually changed via the GRANT TO USER or GRANT TO ROLE commands. To identify the owner of a view, query the sys.views table.

note

The shared view still selects from the underlying dataset using the view owner's permissions at the time of the view's last modification, even if the end user querying the view lacks privileges to modify the underlying table. This applies to each table on the data graph and chain of datasets.

View delegation is different from privilege assignment. View delegation is implicit delegation of the SELECT privilege on underlying objects. For example, suppose user1 has the SELECT privilege on Table1 and creates View1 based on Table1. If user1 grants the SELECT privilege on View1 to user2, then the SELECT privilege that user1 has on Table1 is implicitly granted to user2. user2 can see the data in Table1 even though they lack explicit SELECT privileges on Table1. Privilege assignment is an explicit delegation: the owner of an object or a user who belongs to the ADMIN role grants privileges on the object to other users.
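The view-delegation scenario above (user1, Table1, View1, user2), written as SQL, together with the sys.views ownership check and the SQL form of ownership transfer from the Transferring Ownership section. This is an added example, not from the Dremio documentation; the column list in the view and the sys.views filter column are constructed assumptions, and it assumes user1 already holds SELECT on Catalog1.Table1 and USAGE on Catalog1.

```sql
-- Added example: illustrative names; assumes user1 already has USAGE on
-- Catalog1 and SELECT on Catalog1.Table1.

-- Run as user1. user1 becomes the owner of View1, and View1 will read
-- Table1 with user1's privileges as of the view's last modification.
-- Exposing only a column subset is the usual reason to delegate this way:
-- consumers get the projection without any grant on Table1 itself.
CREATE VIEW Catalog1.View1 AS
SELECT customer_id, region, order_total     -- constructed column names
FROM Catalog1.Table1;

-- Granting SELECT on the view implicitly delegates user1's SELECT on
-- Table1 through the view: user2 can read these columns of Table1
-- although user2 holds no privilege on Table1. (user2 still needs USAGE
-- on Catalog1 to reach the view at all.)
GRANT USAGE ON CATALOG Catalog1 TO USER user2;
GRANT SELECT ON VIEW Catalog1.View1 TO USER user2;

-- Review: which identity does the view run as? The page says the owner is
-- listed in sys.views; the view_name filter column is an assumption.
SELECT * FROM sys.views WHERE view_name = 'View1';

-- The delegation identity only changes by an explicit ownership transfer,
-- never by editing or querying the view. After this, View1 reads Table1
-- with user3's privileges once View1 is next modified.
GRANT OWNERSHIP ON VIEW Catalog1.View1 TO USER user3;
```

Because the view keeps reading with its owner's privileges, revoking user1's SELECT on Table1 is not enough to cut off user2; the grant on View1 also has to be revoked.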