Access Control
Access control lets you manage and regulate access to Arctic catalogs and the objects and data they contain by determining who can access specific objects and what actions or operations they can perform on those objects.
Access control mechanisms are fundamental to preventing unauthorized access, enforcing security policies, minimizing risks, protecting sensitive information, maintaining compliance with regulations, and ensuring that users have the appropriate level of access based on their roles and responsibilities within an organization.
Privileges
Use role-based access control (RBAC) privileges to manage which users and roles can access Arctic catalogs and the tables and views they contain, as well as the actions they can take on the catalogs, tables, and views. You can configure and manage Arctic catalog privileges in the Dremio console and grant privileges on a per-user or per-role basis.
By default, the organization owner and the catalog owner have complete access to an Arctic catalog and the tables and views it contains. All other users must be granted privileges on the Arctic catalog and its tables and views by the organization owner, the catalog owner, or a user with the MANAGE GRANTS privilege.
Granting Privileges
Arctic catalog, table, and view owners, users and roles that belong to the ADMIN role, and the organization owner can grant privileges to other users and roles in the Dremio console or with the GRANT TO USER and GRANT TO ROLE SQL commands.
See Transferring Ownership to learn how to manage OWNERSHIP for an Arctic catalog, table, or view.
To grant privileges on an Arctic catalog in the Dremio console:
On the Organization home page, click the Arctic tile.
Find the card that represents the Arctic catalog whose privileges you want to update.
Click the icon in the top-right corner of the catalog card.
Select the Privileges tab in the catalog settings sidebar.
In the search field under Add User/Role, enter the name of a user or role.
In the list of search results, click to select the user or role you want to assign privileges for.
Click the Add to Privileges button.
Select the checkboxes for the privileges you want to assign to each user or role.
Click Save.
To grant privileges on a table or view in an Arctic catalog or source:
Click the icon at the right side of the row for the table or view in the Arctic catalog or source.
Select the Privileges tab in the dataset settings sidebar.
In the search field under Add User/Role, enter a username or role. In the list of search results, click to select the user or role you want to assign privileges for.
Click the Add to Privileges button.
Select the checkboxes for the privileges you want to assign to each user or role.
Click Save.
Revoking Privileges
Arctic catalog, table, and view owners, users and roles that belong to the ADMIN role, and the organization owner can revoke privileges from other users and roles in the Dremio console or with the REVOKE FROM USER and REVOKE FROM ROLE SQL commands.
To revoke privileges on an Arctic catalog in the Dremio console:
On the Organization home page, click the Arctic tile.
Find the card that represents the Arctic catalog whose privileges you want to update.
Click the icon in the top-right corner of the catalog card.
Select the Privileges tab in the catalog settings sidebar.
To revoke only some privileges for a user or role, uncheck the checkboxes for the privileges you want to revoke.
To revoke all privileges for a user or role, click the icon to the right of the user or role name and select Remove.
- In the Remove user/role? confirmation dialog window, click Yes.
Click Save.
To revoke privileges on a table or view in an Arctic catalog or source:
Click the icon at the right side of the row for the table or view in the Arctic catalog or source.
Select the Privileges tab in the dataset settings sidebar.
To revoke only some privileges for a user or role, uncheck the checkboxes for the privileges you want to revoke.
To revoke all privileges for a user or role, click the icon to the right of the user or role name and select Remove.
- In the Remove user/role? confirmation dialog window, click Yes.
Click Save.
Scope
Scope refers to the objects a user or role can access. Privileges assigned at the Arctic catalog level determine the actions users and roles can take on the catalog. Catalog-level privileges do not cover the tables and views in the catalog: privileges must also be assigned on those tables and views to determine the actions users and roles can take on them.
For example, if a user is granted the USAGE privilege on an Arctic catalog, the user can view the catalog but cannot view or query any tables or views in the catalog. The user may not access other Arctic catalogs or the objects they contain. To run SELECT queries on tables and views in the catalog, the user needs the USAGE privilege on the Arctic catalog as well as the SELECT privilege on the tables and views.
Privileges that are granted on a table or view on any branch in an Arctic catalog apply to all branches where the table or view exists. For example, suppose Table1 exists on the main, staging, and qa branches of Catalog1. If User1 is granted the SELECT privilege on Table1 on the main branch, User1 also has the SELECT privilege on Table1 on the staging and qa branches.
Ownership
Each Arctic catalog and each object the catalog contains has only one owner.
Ownership is granted to the catalog or object's creator by default. The owner can transfer ownership to another user or role.
Owners implicitly possess all supported privileges on the catalogs and objects they own. Only the owner can delete an Arctic catalog or objects in an Arctic catalog.
Ownership of an Arctic catalog does not extend to the objects in the catalog. For example, suppose the user Alice creates Catalog 1, and the user Bob then creates Table 1 inside Catalog 1. Bob is the owner of Table 1, not Alice. Alice does not have any privileges on Table 1 even though Alice owns the Arctic catalog that contains Table 1.
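The scope and ownership rules above can be checked against a small model when reviewing who can actually read a table. This Python sketch is an added illustration, not Dremio code: the class and function names, User2, and User3 are hypothetical, and it assumes Bob has been granted USAGE on Catalog1.

```python
from dataclasses import dataclass, field

@dataclass
class ArcticModel:
    """Toy model of the scope and ownership rules on this page (not Dremio code)."""
    owners: dict = field(default_factory=dict)  # object -> owning principal
    tables: dict = field(default_factory=dict)  # table -> (catalog, branches)
    grants: set = field(default_factory=set)    # (principal, object, privilege)

    def has(self, principal, obj, privilege):
        # Owners implicitly hold every privilege on what they own, and only
        # on that object: owning a catalog says nothing about its tables.
        return (self.owners.get(obj) == principal
                or (principal, obj, privilege) in self.grants)

    def can_select(self, principal, table, branch):
        catalog, branches = self.tables[table]
        if branch not in branches:
            return False  # the table does not exist on this branch
        # Grants carry no branch, so a table grant covers every branch where
        # the table exists. Catalog USAGE and table SELECT are both required.
        return (self.has(principal, catalog, "USAGE")
                and self.has(principal, table, "SELECT"))

    def audit(self, table):
        """Map each known principal to the branches it can SELECT from."""
        branches = self.tables[table][1]
        principals = {g[0] for g in self.grants} | set(self.owners.values())
        return {p: sorted(b for b in branches if self.can_select(p, table, b))
                for p in sorted(principals)}

def build_example():
    m = ArcticModel()
    m.owners.update({"Catalog1": "Alice", "Table1": "Bob"})
    m.tables["Table1"] = ("Catalog1", {"main", "staging", "qa"})
    m.grants |= {
        ("Bob", "Catalog1", "USAGE"),    # assumption: Bob can use the catalog
        ("User1", "Catalog1", "USAGE"),
        ("User1", "Table1", "SELECT"),   # granted once, applies on all branches
        ("User2", "Catalog1", "USAGE"),  # hypothetical: catalog access only
        ("User3", "Table1", "SELECT"),   # hypothetical: no catalog USAGE
    }
    return m

if __name__ == "__main__":
    for principal, branches in build_example().audit("Table1").items():
        print(f"{principal}: {branches or 'no SELECT access'}")
```

In this model Alice, the catalog owner, cannot query Table1, and User3's table-level SELECT grant has no effect without USAGE on the catalog.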
Viewing Ownership
To view the owner for an Arctic catalog:
On the Organization home page, click the Arctic tile.
Find the row (for list view) or card (for card view) that represents the Arctic catalog whose owner you want to view. The owner is listed in the Owner column (for list view) or in the card (for card view).
Transferring Ownership
Arctic catalog, table, and view owners can transfer their ownership to another user or role in the Dremio console or with the GRANT TO USER and GRANT TO ROLE SQL commands.
Ownership transfers take effect immediately, and catalogs, tables, and views have only one owner. Only the user or role to which you granted ownership, users and roles that belong to the ADMIN role, and the organization owner can make ownership changes.
To use the Dremio console to transfer ownership on an Arctic catalog to another user or role:
On the Organization home page, click the Arctic tile.
Find the row (for list view) or card (for card view) that represents the Arctic catalog whose ownership you want to transfer.
Click the icon at the right side of the row or in the top-right corner of the catalog card.
Select the Privileges tab in the catalog settings sidebar.
At the top of the Privileges page, click Transfer Ownership. A search field appears under Owner.
In the search field under Owner, find the user or role to which you want to transfer ownership and click the user or role name to select it.
Click Transfer.
In the Transfer ownership to this user/role? confirmation dialog, click Transfer.
To transfer ownership on a table or view in an Arctic catalog to another user or role:
Click the icon at the right side of the row for the table or view in the Arctic catalog or source.
Select the Privileges tab in the dataset settings sidebar.
At the top of the Privileges page, click Transfer Ownership. A search field appears under Owner.
In the search field under Owner, find the user or role to which you want to transfer ownership and click the user or role name to select it.
Click Transfer.
In the Transfer ownership to this user/role? confirmation dialog, click Transfer.