Arctic Privileges
The following sections describe the supported privileges for Arctic catalogs and each type of securable object in an Arctic catalog.
Catalog Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on Arctic catalogs:
Privilege | Description |
---|---|
ALTER REFLECTION | Create, edit, and view reflections on tables and views in the Arctic catalog. Applies across all interfaces, including reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
COMMIT | Perform write operations on an Arctic catalog, including insert, update, delete, merge, and truncate on tables in the catalog; merging branches; and assigning branches and tags to other references. |
CREATE BRANCH | Create branches in the Arctic catalog. |
CREATE FOLDER | Create folders in the Arctic catalog. |
CREATE FUNCTION | Create user-defined functions (UDFs) in the Arctic catalog. |
CREATE TABLE | Create tables in the Arctic catalog. |
CREATE TAG | Create tags in the Arctic catalog. |
CREATE VIEW | Create views in the Arctic catalog. |
MANAGE GRANTS | Grant and revoke privileges on an Arctic catalog. |
MODIFY | Edit the Arctic catalog's settings, including its compute settings. |
OWNERSHIP | Take any action on the Arctic catalog and the objects it contains, including transferring catalog ownership to another user or role, modifying catalog settings, granting and revoking user and role access, and deleting the catalog and its objects. |
SELECT | View child folders, tables, and views in the Arctic catalog, run SELECT queries on the tables and views, and read their schema definitions, lineages, wikis, and labels. |
USAGE | Minimum privilege required to perform any operation on an Arctic catalog. By itself, USAGE grants access to view a catalog but not the catalog's child folders and datasets. Additional privileges are required for operations on child folders and datasets; for example, users need the CREATE TABLE privilege to create tables in the catalog and the SELECT privilege to view the catalog's child folders and datasets and run SELECT queries on the tables and views. Revoking the USAGE privilege effectively prevents any operation on the Arctic catalog or the objects it contains, including operations made possible by other privileges. |
VIEW REFLECTION | View reflections on the tables or views in the Arctic catalog. Applies across all interfaces, including the reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER, ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the tables and views in the catalog, and edit their wikis and labels. |
Required Privileges for Optimization Actions
The following table lists the privileges required to perform optimization actions for an Arctic catalog:
Action | Required Arctic Catalog-Level Privileges |
---|---|
Create and edit optimization compute settings | USAGE and MODIFY |
Retrieve optimization compute settings | USAGE |
Trigger data optimization jobs | USAGE and COMMIT |
Cancel data optimization jobs | USAGE plus one of the following: |
Retrieve details about data optimization jobs with the Arctic Jobs API | USAGE plus one of the following: |
List data optimization jobs | USAGE plus one of the following: |
Create and edit data optimization schedules | USAGE and COMMIT |
Delete data optimization schedules | USAGE plus one of the following: |
List data optimization schedules | USAGE plus one of the following: |
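The following Python sketch is an added example, not part of the original documentation or of Dremio's code. It models the catalog-level rules stated above (USAGE as the gate for every operation, plus the optimization rows whose requirements are fully listed) and audits a grant set for privileges that are inert without USAGE or that allow changing access; the principal names and grants are constructed sample data.

```python
# Added example: a model of the catalog-level rules documented on this page.
# Principal names and grants are constructed sample data, not real output.

# Optimization actions whose required privileges are fully listed in the table
# above. Rows that end in "one of the following:" are deliberately omitted.
REQUIRED = {
    "create_or_edit_compute_settings": {"USAGE", "MODIFY"},
    "retrieve_compute_settings": {"USAGE"},
    "trigger_optimization_job": {"USAGE", "COMMIT"},
    "create_or_edit_optimization_schedule": {"USAGE", "COMMIT"},
}

# Privileges the page describes as able to grant and revoke access.
ACCESS_CONTROL = {"OWNERSHIP", "MANAGE GRANTS"}

GRANTS = {  # constructed catalog-level grants per principal
    "role:etl": ["USAGE", "COMMIT", "CREATE TABLE"],
    "role:analyst": ["USAGE", "SELECT"],
    "user:contractor": ["COMMIT", "WRITE"],  # USAGE missing or revoked
    "role:platform": ["USAGE", "MODIFY", "MANAGE GRANTS"],
}


def allowed_actions(privileges):
    """Return the optimization actions a catalog-level privilege set permits."""
    held = set(privileges)
    if "USAGE" not in held:  # without USAGE, no other privilege takes effect
        return set()
    return {action for action, need in REQUIRED.items() if need <= held}


def audit(grants):
    """Flag grants that are inert without USAGE or that can change access."""
    findings = []
    for principal, privileges in sorted(grants.items()):
        held = set(privileges)
        if held and "USAGE" not in held:
            # These grants become live the moment USAGE is (re)granted.
            findings.append((principal, "inert-without-USAGE", sorted(held)))
        admin = sorted(held & ACCESS_CONTROL)
        if admin:
            findings.append((principal, "can-change-access", admin))
    return findings


if __name__ == "__main__":
    for principal, privileges in GRANTS.items():
        print(principal, sorted(allowed_actions(privileges)))
    for finding in audit(GRANTS):
        print("FINDING", finding)
```
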
Folder Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on folders in Arctic catalogs:
Privilege | Description |
---|---|
ALTER REFLECTION | Create, edit, and view reflections on tables and views in the folder and any subfolders. Applies across all interfaces, including reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
CREATE FOLDER | Create subfolders in the folder. |
CREATE FUNCTION | Create user-defined functions (UDFs) in the folder. |
CREATE TABLE | Create tables in the folder and any subfolders. |
CREATE VIEW | Create views in the folder and any subfolders. |
MANAGE GRANTS | Grant and revoke privileges on the folder. |
OWNERSHIP | Take any action on the folder and the objects it contains, including transferring folder ownership to another user or role, modifying folder settings, granting and revoking user and role access, and deleting the folder and its objects. |
SELECT | View and navigate to the folder and all of the subfolders, tables, and views it contains in the Dremio console, as well as run SELECT queries on the tables and views in the folder and read their schema definitions, lineages, wikis, and labels. |
SHOW | View and navigate to the folder in the Dremio console. SHOW is only available on folders and is NOT inherited for any subfolders, tables, or views in a folder on which SHOW is granted. |
VIEW REFLECTION | View reflections on the tables or views in the folder and any subfolders. Applies across all interfaces, including the reflection pages, admin reflection pages, REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER, ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the tables and views in the folder and any subfolders, and edit their wikis. |
Table Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on tables in Arctic catalogs:
Privilege | Description |
---|---|
ALTER REFLECTION | Create, edit, and view reflections on the table. Applies across all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
MANAGE GRANTS | Grant and revoke privileges on the table. |
OWNERSHIP | Take any action on the table, including transferring ownership to another user or role, modifying settings, granting and revoking user and role access, and deleting the table. |
SELECT | Run SELECT queries on the table and read the table's schema definition, lineage, wiki, and labels. |
VIEW REFLECTION | View reflections on the table. Applies across all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER, ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the table, and edit the table's wiki. |
UDF (User-Defined Function) Privileges
Privilege | Description |
---|---|
OWNERSHIP | Grant ownership of a UDF to a user or role. The owner can transfer ownership to a different user or role using the GRANT OWNERSHIP command. |
SELECT | Run SELECT queries on the UDF and read the UDF's schema definition, lineage, wiki, and labels. |
WRITE | Run REPLACE FUNCTION if the UDF already exists. Edit the UDF's definition and wiki. |
View Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on views in Arctic catalogs:
Privilege | Description |
---|---|
ALTER REFLECTION | Create, edit, and view reflections on the view. Applies across all interfaces, including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
MANAGE GRANTS | Grant and revoke privileges on the view. |
OWNERSHIP | Take any action on the view, including transferring ownership to another user or role, modifying settings, granting and revoking user and role access, and deleting the view. |
SELECT | Run SELECT queries on the view and read the view's schema definition, lineage, wiki, and labels. |
VIEW REFLECTION | View reflections on the view. Applies across all interfaces, including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
WRITE | Edit the view's definition and wiki. |