Arctic Privileges
The following sections describe the supported privileges for Arctic catalogs and each type of securable object in an Arctic catalog.
Catalog Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on Arctic catalogs:
Privilege | Description |
---|---|
COMMIT | Perform write operations on an Arctic catalog. COMMIT allows users and roles to create tables and views, perform write operations (for example, insert, update, delete, merge, and truncate) on tables in the catalog, merge branches, and assign branches and tags to other references. |
CREATE BRANCH | Create branches and tables in the Arctic catalog. |
CREATE TAG | Create tags in the Arctic catalog. |
MANAGE GRANTS | Modify privileges on an Arctic catalog. |
OWNERSHIP | Take any action on the Arctic catalog and the objects it contains, including transferring catalog ownership to another user or role, modifying catalog settings, granting and revoking user and role access, and deleting the catalog and its objects. |
USAGE | Minimum privilege required to perform any operation on an Arctic catalog. By itself, USAGE grants access to view a catalog and its underlying datasets as well as to run SELECT queries on the catalog and its datasets. Additional privileges may be required for other operations; for example, users need the CREATE BRANCH privilege to create branches and tables in the catalog. Revoking the USAGE privilege effectively prevents any operation on the Arctic catalog, including operations made possible by other privileges. |
MODIFY | Edit the Arctic catalog's settings, including its compute settings. The MODIFY privilege does not grant access to edit the tables and views in the Arctic catalog. |
Required Privileges for Optimization Actions
The following table lists the privileges required to perform optimization actions for an Arctic catalog:
Action | Required Arctic Catalog-Level Privileges |
---|---|
Create and edit optimization compute settings | USAGE and MODIFY |
Retrieve optimization compute settings | USAGE |
Trigger data optimization jobs | USAGE and COMMIT |
Cancel data optimization jobs | USAGE plus one of the following: |
Retrieve details about data optimization jobs with the Arctic Jobs API | USAGE plus one of the following: |
List data optimization jobs | USAGE plus one of the following: |
Create and edit data optimization schedules | USAGE and COMMIT |
Delete data optimization schedules | USAGE plus one of the following: |
List data optimization schedules | USAGE plus one of the following: |
Table Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on tables in Arctic catalogs:
Privilege | Description |
---|---|
ALTER REFLECTION | Create, edit, and view reflections on the table. This applies to all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. The user or role must also have the USAGE privilege on the Arctic catalog that contains the table and the SELECT privilege on the table. |
MANAGE GRANTS | Modify privileges on the table. |
OWNERSHIP | Take any action on the table, including transferring ownership to another user or role, modifying settings, granting and revoking user and role access, and deleting the table. The user or role must also have the USAGE privilege on the Arctic catalog that contains the table. |
SELECT | Run SELECT queries on the table and read the table's schema definition, lineage, wiki, and labels. The user or role must also have the USAGE privilege on the Arctic catalog that contains the table. |
VIEW REFLECTION | View reflections on the table. This applies to all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. The user or role must also have the USAGE privilege on the Arctic catalog that contains the table. |
WRITE | Run INSERT, UPDATE, DELETE, TRUNCATE, ALTER (Iceberg tables only), ALTER REFLECTION, REFRESH METADATA, and FORGET METADATA queries on the table as well as edit the table's wiki. The user or role must also have USAGE and COMMIT privileges on the Arctic catalog that contains the table. |
View Privileges
Organization owners and users with the MANAGE GRANTS privilege can grant the following privileges on views in Arctic catalogs:
Privilege | Description |
---|---|
ALTER REFLECTION | Create, edit, and view reflections on the view. This applies to all interfaces, including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. The user or role must also have the USAGE privilege on the Arctic catalog that contains the view and the SELECT privilege on the view. |
MANAGE GRANTS | Modify privileges on the view. |
OWNERSHIP | Take any action on the view, including transferring ownership to another user or role, modifying settings, granting and revoking user and role access, and deleting the view. The user or role must also have the USAGE privilege on the Arctic catalog that contains the view. |
SELECT | Run SELECT queries on the view and read the view's schema definition, lineage, wiki, and labels. The user or role must also have the USAGE privilege on the Arctic catalog that contains the view. |
VIEW REFLECTION | View reflections on the view. This applies to all interfaces, including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. The user or role must also have the USAGE privilege on the Arctic catalog that contains the view. |
WRITE | Edit the view's definition and wiki. The user or role must also have USAGE and COMMIT privileges on the Arctic catalog that contains the view. |
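
The prerequisite rules in the tables above mean a grant can exist and still have no effect, for example WRITE on a table without COMMIT on its catalog, or any catalog privilege without USAGE. The following audit sketch is an added example, not Dremio code: it flags such dormant grants in an exported grant list. It assumes direct grants only (role membership and OWNERSHIP are not modeled), a hypothetical `(principal, object, privilege)` tuple format, and object names of the form `catalog` or `catalog.table`.

```python
# Added example: prerequisite rules transcribed from the privilege tables on this page.
# Assumptions: direct grants only; OWNERSHIP and role membership are not modeled.

# Table/view privilege -> (catalog privileges, same-object privileges) it also needs.
TABLE_PREREQS = {
    "SELECT": ({"USAGE"}, set()),
    "VIEW REFLECTION": ({"USAGE"}, set()),
    "ALTER REFLECTION": ({"USAGE"}, {"SELECT"}),
    "WRITE": ({"USAGE", "COMMIT"}, set()),
}
# Catalog privileges that permit nothing once USAGE is missing or revoked.
CATALOG_NEEDS_USAGE = {"COMMIT", "CREATE BRANCH", "CREATE TAG", "MODIFY", "MANAGE GRANTS"}


def dormant_grants(grants):
    """Return sorted (principal, object, privilege, missing) for grants with no effect.

    grants: iterable of (principal, object, privilege); object is the catalog name
    for catalog-level grants, or "catalog.table" for table and view grants.
    """
    held = {}
    for principal, obj, priv in grants:
        held.setdefault((principal, obj), set()).add(priv)

    findings = []
    for (principal, obj), privs in held.items():
        catalog = obj.split(".", 1)[0]
        cat_privs = held.get((principal, catalog), set())
        for priv in privs:
            if obj == catalog:
                need_cat = {"USAGE"} if priv in CATALOG_NEEDS_USAGE else set()
                need_obj = set()
            else:
                need_cat, need_obj = TABLE_PREREQS.get(priv, (set(), set()))
            missing = [f"{p} on {catalog}" for p in sorted(need_cat - cat_privs)]
            missing += [f"{p} on {obj}" for p in sorted(need_obj - privs)]
            if missing:
                findings.append((principal, obj, priv, tuple(missing)))
    return sorted(findings)


# Constructed sample grants (not taken from any real deployment).
SAMPLE = [
    ("analyst", "lake", "USAGE"), ("analyst", "lake.orders", "SELECT"),
    ("etl", "lake", "USAGE"), ("etl", "lake.orders", "WRITE"),           # no COMMIT
    ("bi", "lake", "USAGE"), ("bi", "lake.orders", "ALTER REFLECTION"),  # no SELECT
    ("ops", "lake", "COMMIT"),                                           # no USAGE
]

if __name__ == "__main__":
    for row in dormant_grants(SAMPLE):
        print(row)
```

Dormant grants are worth cleaning up during access reviews: they become live as soon as the missing prerequisite is granted, which may happen for an unrelated reason.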