Skip to main content

Privileges

The following sections describe the supported privileges for each type of securable object.

note

Privileges that are inheritable also implicitly apply to child objects through inheritance.

  • For organizations, child objects include clouds; projects; engines; identity providers; sources and the folders, tables, and views they contain; scripts; users; and roles.
  • For sources, child objects include the folders, tables, and views the source contains.
  • For folders, child objects include the tables and views the folder contains, as well as any nested folders and their contents.

Organization Privileges

PRIVILEGEDESCRIPTION
CONFIGURE SECURITYConfigure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications.
CONFIGURE BILLINGCreate billing accounts, which are used to manage usage invoices for Enterprise users. Each account's creator is its default owner.
CREATE CATALOGCreate Arctic catalogs. Each catalog's creator is its default owner.
CREATE CLOUDCreate clouds. Each cloud's creator is its default owner.
CREATE PROJECTCreate projects. Each project's creator is its default owner.
CREATE ROLECreate roles. Each role's creator is its default owner.
CREATE USERCreate users. Each user's creator is its default owner. See Managing Other Users for details on management operations.
MANAGE GRANTSGrant or revoke privileges on the organization and all objects it contains.
OWNERSHIPOwnership of the organization. Take all actions on the organization and all objects it contains.
  • Only one user or role (not both) can hold this privilege on the organization at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.

Cloud Privileges

PRIVILEGEDESCRIPTION
MANAGE GRANTSGrant and revoke privileges on the cloud.
MODIFYAccess and modify settings for the cloud.
MONITORView all settings for the cloud.
OWNERSHIPOwnership of the cloud. Take all actions on the cloud, including modifying settings, granting and revoking user and role access, and deleting the cloud.
  • Only one user or role (not both) can hold this privilege on the cloud at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.

Sonar Project Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the wikis of all sources, folders, tables, and views in the project.
  • Edit the definitions and settings of all tables and views in the project.
  • Promote and demote all tables in the project.
  • Create and delete views in the project.
  • Add and remove folders in the project.
  • Issue ALTER SOURCE <source_name> REFRESH STATUS commands.
  • Issue commands to manage metadata (including REFRESH and FORGET) for all tables in the project.
ALTER REFLECTIONCreate, edit, and view reflections on all tables and views in the project. Includes table and view reflection pages, admin reflection pages, the API endpoints for listing individual reflections and all reflections), and job history for reflections.
CREATE SOURCECreate new sources in the project.
CREATE TABLECreate tables using CREATE TABLE and CREATE TABLE AS SELECT (CTAS).
  • This privilege is only supported for project sources that support mutability.
DELETEExecute the delete operation on all Apache Iceberg tables in the project.
DROPRemove tables from the project.
  • This privilege is only supported for sources that support mutability.
EXTERNAL QUERYRun external queries on sources in the project.
  • This privilege is only supported for Amazon Redshift, Microsoft SQL Server, MySQL, and PostgreSQL sources and Dremio Hub connectors that use advanced relational pushdown (ARP).
INSERTExecute the insert operation on all Apache Iceberg tables in the project.
MANAGE GRANTSGrant and revoke privileges on the project and the objects it contains.
MODIFYAccess, create, modify, and delete workload management settings in a project, including engines, engine routing, and queues, and view node activity.
MONITORView all settings for the project.
OPERATEStart/enable and stop/disable all engines in the project.
OWNERSHIPOwnership of the project. Take all actions on the project and all objects it contains.
  • Only one user or role (not both) can hold this privilege on the project at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
SELECT
  • View data from all tables and views in the project.
  • View the schema definitions of all tables and views in the project.
  • View the wikis of all sources, folders, tables, and views in the project.
  • View the labels of all tables and views in the project.
  • View the graphs of all tables and views in the project.
  • Promote and demote all tables in the project.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables in the project.
UPDATEExecute the update operation on all Apache Iceberg tables in the project.
USAGEAccess the project. Users with direct privileges on objects in the project, including OWNERSHIP, cannot access the objects unless they also have the USAGE privilege on the project.
VIEW JOB HISTORYView the job history tables from the Jobs page for all users in the project.
VIEW REFLECTIONView table metadata and reflections on all tables and views in the project, including the Reflections tab on the Edit Dataset page for the table or view, the Reflections sidebar in the project settings, reflection API endpoints for listing individual reflections and all reflections, and job history for reflections.

Engine Privileges

PRIVILEGEDESCRIPTION
MODIFYAccess and modify settings for the engine, including replica settings, replica auto-stop settings, time limits, and tags.
MONITORView all settings for the engine, including replica settings, replica auto-stop settings, time limits, and tags.
OPERATEStart/enable and stop/disable the engine.
USAGERun queries against the engine.
  • The PUBLIC role is granted the USAGE privilege on all engines by default, but the privilege can be revoked.
MANAGE GRANTSGrant and revoke privileges on the engine.
OWNERSHIPOwnership of the engine. Take all actions on the engine.
  • Only one user or role (not both) can hold this privilege on the engine at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.

Identity Provider Privileges

PRIVILEGEDESCRIPTION
MODIFYAccess and modify settings for the identity provider.
MONITORView all settings for the identity provider.
OWNERSHIPOwnership of the identity provider. Take all actions on the identity provider, including modifying settings and deleting the identity provider.
  • Only one user or role (not both) can hold this privilege on the identity provider at a time.
  • The owner can transfer ownership using the GRANT OWNERSHIP command.

Source Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the wikis of the source and the folders and tables it contains.
  • Edit the definitions and settings of all tables in the source.
  • Promote and demote all tables in the source.
  • Add and remove folders in the source.
  • Issue ALTER SOURCE <source_name> REFRESH STATUS commands.
  • Issue commands to manage metadata (including REFRESH and FORGET) for all tables in the source.
ALTER REFLECTIONCreate, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
CREATE TABLECreate tables using CREATE TABLE and CREATE TABLE AS SELECT (CTAS) in the source.
  • This privilege is only supported for project sources that support mutability.
DELETEExecute the delete operation on all Apache Iceberg tables in the source.
DROPRemove tables from the source.
  • This privilege is only supported for sources that support mutability.
EXTERNAL QUERYRun external queries on the source.
  • This privilege is only supported for Amazon Redshift, Microsoft SQL Server, MySQL, and PostgreSQL sources and Dremio Hub connectors that use advanced relational pushdown (ARP).
INSERTExecute the insert operation on all Apache Iceberg tables in the source.
MODIFYAccess and modify settings on the source.
MANAGE GRANTSGrant and revoke privileges on the source and the objects it contains.
OWNERSHIPAllows all actions on the source and all objects it contains.
  • Only one user or role (not both) can hold this privilege on the source at a time.
  • Source owners cannot query the source unless they have the USAGE privilege on the project that contains the source. Once they are granted the USAGE privilege on the project, source owners have all other implicit privileges on the source and the objects it contains.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
SELECT
  • View data from all folders and tables in the source.
  • View the schema definition of all tables in the source.
  • View the wikis of all folders in the source.
  • View the wikis and labels of all tables in the source.
  • View the graphs of all tables in the source.
  • Promote tables in the source.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables in the source.
UPDATEExecute the update operation on all Apache Iceberg tables in the source.
VIEW REFLECTIONView reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Folder Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the wikis of the folder and the subfolders, tables, and views it contains.
  • Edit the definitions and settings of all tables and views in the folder.
  • Promote and demote all tables in the folder.
  • Create and delete tables and views in the folder.
  • Create and delete subfolders in the folder.
  • Issue commands to manage metadata (including REFRESH and FORGET) for all tables in the folder.
ALTER REFLECTIONCreate, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
DELETEExecute the delete operation on all Apache Iceberg tables in the folder.
DROPRemove tables from the source.
  • This privilege is only supported for folders in sources that support mutability.
INSERTExecute the insert operation on all Apache Iceberg tables in the folder.
MANAGE GRANTSGrant and revoke privileges on the folder and the objects it contains.
OWNERSHIPAllows all actions on the folder and all objects it contains.
  • Only one user or role (not both) can hold this privilege on the folder at a time.
  • Folder owners cannot access the folder or the object it contains unless they have the USAGE privilege on the project that contains the folder. Once they are granted the USAGE privilege on the project, folder owners have all other implicit privileges on the folder and the objects it contains.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
SELECT
  • View data from the folder and the objects it contains.
  • View the schema definition of all tables in the folder.
  • View the wikis of the folders and any subfolders it contains.
  • View the wikis and labels of all tables in the folder.
  • View the graph of all tables in the folder.
  • Promote tables in the folder.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables in the folder.
UPDATEExecute the update operation on all Apache Iceberg tables in the folder.
VIEW REFLECTIONView reflections on all tables and views in the folder. Includes reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Table Privileges

PRIVILEGEDESCRIPTION
ALTEREdit the table's wiki, definitions, and settings and issue commands to manage metadata (including REFRESH and FORGET) for the table.
DELETEExecute the delete operation (Apache Iceberg tables only).
INSERTExecute the insert operation (Apache Iceberg tables only).
MANAGE GRANTSGrant and revoke privileges on the table.
OWNERSHIPAllows all actions on the table.
  • Only one user or role (not both) can hold this privilege on the table at a time.
  • Table owners cannot access the table unless they have the USAGE privilege on the project that contains the table. Once they are granted the USAGE privilege on the project, table owners have all other implicit privileges on the table.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
SELECT
  • View data from the table.
  • View the schema definition of the table.
  • View the table's wiki and labels.
  • View the table's graph.
TRUNCATEExecute the truncate operation (Apache Iceberg tables only).
UPDATEExecute the update operation (Apache Iceberg tables only).

View Privileges

PRIVILEGEDESCRIPTION
ALTEREdit the view's wiki, definitions, and settings.
DELETEExecute the delete operation (views created from Apache Iceberg tables only).
INSERTExecute the insert operation (views created from Apache Iceberg tables only).
MANAGE GRANTSGrant and revoke privileges on the view.
OWNERSHIPAllows all actions on the view.
  • Only one user or role (not both) can hold this privilege on the view at a time.
  • View owners cannot access the view unless they have the USAGE privilege on the project that contains the view. Once they are granted the USAGE privilege on the project, view owners have all other implicit privileges on the view.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
SELECT
  • View data from the view.
  • View the schema definition of the view.
  • View the view's wiki and labels.
  • View the view's graph.
TRUNCATEExecute the truncate operation (views created from Apache Iceberg tables only).
UPDATEExecute the update operation (views created from Apache Iceberg tables only).

Script Privileges

PRIVILEGEDESCRIPTION
VIEWView the script.
MODIFYModify the script.
DELETEDelete the script.
MANAGE GRANTSGrant and revoke privileges on the script.

User Privileges

PRIVILEGEDESCRIPTION
OWNERSHIPTake all actions on the user, including setting a new password, changing the user type from local (internal) to external, granting and revoking user privileges, and transferring ownership using the GRANT OWNERSHIP SQL command.
  • Only one user or role (not both) can hold this privilege on the user at a time.

Role Privileges

PRIVILEGEDESCRIPTION
OWNERSHIPTake all actions on the role, including adding and removing role members, granting and revoking role privileges, and transferring ownership using the GRANT OWNERSHIP SQL command.
  • Only one user or role (not both) can hold this privilege on the role at a time.

ALL Privilege

The ALL privilege is available on all objects in Dremio. Granting the ALL privilege on an object grants the user or role all possible privileges, except OWNERSHIP, on the object.

The ALL privilege grants a static set of privileges that includes only the privileges that exist when you run the grant command. ALL privilege grants are not automatically updated to include new privileges that become available later.

Revoking the ALL privilege on a parent object does not change any privileges that are directly assigned on child objects. For example, if you grant the SELECT privilege on Table 1 in Organization A to User 1 and then grant the ALL privilege on Organization A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Organization A for User 1, User 1 retains the SELECT privilege on Table 1.