Privileges
The following sections describe the supported privileges for each type of securable object.
Privileges that are inheritable also implicitly apply to child objects through inheritance.
- For organizations, child objects include clouds; projects; engines; identity providers; sources and the folders, tables, and views they contain; scripts; users; and roles.
- For sources, child objects include the folders, tables, and views the source contains.
- For folders, child objects include the tables and views the folder contains, as well as any nested folders and their contents.
Organization Privileges
PRIVILEGE | DESCRIPTION |
---|---|
CONFIGURE SECURITY | Configure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications. |
CONFIGURE BILLING | Create billing accounts, which are used to manage usage invoices for Enterprise users. Each account's creator is its default owner. |
CREATE CATALOG | Create Arctic catalogs. Each catalog's creator is its default owner. |
CREATE CLOUD | Create clouds. Each cloud's creator is its default owner. |
CREATE PROJECT | Create projects. Each project's creator is its default owner. |
CREATE ROLE | Create roles. Each role's creator is its default owner. |
CREATE USER | Create users. Each user's creator is its default owner. See Managing Other Users for details on management operations. |
MANAGE GRANTS | Grant or revoke privileges on the organization and all objects it contains. |
OWNERSHIP | Ownership of the organization. Take all actions on the organization and all objects it contains.
|
Cloud Privileges
PRIVILEGE | DESCRIPTION |
---|---|
MANAGE GRANTS | Grant and revoke privileges on the cloud. |
MODIFY | Access and modify settings for the cloud. |
MONITOR | View all settings for the cloud. |
OWNERSHIP | Ownership of the cloud. Take all actions on the cloud, including modifying settings, granting and revoking user and role access, and deleting the cloud.
|
Sonar Project Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALTER |
|
ALTER REFLECTION | Create, edit, and view reflections on all tables and views in the project. Includes table and view reflection pages, admin reflection pages, the API endpoints for listing individual reflections and all reflections), and job history for reflections. |
CREATE SOURCE | Create new sources in the project. |
CREATE TABLE | Create tables using CREATE TABLE and CREATE TABLE AS SELECT (CTAS).
|
DELETE | Execute the delete operation on all Apache Iceberg tables in the project. |
DROP | Remove tables from the project.
|
EXTERNAL QUERY | Run external queries on sources in the project.
|
INSERT | Execute the insert operation on all Apache Iceberg tables in the project. |
MANAGE GRANTS | Grant and revoke privileges on the project and the objects it contains. |
MODIFY | Access, create, modify, and delete workload management settings in a project, including engines, engine routing, and queues, and view node activity. |
MONITOR | View all settings for the project. |
OPERATE | Start/enable and stop/disable all engines in the project. |
OWNERSHIP | Ownership of the project. Take all actions on the project and all objects it contains.
|
SELECT |
|
TRUNCATE | Execute the truncate operation on all Apache Iceberg tables in the project. |
UPDATE | Execute the update operation on all Apache Iceberg tables in the project. |
USAGE | Access the project. Users with direct privileges on objects in the project, including OWNERSHIP, cannot access the objects unless they also have the USAGE privilege on the project. |
VIEW JOB HISTORY | View the job history tables from the Jobs page for all users in the project. |
VIEW REFLECTION | View table metadata and reflections on all tables and views in the project, including the Reflections tab on the Edit Dataset page for the table or view, the Reflections sidebar in the project settings, reflection API endpoints for listing individual reflections and all reflections, and job history for reflections. |
Engine Privileges
PRIVILEGE | DESCRIPTION |
---|---|
MODIFY | Access and modify settings for the engine, including replica settings, replica auto-stop settings, time limits, and tags. |
MONITOR | View all settings for the engine, including replica settings, replica auto-stop settings, time limits, and tags. |
OPERATE | Start/enable and stop/disable the engine. |
USAGE | Run queries against the engine.
|
MANAGE GRANTS | Grant and revoke privileges on the engine. |
OWNERSHIP | Ownership of the engine. Take all actions on the engine.
|
Identity Provider Privileges
PRIVILEGE | DESCRIPTION |
---|---|
MODIFY | Access and modify settings for the identity provider. |
MONITOR | View all settings for the identity provider. |
OWNERSHIP | Ownership of the identity provider. Take all actions on the identity provider, including modifying settings and deleting the identity provider.
|
Source Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALTER |
|
ALTER REFLECTION | Create, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections. |
CREATE TABLE | Create tables using CREATE TABLE and CREATE TABLE AS SELECT (CTAS) in the source.
|
DELETE | Execute the delete operation on all Apache Iceberg tables in the source. |
DROP | Remove tables from the source.
|
EXTERNAL QUERY | Run external queries on the source.
|
INSERT | Execute the insert operation on all Apache Iceberg tables in the source. |
MODIFY | Access and modify settings on the source. |
MANAGE GRANTS | Grant and revoke privileges on the source and the objects it contains. |
OWNERSHIP | Allows all actions on the source and all objects it contains.
|
SELECT |
|
TRUNCATE | Execute the truncate operation on all Apache Iceberg tables in the source. |
UPDATE | Execute the update operation on all Apache Iceberg tables in the source. |
VIEW REFLECTION | View reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections. |
Folder Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALTER |
|
ALTER REFLECTION | Create, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections. |
DELETE | Execute the delete operation on all Apache Iceberg tables in the folder. |
DROP | Remove tables from the source.
|
INSERT | Execute the insert operation on all Apache Iceberg tables in the folder. |
MANAGE GRANTS | Grant and revoke privileges on the folder and the objects it contains. |
OWNERSHIP | Allows all actions on the folder and all objects it contains.
|
SELECT |
|
TRUNCATE | Execute the truncate operation on all Apache Iceberg tables in the folder. |
UPDATE | Execute the update operation on all Apache Iceberg tables in the folder. |
VIEW REFLECTION | View reflections on all tables and views in the folder. Includes reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections. |
Table Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALTER | Edit the table's wiki, definitions, and settings and issue commands to manage metadata (including REFRESH and FORGET ) for the table. |
DELETE | Execute the delete operation (Apache Iceberg tables only). |
INSERT | Execute the insert operation (Apache Iceberg tables only). |
MANAGE GRANTS | Grant and revoke privileges on the table. |
OWNERSHIP | Allows all actions on the table.
|
SELECT |
|
TRUNCATE | Execute the truncate operation (Apache Iceberg tables only). |
UPDATE | Execute the update operation (Apache Iceberg tables only). |
View Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALTER | Edit the view's wiki, definitions, and settings. |
DELETE | Execute the delete operation (views created from Apache Iceberg tables only). |
INSERT | Execute the insert operation (views created from Apache Iceberg tables only). |
MANAGE GRANTS | Grant and revoke privileges on the view. |
OWNERSHIP | Allows all actions on the view.
|
SELECT |
|
TRUNCATE | Execute the truncate operation (views created from Apache Iceberg tables only). |
UPDATE | Execute the update operation (views created from Apache Iceberg tables only). |
Script Privileges
PRIVILEGE | DESCRIPTION |
---|---|
VIEW | View the script. |
MODIFY | Modify the script. |
DELETE | Delete the script. |
MANAGE GRANTS | Grant and revoke privileges on the script. |
User Privileges
PRIVILEGE | DESCRIPTION |
---|---|
OWNERSHIP | Take all actions on the user, including setting a new password, changing the user type from local (internal) to external, granting and revoking user privileges, and transferring ownership using the GRANT OWNERSHIP SQL command.
|
Role Privileges
PRIVILEGE | DESCRIPTION |
---|---|
OWNERSHIP | Take all actions on the role, including adding and removing role members, granting and revoking role privileges, and transferring ownership using the GRANT OWNERSHIP SQL command.
|
ALL Privilege
The ALL privilege is available on all objects in Dremio. Granting the ALL privilege on an object grants the user or role all possible privileges, except OWNERSHIP, on the object.
The ALL privilege grants a static set of privileges that includes only the privileges that exist when you run the grant command. ALL privilege grants are not automatically updated to include new privileges that become available later.
Revoking the ALL privilege on a parent object does not change any privileges that are directly assigned on child objects. For example, if you grant the SELECT privilege on Table 1 in Organization A to User 1 and then grant the ALL privilege on Organization A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Organization A for User 1, User 1 retains the SELECT privilege on Table 1.