Privileges

The following sections describe the supported privileges for each type of securable object.

note

Privileges that are inheritable also implicitly apply to child objects through inheritance.

For organizations, child objects include clouds; projects; engines; identity providers; sources and the folders, tables, and views they contain; scripts; users; and roles.
For sources, child objects include the folders, tables, and views the source contains.
For folders, child objects include the tables and views the folder contains, as well as any nested folders and their contents.

Organization Privileges

PRIVILEGE	DESCRIPTION
CONFIGURE SECURITY	Configure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications.
CONFIGURE BILLING	Create billing accounts, which are used to manage usage invoices for Enterprise users. Each account's creator is its default owner.
CREATE CATALOG	Create Arctic catalogs. Each catalog's creator is its default owner.
CREATE CLOUD	Create clouds. Each cloud's creator is its default owner.
CREATE PROJECT	Create projects. Each project's creator is its default owner.
CREATE ROLE	Create roles. Each role's creator is its default owner.
CREATE USER	Create users. Each user's creator is its default owner.
MANAGE GRANTS	Grant or revoke privileges on the organization and all objects it contains.
OWNERSHIP	Ownership of the organization. Take all actions on the organization and all objects it contains. Only one user or role (not both) can hold this privilege on the organization at a time. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.

Cloud Privileges

PRIVILEGE	DESCRIPTION
MANAGE GRANTS	Grant and revoke privileges on the cloud.
MODIFY	Access and modify settings for the cloud.
MONITOR	View all settings for the cloud.
OWNERSHIP	Ownership of the cloud. Take all actions on the cloud, including modifying settings, granting and revoking user and role access, and deleting the cloud. Only one user or role (not both) can hold this privilege on the cloud at a time. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.

Sonar Project Privileges

PRIVILEGE	DESCRIPTION
ALTER	Edit the wikis of all sources, folders, tables, and views in the project. Edit the definitions and settings of all tables and views in the project. Promote and demote all tables in the project. Create and delete views in the project. Add and remove folders in the project. Issue `ALTER SOURCE <source_name> REFRESH STATUS` commands. Issue commands to manage metadata (including `REFRESH` and `FORGET`) for all tables in the project.
ALTER REFLECTION	Create, edit, and view reflections on all tables and views in the project. Includes table and view reflection pages, admin reflection pages, the API endpoints for listing individual reflections and all reflections), and job history for reflections.
CREATE SOURCE	Create new sources in the project.
CREATE TABLE	Create tables using `CREATE TABLE` and `CREATE TABLE AS SELECT` (CTAS). This privilege is only supported for project sources that support mutability.
DELETE	Execute the delete operation on all Apache Iceberg tables in the project.
DROP	Remove tables from the project. This privilege is only supported for sources that support mutability.
EXTERNAL QUERY	Run external queries on sources in the project. This privilege is only supported for Amazon Redshift, Microsoft SQL Server, MySQL, and PostgreSQL sources and Dremio Hub connectors that use advanced relational pushdown (ARP).
INSERT	Execute the insert operation on all Apache Iceberg tables in the project.
MANAGE GRANTS	Grant and revoke privileges on the project and the objects it contains.
MODIFY	Access, create, modify, and delete workload management settings in a project, including engines, engine routing, and queues, and view node activity.
MONITOR	View all settings for the project.
OPERATE	Start/enable and stop/disable all engines in the project.
OWNERSHIP	Ownership of the project. Take all actions on the project and all objects it contains. Only one user or role (not both) can hold this privilege on the project at a time. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.
SELECT	View data from all tables and views in the project. View the schema definitions of all tables and views in the project. View the wikis of all sources, folders, tables, and views in the project. View the labels of all tables and views in the project. View the graphs of all tables and views in the project. Promote and demote all tables in the project.
TRUNCATE	Execute the truncate operation on all Apache Iceberg tables in the project.
UPDATE	Execute the update operation on all Apache Iceberg tables in the project.
USAGE	Access the project. Users with direct privileges on objects in the project, including OWNERSHIP, cannot access the objects unless they also have the USAGE privilege on the project.
VIEW JOB HISTORY	View the job history tables from the Jobs page for all users in the project.
VIEW REFLECTION	View table metadata and reflections on all tables and views in the project, including the Reflections tab on the Edit Dataset page for the table or view, the Reflections sidebar in the project settings, reflection API endpoints for listing individual reflections and all reflections, and job history for reflections.

Engine Privileges

PRIVILEGE	DESCRIPTION
MODIFY	Access and modify settings for the engine, including replica settings, replica auto-stop settings, time limits, and tags.
MONITOR	View all settings for the engine, including replica settings, replica auto-stop settings, time limits, and tags.
OPERATE	Start/enable and stop/disable the engine.
USAGE	Run queries against the engine. The PUBLIC role is granted the USAGE privilege on all engines by default, but the privilege can be revoked.
MANAGE GRANTS	Grant and revoke privileges on the engine.
OWNERSHIP	Ownership of the engine. Take all actions on the engine. Only one user or role (not both) can hold this privilege on the engine at a time. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.

Identity Provider Privileges

PRIVILEGE	DESCRIPTION
MODIFY	Access and modify settings for the identity provider.
MONITOR	View all settings for the identity provider.
OWNERSHIP	Ownership of the identity provider. Take all actions on the identity provider, including modifying settings and deleting the identity provider. Only one user or role (not both) can hold this privilege on the identity provider at a time. The owner can transfer ownership using the `GRANT OWNERSHIP` command.

Source Privileges

PRIVILEGE	DESCRIPTION
ALTER	Edit the wikis of the source and the folders and tables it contains. Edit the definitions and settings of all tables in the source. Promote and demote all tables in the source. Add and remove folders in the source. Issue `ALTER SOURCE <source_name> REFRESH STATUS` commands. Issue commands to manage metadata (including `REFRESH` and `FORGET`) for all tables in the source.
ALTER REFLECTION	Create, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
CREATE TABLE	Create tables using `CREATE TABLE` and `CREATE TABLE AS SELECT` (CTAS) in the source. This privilege is only supported for project sources that support mutability.
DELETE	Execute the delete operation on all Apache Iceberg tables in the source.
DROP	Remove tables from the source. This privilege is only supported for sources that support mutability.
EXTERNAL QUERY	Run external queries on the source. This privilege is only supported for Amazon Redshift, Microsoft SQL Server, MySQL, and PostgreSQL sources and Dremio Hub connectors that use advanced relational pushdown (ARP).
INSERT	Execute the insert operation on all Apache Iceberg tables in the source.
MODIFY	Access and modify settings on the source.
MANAGE GRANTS	Grant and revoke privileges on the source and the objects it contains.
OWNERSHIP	Allows all actions on the source and all objects it contains. Only one user or role (not both) can hold this privilege on the source at a time. Source owners cannot query the source unless they have the USAGE privilege on the project that contains the source. Once they are granted the USAGE privilege on the project, source owners have all other implicit privileges on the source and the objects it contains. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.
SELECT	View data from all folders and tables in the source. View the schema definition of all tables in the source. View the wikis of all folders in the source. View the wikis and labels of all tables in the source. View the graphs of all tables in the source. Promote tables in the source.
TRUNCATE	Execute the truncate operation on all Apache Iceberg tables in the source.
UPDATE	Execute the update operation on all Apache Iceberg tables in the source.
VIEW REFLECTION	View reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Folder Privileges

PRIVILEGE	DESCRIPTION
ALTER	Edit the wikis of the folder and the subfolders, tables, and views it contains. Edit the definitions and settings of all tables and views in the folder. Promote and demote all tables in the folder. Create and delete tables and views in the folder. Create and delete subfolders in the folder. Issue commands to manage metadata (including `REFRESH` and `FORGET`) for all tables in the folder.
ALTER REFLECTION	Create, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
DELETE	Execute the delete operation on all Apache Iceberg tables in the folder.
DROP	Remove tables from the source. This privilege is only supported for folders in sources that support mutability.
INSERT	Execute the insert operation on all Apache Iceberg tables in the folder.
MANAGE GRANTS	Grant and revoke privileges on the folder and the objects it contains.
OWNERSHIP	Allows all actions on the folder and all objects it contains. Only one user or role (not both) can hold this privilege on the folder at a time. Folder owners cannot access the folder or the object it contains unless they have the USAGE privilege on the project that contains the folder. Once they are granted the USAGE privilege on the project, folder owners have all other implicit privileges on the folder and the objects it contains. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.
SELECT	View data from the folder and the objects it contains. View the schema definition of all tables in the folder. View the wikis of the folders and any subfolders it contains. View the wikis and labels of all tables in the folder. View the graph of all tables in the folder. Promote tables in the folder.
TRUNCATE	Execute the truncate operation on all Apache Iceberg tables in the folder.
UPDATE	Execute the update operation on all Apache Iceberg tables in the folder.
VIEW REFLECTION	View reflections on all tables and views in the folder. Includes reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Table Privileges

PRIVILEGE	DESCRIPTION
ALTER	Edit the table's wiki, definitions, and settings and issue commands to manage metadata (including `REFRESH` and `FORGET`) for the table.
DELETE	Execute the delete operation (Apache Iceberg tables only).
INSERT	Execute the insert operation (Apache Iceberg tables only).
MANAGE GRANTS	Grant and revoke privileges on the table.
OWNERSHIP	Allows all actions on the table. Only one user or role (not both) can hold this privilege on the table at a time. Table owners cannot access the table unless they have the USAGE privilege on the project that contains the table. Once they are granted the USAGE privilege on the project, table owners have all other implicit privileges on the table. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.
SELECT	View data from the table. View the schema definition of the table. View the table's wiki and labels. View the table's graph.
TRUNCATE	Execute the truncate operation (Apache Iceberg tables only).
UPDATE	Execute the update operation (Apache Iceberg tables only).

View Privileges

PRIVILEGE	DESCRIPTION
ALTER	Edit the view's wiki, definitions, and settings.
DELETE	Execute the delete operation (views created from Apache Iceberg tables only).
INSERT	Execute the insert operation (views created from Apache Iceberg tables only).
MANAGE GRANTS	Grant and revoke privileges on the view.
OWNERSHIP	Allows all actions on the view. Only one user or role (not both) can hold this privilege on the view at a time. View owners cannot access the view unless they have the USAGE privilege on the project that contains the view. Once they are granted the USAGE privilege on the project, view owners have all other implicit privileges on the view. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the `GRANT OWNERSHIP` command.
SELECT	View data from the view. View the schema definition of the view. View the view's wiki and labels. View the view's graph.
TRUNCATE	Execute the truncate operation (views created from Apache Iceberg tables only).
UPDATE	Execute the update operation (views created from Apache Iceberg tables only).

Script Privileges

PRIVILEGE	DESCRIPTION
VIEW	View the script.
MODIFY	Modify the script.
DELETE	Delete the script.
MANAGE GRANTS	Grant and revoke privileges on the script.

User Privileges

PRIVILEGE	DESCRIPTION
OWNERSHIP	Take all actions on the user, including setting a new password, changing the user type from local (internal) to external, granting and revoking user privileges, and transferring ownership using the `GRANT OWNERSHIP` SQL command. Only one user or role (not both) can hold this privilege on the user at a time.

Role Privileges

PRIVILEGE	DESCRIPTION
OWNERSHIP	Take all actions on the role, including adding and removing role members, granting and revoking role privileges, and transferring ownership using the `GRANT OWNERSHIP` SQL command. Only one user or role (not both) can hold this privilege on the role at a time.

ALL Privilege

The ALL privilege is available on all objects in Dremio. Granting the ALL privilege on an object grants the user or role all possible privileges, except OWNERSHIP, on the object.

The ALL privilege grants a static set of privileges that includes only the privileges that exist when you run the grant command. ALL privilege grants are not automatically updated to include new privileges that become available later.

Revoking the ALL privilege on a parent object does not change any privileges that are directly assigned on child objects. For example, if you grant the SELECT privilege on Table 1 in Organization A to User 1 and then grant the ALL privilege on Organization A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Organization A for User 1, User 1 retains the SELECT privilege on Table 1.

Organization Privileges​

Cloud Privileges​

Sonar Project Privileges​

Engine Privileges​

Identity Provider Privileges​

Source Privileges​

Folder Privileges​

Table Privileges​

View Privileges​

Script Privileges​

User Privileges​

Role Privileges​

ALL Privilege​