Privileges

The following sections describe the supported privileges for each type of securable object.

Organization Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user/role all possible privileges for an organization, except OWNERSHIP. This includes all possible privileges for the projects, clouds, Arctic catalog, and Identity Providers within the organization.
CONFIGURE SECURITY	Grants privileges to configure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications.
CREATE BILLING ACCOUNT	Grants the privilege to create a new billing account, which is used to handle usage invoices if you are using Enterprise edition. The account creator is the default owner.
CREATE CATALOG	Grants the privilege to create a new Dremio Arctic catalog. The catalog creator is the default owner.
CREATE CLOUD	Grants the privilege to create a new cloud. The cloud creator is the default owner for the cloud.
CREATE PROJECT	Grants the privilege to create a new project. The project creator is the default owner of the project.
CREATE USER	Grants the privilege to create a user. The user responsible for its creation automatically becomes its owner.
CREATE ROLE	Grants the privilege to create a role. The user responsible for its creation automatically becomes its owner.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of an organization and its child objects.
OWNERSHIP	Grants ownership of an organization to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the organization. Only a single entity (user/role) can hold this privilege on a specific object at a time. Allows all actions on the organization and child objects within the organization (projects, clouds, Arctic catalogs, and Identity Providers). Actions include modifying object settings, granting/revoking privileges to users and roles, deleting the object, and more.

User Privileges

PRIVILEGE	DESCRIPTION
OWNERSHIP	Grants ownership of a user to a user/role. Only a single entity (user/role) can hold this privilege on a specific object at a time.

Role Privileges

PRIVILEGE	DESCRIPTION
OWNERSHIP	Grants ownership of a role over to a user/role. Only a single entity (user/role) can hold this privilege on a specific object at a time.

Sonar Project Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for a project, except OWNERSHIP. This includes all possible privileges for the sources within the project.
ALTER	Grants the ALTER privilege on all sources in the project. This enables users/roles to: Edit the wikis of all sources, folders, tables, and views in the project. Edit table or view definitions or settings of all tables and views in the object. If a Space or folder in a space: Create & Delete views in scope. Add or Remove a folder in the object. If a Source or folder in a source: Promote & demote tables. On sources allows “ALTER SOURCE name REFRESH STATUS”. If a table dataset: Issue commands to manage metadata (including refresh and forget).
ALTER REFLECTION	Grants privileges to Create, Edit and View Reflections on all tables and views in a project. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION	Grants privileges to View Reflections on all tables and views in a project. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the Rest API endpoints (both individual reflections and list all reflections), includes job history for reflection.
CREATE SOURCE	Grants privileges to create new data sources in a project.
UPLOAD	Grants privileges to allow a user to upload files into their home space.
INSERT UPDATE DELETE TRUNCATE	Grant privileges to execute the associated DML operation on all tables in a project. Note: This is only supported with Apache Iceberg tables.
SELECT	Grants the SELECT privilege on all sources in the project. This enables users/roles to: Read data from all tables and views in the project. View schema definition of all tables and views in the project. View the wikis of all sources and folders in the project. View the wiki and labels of all tables and views in the project. View the graph of all tables and views in the project. Promote tables.
CREATE TABLE	Grant privileges to: Create tables using CREATE TABLE SQL in sources. Creates tables using CREATE TABLE AS SELECT (CTAS) SQL in sources. Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources.
EXTERNAL QUERY	Grant privilege to run the external_query table function on external non-datalake sources in a project. Note: This privilege applies to only Oracle, SQL Server, MySQL, AWS Redshift, PostgresSQL sources and Dremio Hub connectors that use ARP(Advanced Relational Pushdown).
VIEW JOB HISTORY	Grant privilege to view the job history tables (for all users) of a project from the Jobs page.
MODIFY	Grant privileges to access and modify workload management settings in a project including: create/modify/delete engines. engine routing. queues. view node activity.
MONITOR	Grant privileges to read all current project settings.
OPERATE	Grant privilege to start/enable and stop/disable all engines in a project.
USAGE	Grant privilege to access the project. Users with direct privileges on objects in a project, including ownership, cannot query the objects unless they have the USAGE privilege on the project.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of a project and its child objects (sources).
OWNERSHIP	Grants ownership of a project to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the project. Only a single entity (user/role) can hold this privilege on a specific object at a time. Allows all actions on the project and sources within the project. Actions include modifying object settings, granting/revoking privileges to users and roles, deleting the object, and more.

Cloud Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for a cloud, except OWNERSHIP.
MODIFY	Grant privileges to access and modify cloud settings.
MONITOR	Grant privileges to read all cloud settings.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of a cloud.
OWNERSHIP	Grants ownership of a cloud to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the cloud. Only a single entity (user/role) can hold this privilege on a specific object at a time. Allows all actions on the cloud including modifying cloud settings, granting/revoking user and role access, and deleting the cloud.

Identity Provider Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for an Identity Provider, except OWNERSHIP.
MODIFY	Grant privileges to access and modify Identity Provider settings.
MONITOR	Grant privileges to read all Identity Provider settings.
OWNERSHIP	Grants ownership of an Identity Provider to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner. Only a single entity (user/role) can hold this privilege on a specific object at a time. Allows all actions on the Identity Provider including modifying settings and deleting the Identity Provider.

Engine Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for an engine, except OWNERSHIP.
MODIFY	Grant privileges to access and modify engine settings including: Setting replicas. Replica Auto-Stop. Time Limits. Tags.
MONITOR	Grant privileges to read all engine settings including: Viewing Replicas. Viewing Replica Auto-Stop. Viewing Time Limits. Viewing Tags.
OPERATE	Grant privilege to start/enable and stop/disable an engine.
USAGE	Grant privilege to run queries against the engine. By default, USAGE privilege on all engines is granted to the PUBLIC role, but this can be revoked manually.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of an engine.
OWNERSHIP	Grants ownership of an engine to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the engine. Only a single entity (user/role) can hold this privilege on a specific object at a time. Allows all actions on the engine.

Source Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for a source, except OWNERSHIP. This includes all possible privileges for the folders and tables within the source.
ALTER	Grants the ALTER privilege on the source, including the folders and tables within the source. This enables users/roles to: Edit the source's wiki and the wikis of all folders and tables in the source. Edit table definitions or settings of all tables in the source. If a Source or folder in a source: Promote & demote tables. On sources allows “ALTER SOURCE name REFRESH STATUS”. If a table dataset: Issue commands to manage metadata (including refresh and forget).
ALTER REFLECTION	Grants privileges to Create, Edit and View Reflections on all tables in a source. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION	Grants privileges to View Reflections on all tables in a source. Includes all interfaces including the table reflection pages, the admin reflection pages and the Rest API endpoints (both individual reflections and list all reflections), includes job history for reflection.
INSERT, UPDATE, DELETE, TRUNCATE	Grant privileges to execute the associated DML operation on all tables in a source. Note: This is only supported with Apache Iceberg tables.
SELECT	Grants SELECT on all folders and tables within the source. This enables the user/role to: Read data from all tables. View schema definition of all tables. View the wikis of all folders. View the wiki and labels of all tables. View the graph of all tables. Promote tables.
CREATE TABLE	Grant privileges to: Create a table using CREATE TABLE AS SELECT (CTAS) in source. Create tables using CREATE TABLE in source. Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources.
EXTERNAL QUERY	Grant privilege to run the external_query table function on the source. Note:This privilege applies to only Oracle, SQL Server, MySQL, AWS Redshift, PostgresSQL sources and Dremio Hub connectors that use ARP(Advanced Relational Pushdown).
MODIFY	Grant privileges to access and modify source settings.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of a source and its child objects (folders and tables).
OWNERSHIP	Grants ownership of a source to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the source. Only a single entity (user/role) can hold this privilege on a specific object at a time. Source owners cannot query the source unless they have the USAGE privilege on the project that contains the source. Once they are granted the USAGE privilege on the project, source owners have all other implicit privileges on the source and folders and tables within the source. Actions include modifying source settings, granting/revoking privileges to users and roles, deleting the source, and more.

Folder Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for a folder, except OWNERSHIP. This includes all possible privileges for the folders, tables, and views within the folder.
ALTER	Grants the ALTER privilege on all folders, tables, and views in the folder. This enables users/roles to: Edit the wikis of the folder and all tables and views in the folder. Edit table or view definitions or settings of all tables and views. If a folder in a space: Create & Delete tables and views. Add or Remove a folder in the object. If a table dataset: Issue commands to manage metadata (including refresh and forget).
ALTER REFLECTION	Grants privileges to Create, Edit and View Reflections on all tables and views in a folder. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION	Grants privileges to View Reflections on all tables and views in a folder. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the Rest API endpoints (both individual reflections and list all reflections), includes job history for reflection.
INSERT, UPDATE, DELETE, TRUNCATE	Grant privileges to execute the associated DML operation on all tables and views in a folder. Note: This is only supported with Apache Iceberg tables.
SELECT	Grants the SELECT privilege on all folders, tables, and views in the folder. This enables users/roles to: Read data from all tables and views. View schema definition of all tables and views. View the folder's wiki and the wikis and labels of all tables and views. View the graph of all tables and views. Promote tables in folders.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of a folder and its child objects (folders, tables, and views).
OWNERSHIP	Grants ownership of a folder to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the folder. Only a single entity (user/role) can hold this privilege on a specific object at a time. Folder owners cannot access the folder or the objects in the folder unless they have the USAGE privilege on the project that contains the folder. Once they are granted the USAGE privilege on the project, folder owners have all other implicit privileges on the folder and folders, tables, and views within the source. Actions include modifying folder settings, granting/revoking privileges to users and roles, deleting the folder, and more.

Table Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for a table, except OWNERSHIP.
ALTER	Grants the ALTER privilege on a table. This enables users/roles to: Edit the wiki of the table. Edit table definitions or settings of the table. Issue commands to manage metadata of the table (including refresh and forget).
ALTER REFLECTION	Grants privileges to Create, Edit and View Reflections on a table. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION	Grants privileges to View Reflections on a table. Includes all interfaces including the table reflection pages, the admin reflection pages and the Rest API endpoints (both individual reflections and list all reflections), includes job history for reflection.
INSERT, UPDATE, DELETE, TRUNCATE	Grant privileges to execute the associated DML operation on a table. Note: This is only supported with Apache Iceberg tables.
SELECT	Grants the SELECT privilege on a table. This enables users/roles to: Read data from the table. View schema definition of the table. View the wiki and labels of the table. View the graph of the table. Promote the table. For Arctic tables, see the table definition.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of a table.
OWNERSHIP	Grants ownership of a table to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the table. Only a single entity (user/role) can hold this privilege on a specific object at a time. Table owners cannot access the table unless they have the USAGE privilege on the project that contains the table. Once they are granted the USAGE privilege on the project, table owners have all other implicit privileges on the table. Actions include modifying table settings, granting/revoking privileges to users and roles, deleting the table, and more.

View Privileges

PRIVILEGE	DESCRIPTION
ALL	Grant the user all possible privileges for a view, except OWNERSHIP.
ALTER	Grants the ALTER privilege on a view. This enables users/roles to: Edit the wiki of the view. Edit view definitions or settings of the view.
ALTER REFLECTION	Grants privileges to Create, Edit and View Reflections on a view. Includes all interfaces including the view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION	Grants privileges to View Reflections on a view. Includes all interfaces including the view reflection pages, the admin reflection pages and the Rest API endpoints (both individual reflections and list all reflections), includes job history for reflection.
INSERT, UPDATE, DELETE, TRUNCATE	Grant privileges to execute the associated DML operation on a view. Note: This is only supported with Apache Iceberg tables.
SELECT	Grants the SELECT privilege on a view. This enables users/roles to: Read data from the view. Read schema definition of the view. Read the wiki and labels of the view. Read the graph of the view. See the view definition.
MANAGE GRANTS	Grants the ability to grant or revoke privileges of a view.
OWNERSHIP	Grants ownership of a view to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the view. Only a single entity (user/role) can hold this privilege on a specific object at a time. View owners cannot access the view unless they have the USAGE privilege on the project that contains the view. Once they are granted the USAGE privilege on the project, view owners have all other implicit privileges on the view. Actions include modifying view settings, granting/revoking privileges to users and roles, deleting the view, and more.

UDF (User Defined Function) Privileges

PRIVILEGE	DESCRIPTION
EXECUTE	Grant privilege to execute the associated user-defined function (UDF) for the purposes of querying tables/view with row-access or column-masking filters applied. Only the owner of a UDF may view or edit the associated function. Users or roles must have this privilege in order to apply filtering and masking policies.
OWNERSHIP	Grants ownership of an UDF to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner. Only a single entity (user/role) can hold this privilege on a specific object at a time. UDF owners cannot access the UDF unless they have the USAGE privilege on the project that contains the UDF. Once they are granted the USAGE privilege on the project, UDF owners have all other implicit privileges on the UDF. Actions include modifying UDF settings and deleting the UDF.

PRIVILEGE

DESCRIPTION

EXECUTE

Grant privilege to execute the associated user-defined function (UDF) for the purposes of querying tables/view with row-access or column-masking filters applied.

Only the owner of a UDF may view or edit the associated function. Users or roles must have this privilege in order to apply filtering and masking policies.

OWNERSHIP

Grants ownership of an UDF to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner.

Only a single entity (user/role) can hold this privilege on a specific object at a time.
UDF owners cannot access the UDF unless they have the USAGE privilege on the project that contains the UDF. Once they are granted the USAGE privilege on the project, UDF owners have all other implicit privileges on the UDF. Actions include modifying UDF settings and deleting the UDF.

Privileges

Organization Privileges​

User Privileges​

Role Privileges​

Sonar Project Privileges​

Cloud Privileges​

Identity Provider Privileges​

Engine Privileges​

Source Privileges​

Folder Privileges​

Table Privileges​

View Privileges​

UDF (User Defined Function) Privileges​