Privileges
The following sections describe the supported privileges for each type of securable object.
Organization Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user/role all possible privileges for an organization, except OWNERSHIP. This includes all possible privileges for the projects, clouds, Arctic catalog, and Identity Providers within the organization. |
CONFIGURE SECURITY | Grants privileges to configure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications. |
CREATE BILLING ACCOUNT | Grants the privilege to create a new billing account, which is used to handle usage invoices if you are using Enterprise edition. The account creator is the default owner. |
CREATE CATALOG | Grants the privilege to create a new Dremio Arctic catalog. The catalog creator is the default owner. |
CREATE CLOUD | Grants the privilege to create a new cloud. The cloud creator is the default owner for the cloud. |
CREATE PROJECT | Grants the privilege to create a new project. The project creator is the default owner of the project. |
CREATE USER | Grants the privilege to create a user. The user responsible for its creation automatically becomes its owner. |
CREATE ROLE | Grants the privilege to create a role. The user responsible for its creation automatically becomes its owner. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of an organization and its child objects. |
OWNERSHIP | Grants ownership of an organization to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the organization. |
User Privileges
PRIVILEGE | DESCRIPTION |
---|---|
OWNERSHIP | Grants ownership of a user to a user/role. |
Role Privileges
PRIVILEGE | DESCRIPTION |
---|---|
OWNERSHIP | Grants ownership of a role to a user/role. |
Sonar Project Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a project, except OWNERSHIP. This includes all possible privileges for the sources within the project. |
ALTER | Grants the ALTER privilege on all sources in the project. This enables users/roles to: |
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on all tables and views in a project. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on all tables and views in a project. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
CREATE SOURCE | Grants privileges to create new data sources in a project. |
UPLOAD | Grants privileges to allow a user to upload files into their home space. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on all tables in a project. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on all sources in the project. This enables users/roles to: |
CREATE TABLE | Grant privileges to:
Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources. |
EXTERNAL QUERY | Grant privilege to run the external_query table function on external non-datalake sources in a project. Note: This privilege applies only to Oracle, SQL Server, MySQL, AWS Redshift, and PostgreSQL sources and to Dremio Hub connectors that use ARP (Advanced Relational Pushdown). |
VIEW JOB HISTORY | Grant privilege to view the job history tables (for all users) of a project from the Jobs page. |
MODIFY | Grant privileges to access and modify workload management settings in a project including: |
MONITOR | Grant privileges to read all current project settings. |
OPERATE | Grant privilege to start/enable and stop/disable all engines in a project. |
USAGE | Grant privilege to access the project. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a project and its child objects (sources). |
OWNERSHIP | Grants ownership of a project to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the project. |
Cloud Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a cloud, except OWNERSHIP. |
MODIFY | Grant privileges to access and modify cloud settings. |
MONITOR | Grant privileges to read all cloud settings. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a cloud. |
OWNERSHIP | Grants ownership of a cloud to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the cloud. |
Identity Provider Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for an Identity Provider, except OWNERSHIP. |
MODIFY | Grant privileges to access and modify Identity Provider settings. |
MONITOR | Grant privileges to read all Identity Provider settings. |
OWNERSHIP | Grants ownership of an Identity Provider to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner. |
Engine Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for an engine, except OWNERSHIP. |
MODIFY | Grant privileges to access and modify engine settings including: |
MONITOR | Grant privileges to read all engine settings including: |
OPERATE | Grant privilege to start/enable and stop/disable an engine. |
USAGE | Grant privilege to run queries against the engine. By default, USAGE privilege on all engines is granted to the PUBLIC role, but this can be revoked manually. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of an engine. |
OWNERSHIP | Grants ownership of an engine to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the engine. |
Source Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a source, except OWNERSHIP. This includes all possible privileges for the folders and tables within the source. |
ALTER | Grants the ALTER privilege on the source, including the folders and tables within the source. This enables users/roles to: |
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on all tables in a source. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on all tables in a source. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on all tables in a source. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants SELECT on all folders and tables within the source. This enables the user/role to: |
CREATE TABLE | Grant privileges to:
Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources. |
EXTERNAL QUERY | Grant privilege to run the external_query table function on the source. Note: This privilege applies only to Oracle, SQL Server, MySQL, AWS Redshift, and PostgreSQL sources and to Dremio Hub connectors that use ARP (Advanced Relational Pushdown). |
MODIFY | Grant privileges to access and modify source settings. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a source and its child objects (folders and tables). |
OWNERSHIP | Grants ownership of a source to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the source. |
Folder Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a folder, except OWNERSHIP. This includes all possible privileges for the folders, tables, and views within the folder. |
ALTER | Grants the ALTER privilege on all folders, tables, and views in the folder. This enables users/roles to: |
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on all tables and views in a folder. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on all tables and views in a folder. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on all tables and views in a folder. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on all folders, tables, and views in the folder. This enables users/roles to: |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a folder and its child objects (folders, tables, and views). |
OWNERSHIP | Grants ownership of a folder to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the folder. |
Table Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a table, except OWNERSHIP. |
ALTER | Grants the ALTER privilege on a table. This enables users/roles to: |
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on a table. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on a table. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on a table. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on a table. This enables users/roles to: |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a table. |
OWNERSHIP | Grants ownership of a table to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the table. |
View Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a view, except OWNERSHIP. |
ALTER | Grants the ALTER privilege on a view. This enables users/roles to: |
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on a view. Includes all interfaces including the view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on a view. Includes all interfaces including the view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on a view. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on a view. This enables users/roles to: |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a view. |
OWNERSHIP | Grants ownership of a view to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the view. |
UDF (User Defined Function) Privileges
PRIVILEGE | DESCRIPTION |
---|---|
EXECUTE | Grant privilege to execute the associated user-defined function (UDF) for the purposes of querying tables/views with row-access or column-masking filters applied. |
OWNERSHIP | Grants ownership of a UDF to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner. |
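An added example, not taken from the Dremio documentation: a small resolver that applies the scope rules stated in the tables above (a grant on a parent object covers its child objects, and ALL covers every privilege except OWNERSHIP) to show who can effectively read, or re-grant access to, one table. The grant records, principals and object paths are constructed, and treating inheritance as transitive down the whole path is an assumption.

```python
# Constructed sample grants: (principal, privilege, scope). A scope is the
# object's path: organization, project, source, folder(s), table.
GRANTS = [
    ("role:analysts", "SELECT", ("acme", "sales", "s3lake", "curated")),
    ("role:etl", "ALL", ("acme", "sales", "s3lake")),
    ("user:dana", "MANAGE GRANTS", ("acme", "sales")),
    ("role:PUBLIC", "SELECT", ("acme", "sales", "s3lake", "curated", "orders")),
    ("user:lee", "OWNERSHIP", ("acme", "sales", "s3lake", "raw")),
]

def covers(scope, target):
    """A grant on a parent object also applies to its child objects."""
    return target[:len(scope)] == scope

def implies(granted, wanted):
    """ALL stands for every privilege of the scope except OWNERSHIP."""
    return granted == wanted or (granted == "ALL" and wanted != "OWNERSHIP")

def who_can(privilege, target, grants=GRANTS):
    """Map each principal holding `privilege` on `target` to the broadest
    scope that gives it. OWNERSHIP is matched on the exact object only
    (assumption: the tables do not describe it as inherited)."""
    found = {}
    for principal, granted, scope in grants:
        if privilege == "OWNERSHIP" and scope != target:
            continue
        if covers(scope, target) and implies(granted, privilege):
            if principal not in found or len(scope) < len(found[principal]):
                found[principal] = scope
    return found

def ownership_transferers(target, grants=GRANTS):
    """The owner, plus anyone with effective MANAGE GRANTS on the object."""
    owners = set(who_can("OWNERSHIP", target, grants))
    return owners | set(who_can("MANAGE GRANTS", target, grants))

if __name__ == "__main__":
    orders = ("acme", "sales", "s3lake", "curated", "orders")
    for principal, scope in sorted(who_can("SELECT", orders).items()):
        print(f"SELECT on orders: {principal} via {'.'.join(scope)}")
    # role:etl never received MANAGE GRANTS by name; ALL on the source implies it.
    print("can re-grant orders:", sorted(who_can("MANAGE GRANTS", orders)))
    print("can transfer raw:", sorted(ownership_transferers(orders[:3] + ("raw",))))
```

In an access review, the principals returned for MANAGE GRANTS and by `ownership_transferers` are the ones to scrutinise first, since they can widen access for everyone else.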