
Privileges

The following sections describe the supported privileges for each type of securable object.

Organization Privileges

ALL: Grants the user/role all possible privileges for an organization, except OWNERSHIP. Organization privileges that are inheritable also implicitly apply to child objects through inheritance.
  • For organizations, child objects include clouds; projects; engines; identity providers; sources and the folders, tables, and views they contain; scripts; users; and roles.
  • Revoking the ALL privilege on an organization does not change any privileges that are directly assigned on child objects in the organization. For example, if you grant the SELECT privilege on Table 1 in Organization A to User 1 and then grant the ALL privilege on Organization A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Organization A for User 1, User 1 retains the SELECT privilege on Table 1.
CONFIGURE SECURITY: Grants privileges to configure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications.
CREATE BILLING ACCOUNT: Grants the privilege to create a new billing account, which is used to handle usage invoices if you are using the Enterprise edition. The account creator is the default owner.
CREATE CATALOG: Grants the privilege to create a new Dremio Arctic catalog. The catalog creator is the default owner.
CREATE CLOUD: Grants the privilege to create a new cloud. The cloud creator is the default owner of the cloud.
CREATE PROJECT: Grants the privilege to create a new project. The project creator is the default owner of the project.
CREATE USER: Grants the privilege to create a user. The user who creates it automatically becomes its owner.
CREATE ROLE: Grants the privilege to create a role. The user who creates it automatically becomes its owner.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on an organization and its child objects.
OWNERSHIP: Grants ownership of an organization to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the organization.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Allows all actions on the organization and the child objects within it (projects, clouds, Arctic catalogs, and identity providers).
  • Actions include modifying object settings, granting/revoking privileges to users and roles, deleting the object, and more.

User Privileges

OWNERSHIP: Grants ownership of a user to a user/role.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.

Role Privileges

OWNERSHIP: Grants ownership of a role to a user/role.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.

Sonar Project Privileges

ALL: Grants the user all possible privileges for a project, except OWNERSHIP. Project privileges that are inheritable also implicitly apply to child objects through inheritance.
  • For projects, child objects include the project's engines and sources, and the folders, tables, and views those sources contain.
  • Revoking the ALL privilege on a project does not change any privileges that are directly assigned on child objects in the project. For example, if you grant the SELECT privilege on Folder 1 in Project A to User 1 and then grant the ALL privilege on Project A to User 1, User 1 inherits all privileges on Folder 1. If you later revoke the ALL privilege on Project A for User 1, User 1 retains the SELECT privilege on Folder 1.
ALTER: Grants the ALTER privilege on all sources in the project. This enables users/roles to:
  • Edit the wikis of all sources, folders, tables, and views in the project.
  • Edit table or view definitions or settings of all tables and views in the project.
  • If a space or a folder in a space:
    • Create and delete views in scope.
    • Add or remove a folder in the object.
  • If a source or a folder in a source:
    • Promote and demote tables.
    • On sources, run “ALTER SOURCE name REFRESH STATUS”.
  • If a table dataset:
    • Issue commands to manage metadata (including refresh and forget).
ALTER REFLECTION: Grants privileges to create, edit, and view reflections on all tables and views in a project. Covers all interfaces, including the table/view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION: Grants privileges to view table metadata and reflections on all tables and views in a project, including the Reflections tab on the Edit Dataset page for the table or view, the Reflections sidebar in the project Settings, the reflection API endpoints (both individual reflections and all reflections), and job history for reflections.
CREATE SOURCE: Grants privileges to create new data sources in a project.
UPLOAD: Grants privileges to allow a user to upload files into their home space.
INSERT, UPDATE, DELETE, TRUNCATE: Grants privileges to execute the associated DML operation on all tables in a project.
Note: This is only supported with Apache Iceberg tables.
SELECT: Grants the SELECT privilege on all sources in the project. This enables users/roles to:
  • Read data from all tables and views in the project.
  • View the schema definition of all tables and views in the project.
  • View the wikis of all sources and folders in the project.
  • View the wiki and labels of all tables and views in the project.
  • View the graph of all tables and views in the project.
  • Promote tables.
CREATE TABLE: Grants privileges to:
  • Create tables using CREATE TABLE SQL in sources.
  • Create tables using CREATE TABLE AS SELECT (CTAS) SQL in sources.

Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources.
EXTERNAL QUERY: Grants the privilege to run the external_query table function on external non-datalake sources in a project.
Note: This privilege applies only to Oracle, SQL Server, MySQL, AWS Redshift, and PostgreSQL sources and to Dremio Hub connectors that use ARP (Advanced Relational Pushdown).
VIEW JOB HISTORY: Grants the privilege to view the job history tables (for all users) of a project from the Jobs page.
MODIFY: Grants privileges to access and modify workload management settings in a project, including:
  • Create/modify/delete engines.
  • Engine routing.
  • Queues.
  • View node activity.
MONITOR: Grants privileges to read all current project settings.
OPERATE: Grants the privilege to start/enable and stop/disable all engines in a project.
USAGE: Grants the privilege to access the project. Users with direct privileges on objects in a project, including ownership, cannot query those objects unless they also have the USAGE privilege on the project.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a project and its child objects (sources).
OWNERSHIP: Grants ownership of a project to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the project.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Allows all actions on the project and the sources within the project.
  • Actions include modifying object settings, granting/revoking privileges to users and roles, deleting the object, and more.
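To make the inheritance, revocation, and USAGE rules above concrete, here is an added Python model of the behaviour this page describes. It is not Dremio code and not Dremio's actual authorization logic; the inheritable privilege set, the object kinds, and the scenario objects (Project A, source S, Folder 1, user1, user2) are assumptions chosen to replay the Folder 1 / Project A walkthrough and the owner-without-USAGE case.

```python
# Modelling assumption: the privileges this page calls "inheritable" from a parent object.
INHERITABLE = {"SELECT", "ALTER", "ALTER REFLECTION", "VIEW REFLECTION",
               "INSERT", "UPDATE", "DELETE", "TRUNCATE"}


class SecurableObject:
    def __init__(self, kind, parent=None, owner=None):
        self.kind, self.parent, self.owner = kind, parent, owner
        self.grants = {}  # principal -> set of privileges granted directly on this object


class Catalog:
    def __init__(self):
        self.objects = {}

    def add(self, name, kind, parent=None, owner=None):
        parent_obj = self.objects[parent] if parent else None
        self.objects[name] = SecurableObject(kind, parent_obj, owner)

    def grant(self, privilege, name, principal):
        self.objects[name].grants.setdefault(principal, set()).add(privilege)

    def revoke(self, privilege, name, principal):
        # Only the direct grant on this object goes away; direct grants on children stay.
        self.objects[name].grants.get(principal, set()).discard(privilege)

    def _lineage(self, obj):
        while obj is not None:  # the object itself, then each ancestor up to the root
            yield obj
            obj = obj.parent

    def effective(self, name, principal):
        """Direct grants plus inheritable privileges implied by ALL or ownership up the tree."""
        privs = set(self.objects[name].grants.get(principal, ()))
        for obj in self._lineage(self.objects[name]):
            held = obj.grants.get(principal, set())
            full = "ALL" in held or obj.owner == principal
            privs |= INHERITABLE if full else held & INHERITABLE
        return privs

    def can_query(self, name, principal):
        """SELECT alone is not enough: USAGE on the enclosing project is also required."""
        project = next((o for o in self._lineage(self.objects[name]) if o.kind == "project"), None)
        if project is None:
            return False
        held = project.grants.get(principal, set())
        has_usage = bool(held & {"USAGE", "ALL"}) or project.owner == principal
        return has_usage and "SELECT" in self.effective(name, principal)


def revoke_all_scenario():
    """The Folder 1 / Project A walkthrough from this page, plus the USAGE gate on owners."""
    c = Catalog()
    c.add("A", "project")
    c.add("S", "source", "A", owner="user2")
    c.add("F1", "folder", "S")
    c.grant("SELECT", "F1", "user1")
    c.grant("ALL", "A", "user1")
    before = c.effective("F1", "user1")  # everything inheritable, via ALL on A
    c.revoke("ALL", "A", "user1")
    after = c.effective("F1", "user1")  # the direct SELECT on F1 survives
    owner_blocked = not c.can_query("F1", "user2")  # owns S, but has no USAGE on A
    c.grant("USAGE", "A", "user2")
    return before, after, owner_blocked, c.can_query("F1", "user2")
```

Running revoke_all_scenario() shows user1 keeping only SELECT on Folder 1 after ALL is revoked on Project A, and the source owner user2 unable to query until USAGE on the project is granted.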

Cloud Privileges

ALL: Grants the user all possible privileges for a cloud, except OWNERSHIP.
MODIFY: Grants privileges to access and modify cloud settings.
MONITOR: Grants privileges to read all cloud settings.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a cloud.
OWNERSHIP: Grants ownership of a cloud to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the cloud.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Allows all actions on the cloud, including modifying cloud settings, granting/revoking user and role access, and deleting the cloud.

Identity Provider Privileges

ALL: Grants the user all possible privileges for an identity provider, except OWNERSHIP.
MODIFY: Grants privileges to access and modify identity provider settings.
MONITOR: Grants privileges to read all identity provider settings.
OWNERSHIP: Grants ownership of an identity provider to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Allows all actions on the identity provider, including modifying settings and deleting the identity provider.

Engine Privileges

ALL: Grants the user all possible privileges for an engine, except OWNERSHIP.
MODIFY: Grants privileges to access and modify engine settings, including:
  • Setting replicas.
  • Replica auto-stop.
  • Time limits.
  • Tags.
MONITOR: Grants privileges to read all engine settings, including:
  • Viewing replicas.
  • Viewing replica auto-stop.
  • Viewing time limits.
  • Viewing tags.
OPERATE: Grants the privilege to start/enable and stop/disable an engine.
USAGE: Grants the privilege to run queries against the engine. By default, the USAGE privilege on all engines is granted to the PUBLIC role, but it can be revoked manually.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on an engine.
OWNERSHIP: Grants ownership of an engine to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the engine.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Allows all actions on the engine.

Source Privileges

ALL: Grants the user all possible privileges for a source, except OWNERSHIP. Source privileges that are inheritable also implicitly apply to child objects through inheritance.
  • For sources, child objects include the folders, tables, and views the source contains.
  • Revoking the ALL privilege on a source does not change any privileges that are directly assigned on child objects in the source. For example, if you grant the SELECT privilege on Table 1 in Source A to User 1 and then grant the ALL privilege on Source A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Source A for User 1, User 1 retains the SELECT privilege on Table 1.
ALTER: Grants the ALTER privilege on the source, including the folders and tables within the source. This enables users/roles to:
  • Edit the source's wiki and the wikis of all folders and tables in the source.
  • Edit table definitions or settings of all tables in the source.
  • If a source or a folder in a source:
    • Promote and demote tables.
    • On sources, run “ALTER SOURCE name REFRESH STATUS”.
  • If a table dataset:
    • Issue commands to manage metadata (including refresh and forget).
ALTER REFLECTION: Grants privileges to create, edit, and view reflections on all tables in a source. Covers all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION: Grants privileges to view reflections on all tables in a source. Covers all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
INSERT, UPDATE, DELETE, TRUNCATE: Grants privileges to execute the associated DML operation on all tables in a source.
Note: This is only supported with Apache Iceberg tables.
SELECT: Grants SELECT on all folders and tables within the source. This enables the user/role to:
  • Read data from all tables.
  • View the schema definition of all tables.
  • View the wikis of all folders.
  • View the wiki and labels of all tables.
  • View the graph of all tables.
  • Promote tables.
CREATE TABLE: Grants privileges to:
  • Create a table using CREATE TABLE AS SELECT (CTAS) in the source.
  • Create tables using CREATE TABLE in the source.

Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources.
EXTERNAL QUERY: Grants the privilege to run the external_query table function on the source.
Note: This privilege applies only to Oracle, SQL Server, MySQL, AWS Redshift, and PostgreSQL sources and to Dremio Hub connectors that use ARP (Advanced Relational Pushdown).
MODIFY: Grants privileges to access and modify source settings.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a source and its child objects (folders and tables).
OWNERSHIP: Grants ownership of a source to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the source.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Source owners cannot query the source unless they have the USAGE privilege on the project that contains the source. Once they are granted the USAGE privilege on the project, source owners have all other implicit privileges on the source and on the folders and tables within it. Actions include modifying source settings, granting/revoking privileges to users and roles, deleting the source, and more.

Folder Privileges

ALL: Grants the user all possible privileges for a folder, except OWNERSHIP. Folder privileges that are inheritable also implicitly apply to child objects through inheritance.
  • For folders, child objects include the tables and views the folder contains, as well as any nested folders and their contents.
  • Revoking the ALL privilege on a folder does not change any privileges that are directly assigned on child objects in the folder. For example, if you grant the SELECT privilege on Table 1 in Folder A to User 1 and then grant the ALL privilege on Folder A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Folder A for User 1, User 1 retains the SELECT privilege on Table 1.
ALTER: Grants the ALTER privilege on all folders, tables, and views in the folder. This enables users/roles to:
  • Edit the wikis of the folder and of all tables and views in the folder.
  • Edit table or view definitions or settings of all tables and views.
  • If a folder in a space:
    • Create and delete tables and views.
    • Add or remove a folder in the object.
  • If a table dataset:
    • Issue commands to manage metadata (including refresh and forget).
ALTER REFLECTION: Grants privileges to create, edit, and view reflections on all tables and views in a folder. Covers all interfaces, including the table/view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION: Grants privileges to view reflections on all tables and views in a folder. Covers all interfaces, including the table/view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
INSERT, UPDATE, DELETE, TRUNCATE: Grants privileges to execute the associated DML operation on all tables and views in a folder.
Note: This is only supported with Apache Iceberg tables.
SELECT: Grants the SELECT privilege on all folders, tables, and views in the folder. This enables users/roles to:
  • Read data from all tables and views.
  • View the schema definition of all tables and views.
  • View the folder's wiki and the wikis and labels of all tables and views.
  • View the graph of all tables and views.
  • Promote tables in folders.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a folder and its child objects (folders, tables, and views).
OWNERSHIP: Grants ownership of a folder to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the folder.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Folder owners cannot access the folder or the objects in it unless they have the USAGE privilege on the project that contains the folder. Once they are granted the USAGE privilege on the project, folder owners have all other implicit privileges on the folder and on the folders, tables, and views within it. Actions include modifying folder settings, granting/revoking privileges to users and roles, deleting the folder, and more.

Table Privileges

ALL: Grants the user all possible privileges for a table, except OWNERSHIP.
ALTER: Grants the ALTER privilege on a table. This enables users/roles to:
  • Edit the wiki of the table.
  • Edit the table definition or settings of the table.
  • Issue commands to manage metadata of the table (including refresh and forget).
ALTER REFLECTION: Grants privileges to create, edit, and view reflections on a table. Covers all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION: Grants privileges to view reflections on a table. Covers all interfaces, including the table reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
INSERT, UPDATE, DELETE, TRUNCATE: Grants privileges to execute the associated DML operation on a table.
Note: This is only supported with Apache Iceberg tables.
SELECT: Grants the SELECT privilege on a table. This enables users/roles to:
  • Read data from the table.
  • View the schema definition of the table.
  • View the wiki and labels of the table.
  • View the graph of the table.
  • For Arctic tables, see the table definition.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a table.
OWNERSHIP: Grants ownership of a table to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the table.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • Table owners cannot access the table unless they have the USAGE privilege on the project that contains the table. Once they are granted the USAGE privilege on the project, table owners have all other implicit privileges on the table. Actions include modifying table settings, granting/revoking privileges to users and roles, deleting the table, and more.

View Privileges

ALL: Grants the user all possible privileges for a view, except OWNERSHIP.
ALTER: Grants the ALTER privilege on a view. This enables users/roles to:
  • Edit the wiki of the view.
  • Edit the view definition or settings of the view.
ALTER REFLECTION: Grants privileges to create, edit, and view reflections on a view. Covers all interfaces, including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
VIEW REFLECTION: Grants privileges to view reflections on a view. Covers all interfaces, including the view reflection pages, the admin reflection pages, the REST API endpoints (both individual reflections and list all reflections), and job history for reflections.
INSERT, UPDATE, DELETE, TRUNCATE: Grants privileges to execute the associated DML operation on a view.
Note: This is only supported with Apache Iceberg tables.
SELECT: Grants the SELECT privilege on a view. This enables users/roles to:
  • Read data from the view.
  • Read the schema definition of the view.
  • Read the wiki and labels of the view.
  • Read the graph of the view.
  • See the view definition.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a view.
OWNERSHIP: Grants ownership of a view to a user/role. The ownership can be transferred to a different user/role with the GRANT OWNERSHIP command, issued by the owner or by any user/role with the MANAGE GRANTS privilege on the view.
  • Only a single entity (user/role) can hold this privilege on a specific object at a time.
  • View owners cannot access the view unless they have the USAGE privilege on the project that contains the view. Once they are granted the USAGE privilege on the project, view owners have all other implicit privileges on the view. Actions include modifying view settings, granting/revoking privileges to users and roles, deleting the view, and more.

Script Privileges

VIEW: Grants the privilege to view a script.
MODIFY: Grants the privilege to modify a script.
DELETE: Grants the privilege to delete a script.
MANAGE GRANTS: Grants the ability to grant or revoke privileges on a script.