Privileges
The following sections describe the supported privileges for each type of securable object.
Organization Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user/role all possible privileges for an organization, except OWNERSHIP. This includes all possible privileges for the projects, clouds, Arctic catalog, and Identity Providers within the organization. |
CONFIGURE SECURITY | Grants privileges to configure security-related features for the organization: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications. |
CREATE BILLING ACCOUNT | Grants the privilege to create a new billing account, which is used to handle usage invoices if you are using Enterprise edition. The account creator is the default owner. |
CREATE CATALOG | Grants the privilege to create a new Dremio Arctic catalog. The catalog creator is the default owner. |
CREATE CLOUD | Grants the privilege to create a new cloud. The cloud creator is the default owner for the cloud. |
CREATE PROJECT | Grants the privilege to create a new project. The project creator is the default owner of the project. |
CREATE USER | Grants the privilege to create a user. The user responsible for its creation automatically becomes its owner. |
CREATE ROLE | Grants the privilege to create a role. The user responsible for its creation automatically becomes its owner. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of an organization and its child objects. |
OWNERSHIP | Grants ownership of an organization to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the organization. |
User Privileges
PRIVILEGE | DESCRIPTION |
---|---|
OWNERSHIP | Grants ownership of a user to a user/role. |
Role Privileges
PRIVILEGE | DESCRIPTION |
---|---|
OWNERSHIP | Grants ownership of a role to a user/role. |
Sonar Project Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a project, except OWNERSHIP. This includes all possible privileges for the sources within the project. |
ALTER | Grants the ALTER privilege on all sources in the project. This enables users/roles to:
|
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on all tables and views in a project. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to view table metadata and reflections on all tables and views in a project, including the Reflections tab on the Edit Dataset page for the table or view, the Reflections sidebar in the project Settings, reflection API endpoints (both individual reflections and all reflections), and job history for reflections. |
CREATE SOURCE | Grants privileges to create new data sources in a project. |
UPLOAD | Grants privileges to allow a user to upload files into their home space. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on all tables in a project. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on all sources in the project. This enables users/roles to:
|
CREATE TABLE | Grant privileges to:
Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources. |
EXTERNAL QUERY | Grant privilege to run the external_query table function on external non-datalake sources in a project. Note: This privilege applies only to Oracle, SQL Server, MySQL, AWS Redshift, and PostgreSQL sources and to Dremio Hub connectors that use ARP (Advanced Relational Pushdown). |
VIEW JOB HISTORY | Grant privilege to view the job history tables (for all users) of a project from the Jobs page. |
MODIFY | Grant privileges to access and modify workload management settings in a project including:
|
MONITOR | Grant privileges to read all current project settings. |
OPERATE | Grant privilege to start/enable and stop/disable all engines in a project. |
USAGE | Grant privilege to access the project. Users with direct privileges on objects in a project, including ownership, cannot query the objects unless they have the USAGE privilege on the project. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a project and its child objects (sources). |
OWNERSHIP | Grants ownership of a project to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the project. |
Cloud Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a cloud, except OWNERSHIP. |
MODIFY | Grant privileges to access and modify cloud settings. |
MONITOR | Grant privileges to read all cloud settings. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a cloud. |
OWNERSHIP | Grants ownership of a cloud to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the cloud. |
Identity Provider Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for an Identity Provider, except OWNERSHIP. |
MODIFY | Grant privileges to access and modify Identity Provider settings. |
MONITOR | Grant privileges to read all Identity Provider settings. |
OWNERSHIP | Grants ownership of an Identity Provider to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner. |
Engine Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for an engine, except OWNERSHIP. |
MODIFY | Grant privileges to access and modify engine settings including:
|
MONITOR | Grant privileges to read all engine settings including:
|
OPERATE | Grant privilege to start/enable and stop/disable an engine. |
USAGE | Grant privilege to run queries against the engine. By default, USAGE privilege on all engines is granted to the PUBLIC role, but this can be revoked manually. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of an engine. |
OWNERSHIP | Grants ownership of an engine to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the engine. |
Source Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a source, except OWNERSHIP. This includes all possible privileges for the folders and tables within the source. |
ALTER | Grants the ALTER privilege on the source, including the folders and tables within the source. This enables users/roles to:
|
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on all tables in a source. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on all tables in a source. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on all tables in a source. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants SELECT on all folders and tables within the source. This enables the user/role to:
|
CREATE TABLE | Grant privileges to:
Note: Only for specific sources such as Arctic, object storage, Glue, and filesystem sources. |
EXTERNAL QUERY | Grant privilege to run the external_query table function on the source. Note: This privilege applies only to Oracle, SQL Server, MySQL, AWS Redshift, and PostgreSQL sources and to Dremio Hub connectors that use ARP (Advanced Relational Pushdown). |
MODIFY | Grant privileges to access and modify source settings. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a source and its child objects (folders and tables). |
OWNERSHIP | Grants ownership of a source to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the source. |
Folder Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a folder, except OWNERSHIP. This includes all possible privileges for the folders, tables, and views within the folder. |
ALTER | Grants the ALTER privilege on all folders, tables, and views in the folder. This enables users/roles to:
|
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on all tables and views in a folder. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on all tables and views in a folder. Includes all interfaces including the table/view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on all tables and views in a folder. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on all folders, tables, and views in the folder. This enables users/roles to:
|
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a folder and its child objects (folders, tables, and views). |
OWNERSHIP | Grants ownership of a folder to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the folder. |
Table Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a table, except OWNERSHIP. |
ALTER | Grants the ALTER privilege on a table. This enables users/roles to:
|
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on a table. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on a table. Includes all interfaces including the table reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on a table. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on a table. This enables users/roles to:
|
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a table. |
OWNERSHIP | Grants ownership of a table to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the table. |
View Privileges
PRIVILEGE | DESCRIPTION |
---|---|
ALL | Grant the user all possible privileges for a view, except OWNERSHIP. |
ALTER | Grants the ALTER privilege on a view. This enables users/roles to:
|
ALTER REFLECTION | Grants privileges to Create, Edit and View Reflections on a view. Includes all interfaces including the view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
VIEW REFLECTION | Grants privileges to View Reflections on a view. Includes all interfaces including the view reflection pages, the admin reflection pages and the REST API endpoints (both individual reflections and list all reflections), and job history for reflections. |
INSERT, UPDATE, DELETE, TRUNCATE | Grant privileges to execute the associated DML operation on a view. Note: This is only supported with Apache Iceberg tables. |
SELECT | Grants the SELECT privilege on a view. This enables users/roles to:
|
MANAGE GRANTS | Grants the ability to grant or revoke privileges of a view. |
OWNERSHIP | Grants ownership of a view to a user/role. The ownership can be transferred to a different user/role using the GRANT OWNERSHIP command by the owner, or any user/role with the MANAGE GRANTS privilege on the view. |
Script Privileges
PRIVILEGE | DESCRIPTION |
---|---|
VIEW | Grants the privilege to view a script. |
MODIFY | Grants the privilege to modify a script. |
DELETE | Grants the privilege to delete a script. |
MANAGE GRANTS | Grants the ability to grant or revoke privileges on a script. |
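
The project, source, folder and table tables above combine three rules: a privilege granted on a container applies to the objects inside it, ALL never includes OWNERSHIP, and nothing in a project can be queried without USAGE on that project. The following is an added example, not Dremio code, that models those rules so a grant review can flag object grants that have no effect. The names, paths and grants are constructed, and treating OWNERSHIP as applying only to the exact object it was granted on is an assumption.

```python
# Simplified model of the scoping rules in the tables above; not Dremio code.
# Objects are path tuples: (project,), (project, source), (project, source, folder, table).
# Every name and grant below is constructed sample data.

def covers(granted, wanted):
    """ALL stands for every privilege except OWNERSHIP."""
    return granted == wanted or (granted == "ALL" and wanted != "OWNERSHIP")

def holds(grants, principals, privilege, obj):
    """True if a principal holds `privilege` on obj itself or on a parent of obj."""
    for who, granted, scope in grants:
        if who not in principals or not covers(granted, privilege):
            continue
        inherited = obj[:len(scope)] == scope   # scope is obj or one of its parents
        # Assumption: OWNERSHIP counts only on the exact object it was granted on.
        if inherited and (scope == obj or granted != "OWNERSHIP"):
            return True
    return False

def can_query(grants, principals, obj):
    """Needs SELECT (or ownership) on the object AND USAGE on its project."""
    readable = (holds(grants, principals, "SELECT", obj)
                or holds(grants, principals, "OWNERSHIP", obj))
    return readable and holds(grants, principals, "USAGE", obj[:1])

def stranded_grants(grants, members):
    """Grants below project level whose grantee has no USAGE on the project."""
    out = []
    for who, granted, scope in grants:
        principals = {who} | members.get(who, set())
        if len(scope) > 1 and not holds(grants, principals, "USAGE", scope[:1]):
            out.append((who, granted, scope))
    return out

TABLE = ("sales", "s3lake", "eu", "orders")
GRANTS = [
    ("alice",    "OWNERSHIP", TABLE),                # owner, but no USAGE on the project
    ("analysts", "SELECT",    ("sales", "s3lake")),  # source-level grant, reaches TABLE
    ("analysts", "USAGE",     ("sales",)),
    ("carol",    "ALL",       ("sales",)),           # SELECT and USAGE, never OWNERSHIP
]
MEMBERS = {"bob": {"analysts"}}                      # user -> roles the user belongs to
```

`stranded_grants(GRANTS, MEMBERS)` returns the grants to revoke or to complete with a project-level USAGE grant.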