    Privileges

    Access to Dremio objects can be managed through privileges. A privilege is the right to perform a specific action on an object.

    Granting Privileges to a User

    Syntax
    GRANT { objectPrivilege | ALL } ON { <object_type> <object_name> } 
    TO USER <username>
    
    objectPrivilege
    -- On Organizations
    { CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS | OWNERSHIP } [, ...]
    -- On Clouds
    { MANAGE GRANTS | MODIFY | MONITOR | OWNERSHIP } [, ...]
    -- On Projects
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | OWNERSHIP | SELECT | USAGE | VIEW JOB HISTORY | VIEW REFLECTION } [, ...]
    -- On Engines
    { MODIFY | MONITOR | OPERATE | OWNERSHIP | USAGE } [, ...]
    -- On Identity and Token Providers
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Sources
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | OWNERSHIP | SELECT } [, ...]
    -- On Spaces
    { ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | OWNERSHIP | SELECT } [, ...]
    -- On Folders
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | OWNERSHIP | SELECT } [, ...]
    -- On Physical Datasets (PDS)
    { ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
    -- On Views
    { ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
    -- On Roles
    { ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
    -- On Users
    { ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
    

    Parameters

    <objectPrivilege>

    String

    The privilege(s) to be granted to the user. A comma-separated list of privileges can be specified. For more information, see all supported privileges.


    <object_type>

    String

    The name of the type of object on which the specified privilege is being granted.

    Enum: ORG, CLOUD, PROJECT, ENGINE, SOURCE, SPACE, IDENTITY PROVIDER, EXTERNAL TOKEN, FOLDER, PDS, VDS


    <object_name>

    String

    The name of the object on which the privilege is being granted. Object names need to be qualified with the path if they are nested.

    note:

    For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.


    <username>

    String

    The username of the user to whom the privilege is being granted.

    Examples

    Grant SELECT privilege on the project to a user
    GRANT SELECT 
    ON PROJECT
    TO USER "user@dremio.com"
    
    Grant ALTER and SELECT privileges on a space to a user
    GRANT ALTER, SELECT
    ON SPACE "Application" 
    TO USER "user@dremio.com"
    
    Grant OWNERSHIP privilege on a user to a user
    GRANT OWNERSHIP 
    ON USER "user1@dremio.com" 
    TO USER "user@dremio.com"
    

    Granting Privileges to a Role

    Syntax
    GRANT { objectPrivilege | ALL } ON { <object_type> <object_name> } 
    TO ROLE <role_name>
    
    objectPrivilege
    -- On Organizations
    { CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
    -- On Clouds
    { MANAGE GRANTS | MODIFY | MONITOR } [, ...]
    -- On Projects
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
    -- On Engines
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Identity and Token Providers
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Sources
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
    -- On Spaces
    { ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
    -- On Folders
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
    -- On Physical Datasets (PDS)
    { ALTER | MANAGE GRANTS } [, ...]
    -- On Views
    { ALTER | MANAGE GRANTS } [, ...]
    

    Parameters

    <objectPrivilege>

    String

    The privilege(s) to be granted to the role. A comma-separated list of privileges can be specified. For more information, see all supported privileges.


    <object_type>

    String

    The name of the type of object on which the specified privilege is being granted.

    Enum: ORG, CLOUD, PROJECT, ENGINE, SOURCE, SPACE, IDENTITY PROVIDER, EXTERNAL TOKEN, FOLDER, PDS, VDS


    <object_name>

    String

    The name of the object on which the privilege is being granted. Object names need to be qualified with the path if they are nested.

    note:

    For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.


    <role_name>

    String

    The name of the role to which the privilege is being granted.

    Examples

    Grant CREATE PROJECT and CREATE CLOUD privileges on the organization to a role
    GRANT CREATE PROJECT, CREATE CLOUD 
    ON ORG 
    TO ROLE "DATA_ENGINEER" 
    
    Grant MODIFY and MONITOR privileges on a cloud to a role
    GRANT MODIFY, MONITOR 
    ON CLOUD "Default Cloud"
    TO ROLE "DATA_ENGINEER"
    
    Grant OPERATE privilege on an engine to a role
    GRANT OPERATE 
    ON ENGINE "reflections_engine" 
    TO ROLE "DATA_ENGINEER" 
    
    Grant MONITOR privilege on an identity provider to a user
    GRANT MONITOR
    ON IDENTITY PROVIDER "0oarj64sbnrVQBBy" 
    TO USER "user@dremio.com"
    
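    The examples above grant privileges one object at a time. The following is an added example, not from the Dremio documentation, that puts them together into a least-privilege read-only role: USAGE on the project and on one engine, SELECT on a single nested folder (qualified with its space path, as the <object_name> parameter requires), and role membership for the user instead of direct grants. The role name "ANALYST_READONLY", the engine "analytics_engine", the folder path "Application"."Sales" and the user name are constructed; CREATE ROLE and GRANT ROLE ... TO USER are Dremio role-management statements assumed here and are not documented on this page.

```sql
-- Added example (not from the Dremio docs page): building a read-only
-- analyst role with the least privilege needed to query one folder.
-- Assumptions: the role, engine, folder and user names are constructed.
-- CREATE ROLE and GRANT ROLE are Dremio role-management statements
-- assumed here; this page documents only GRANT/REVOKE of privileges.

CREATE ROLE "ANALYST_READONLY";

-- Project-level USAGE lets the role work inside the project; nothing else
-- (no ALTER, DROP, MANAGE GRANTS) is handed out at project scope.
GRANT USAGE
ON PROJECT
TO ROLE "ANALYST_READONLY";

-- Engine USAGE lets queries run on this engine; MODIFY and OPERATE are
-- deliberately withheld so the role cannot change or stop the engine.
GRANT USAGE
ON ENGINE "analytics_engine"
TO ROLE "ANALYST_READONLY";

-- Nested object: the folder is qualified with the path of its space.
GRANT SELECT
ON FOLDER "Application"."Sales"
TO ROLE "ANALYST_READONLY";

-- Users receive the role rather than direct object grants, so access is
-- granted and later removed in one place.
GRANT ROLE "ANALYST_READONLY" TO USER "analyst@example.com";
```

    Note that on this page OWNERSHIP appears only in the user privilege lists, not in the role lists, so ownership of an object is assigned to a user directly; everything else in this example is deliberately attached to the role.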

    Revoking Privileges from a User

    Syntax
    REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> } 
    FROM USER <username>
    
    objectPrivilege
    -- On Organizations
    { CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
    -- On Clouds
    { MANAGE GRANTS | MODIFY | MONITOR } [, ...]
    -- On Projects
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
    -- On Engines
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Identity and Token Providers
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Sources
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
    -- On Spaces
    { ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
    -- On Folders
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
    -- On Physical Datasets (PDS)
    { ALTER | MANAGE GRANTS } [, ...]
    -- On Views
    { ALTER | MANAGE GRANTS } [, ...]
    

    Parameters

    <objectPrivilege>

    String

    The privilege(s) to be revoked from the user. A comma-separated list of privileges can be specified. For more information, see all supported privileges.


    <object_type>

    String

    The name of the type of object for which the specified privilege is being revoked.


    <object_name>

    String

    The name of the object for which the privilege is being revoked. Object names need to be qualified with the path if they are nested.

    note:

    For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.


    <username>

    String

    The username of the user from which the privilege is being revoked.

    Examples

    Revoke SELECT privilege on the project from the user
    REVOKE SELECT 
    ON PROJECT 
    FROM USER "user@dremio.com"
    
    Revoke ALTER privilege on a space from a user
    REVOKE ALTER 
    ON SPACE "Application" 
    FROM USER "user@dremio.com"
    

    Revoking Privileges from a Role

    Syntax
    REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> } 
    FROM ROLE <role_name>
    
    objectPrivilege
    -- On Organizations
    { CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
    -- On Clouds
    { MANAGE GRANTS | MODIFY | MONITOR } [, ...]
    -- On Projects
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
    -- On Engines
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Identity and Token Providers
    { MODIFY | MONITOR | OPERATE | USAGE } [, ...]
    -- On Sources
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
    -- On Spaces
    { ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
    -- On Folders
    { ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
    -- On Physical Datasets (PDS)
    { ALTER | MANAGE GRANTS } [, ...]
    -- On Views
    { ALTER | MANAGE GRANTS } [, ...]
    

    Parameters

    <objectPrivilege>

    String

    The privilege(s) to be revoked from the role. A comma-separated list of privileges can be specified. For more information, see all supported privileges.


    <object_type>

    String

    The name of the type of object for which the specified privilege is being revoked.


    <object_name>

    String

    The name of the object for which the privilege is being revoked. Object names need to be qualified with the path if they are nested.

    note:

    For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.


    <role_name>

    String

    The name of the role from which the privilege is being revoked.

    Examples

    Revoke MODIFY and MONITOR privileges on a cloud from a role
    REVOKE MODIFY, MONITOR
    ON CLOUD "Default Cloud"
    FROM ROLE "DATA_ENGINEER"
    
    Revoke CREATE CLOUD privilege on an organization from a role
    REVOKE CREATE CLOUD  
    ON ORG 
    FROM ROLE "DATA_ENGINEER"
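    The syntax above also accepts ALL in place of a privilege list, which none of the examples use. The following is an added example, not from the Dremio documentation, that uses it to offboard a user and to withdraw a MANAGE GRANTS privilege that was delegated to a role for a limited time. The source name "warehouse", the folder path "Application"."Sales" and the user name are constructed.

```sql
-- Added example (not from the Dremio docs page): withdrawing a delegated
-- administrative privilege and removing a departing user's direct grants.
-- Assumptions: the source, folder and user names are constructed.

-- MANAGE GRANTS lets the holder hand out privileges on the object; take it
-- back from the role as soon as the delegation is no longer needed.
REVOKE MANAGE GRANTS
ON SOURCE "warehouse"
FROM ROLE "DATA_ENGINEER";

-- ALL removes every privilege the user holds directly on the project in a
-- single statement; the object name is inferred for PROJECT and omitted.
REVOKE ALL
ON PROJECT
FROM USER "former.employee@example.com";

-- Direct grants on nested objects are separate from the project-level ones
-- and must be revoked on each object, qualified by its space path.
REVOKE ALL
ON FOLDER "Application"."Sales"
FROM USER "former.employee@example.com";
```

    REVOKE ... FROM USER only touches privileges granted to that user directly; anything the user receives through a role stays in effect until it is revoked from the role or the user is removed from the role, so an offboarding check should cover both.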