Skip to main content
Version: current [25.x]

Privileges Enterprise

The following sections describe the supported privileges for each type of securable object.

note

Privileges that are inheritable also implicitly apply to child objects through inheritance.

  • For the system, child objects include engines; identity providers; sources and spaces, as well as the folders, tables, and views they contain; scripts; users; and roles.
  • For sources and spaces, child objects include the folders, tables, and views the source or space contains.
  • For folders, child objects include the tables and views the folder contains, as well as any nested folders and their contents.

System Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the wikis of all sources, spaces, folders, tables, and views.
  • Edit the definitions and settings of all tables and views.
  • Promote and demote all tables.
  • Create and delete views.
  • Add and remove folders.
  • Issue ALTER SOURCE <source_name> REFRESH STATUS commands.
  • Issue commands to manage metadata (including REFRESH and FORGET) for all tables.
ALTER REFLECTIONCreate, edit, and view reflections on all tables, including viewing all table reflection and admin reflection pages, using the API endpoints for listing all reflections and individual reflections, and viewing the job history for reflections.
CONFIGURE SECURITYConfigure security-related features: set up social logins and identity providers for authentication; enable single sign-on (SSO) for BI applications like Tableau and Power BI; configure Dremio to honor tokens issued by external identity providers; and create custom OAuth applications.
CREATE ROLECreate roles. Each role's creator is its default owner.
CREATE SOURCECreate sources. Each source's creator is its default owner.
CREATE TABLECreate tables. Each table's creator is its default owner.
CREATE USERCreate users. Each user's creator is its default owner.
DELETEExecute the delete operation on all Apache Iceberg tables.
DROPRemove sources, spaces, folders, tables, and views.
EXECUTE
  • Run user-defined functions (UDFs).
  • Query and edit tables and views that are subject to row-access or column-masking policies (also requires SELECT or ALTER).
EXPORT DIAGNOSTICSDownload the cluster logs using the Dremio console.
EXTERNAL QUERYRun external queries on the sources in the system.
  • This privilege is only supported for Amazon Redshift, Microsoft SQL Server, MySQL, and PostgreSQL sources and Dremio Hub connectors that use advanced relational pushdown (ARP).
INSERTExecute the insert operation on all Apache Iceberg tables.
MANAGE GRANTSGrant or revoke privileges on all objects.
MODIFYAccess and modify settings on all objects.
READ METADATAView the following metadata for all objects:
  • The node
  • The name and path
  • The number of columns, column names, and type
  • The number of jobs run
To view this metadata in the lineage graph, you also need the SELECT privilege on the object. For more information, see Lineage.
SELECT
  • View data from all sources, spaces, folders, and tables.
  • View the schema definition of all tables in all sources, spaces, and folders.
  • View the wikis of all sources, spaces, and folders.
  • View the wikis and labels of all tables.
  • View the graphs of all tables.
  • Promote tables.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables.
UPDATEExecute the update operation on all Apache Iceberg tables.
UPLOAD FILEUpload a file to any source, space, or folder.
VIEW JOB HISTORYView the job history for all objects.
VIEW REFLECTIONView table metadata and reflections on all tables and views in the system, including the Reflections tab on the Edit Dataset page for the table or view, the Reflections sidebar in the system settings, reflection API endpoints for listing individual reflections and all reflections, and job history for reflections.

Source Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the source's wiki and the wikis of all folders and tables in the source.
  • Edit the definitions and settings of all tables in the source.
  • Promote and demote tables in the source and the source's child folders.
  • Issue ALTER SOURCE <source_name> REFRESH STATUS commands on the source.
  • Issue commands to manage metadata (including REFRESH and FORGET) for tables in the source.
ALTER REFLECTIONCreate, edit, and view reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
CREATE TABLECreate tables using CREATE TABLE and CREATE TABLE AS SELECT (CTAS) in the source.
  • This privilege is only supported for sources that support mutability.
DELETEExecute the delete operation on all Apache Iceberg tables in the source.
DROPRemove the source.
EXTERNAL QUERYRun external queries on the source.
  • This privilege is only supported for Amazon Redshift, Microsoft SQL Server, MySQL, and PostgreSQL sources and Dremio Hub connectors that use advanced relational pushdown (ARP).
INSERTExecute the insert operation on all Apache Iceberg tables.
MANAGE GRANTSGrant and revoke privileges on the source and the objects it contains.
MODIFYAccess and modify source settings.
OWNERSHIPAllows all actions on the source and all objects it contains.
  • Only one user or role (not both) can hold this privilege on the source at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
READ METADATAView the following metadata for the source:
  • The node
  • The name and path
  • The number of columns, column names, and types of the objects in the source
  • The number of jobs run (shows only the jobs you have privileges to view)
To view this metadata in the lineage graph, you also need the SELECT privilege on the source and the objects it contains. For more information, see Lineage.
SELECT
  • View data from all folders and tables in the source.
  • View the schema definition of all tables in the source.
  • View the wikis of all folders in the source.
  • View the wikis and labels of all tables in the source.
  • View the graphs of all tables in the source.
  • Promote tables in the source.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables.
UPDATEExecute the update operation on all Apache Iceberg tables.
VIEW REFLECTIONView reflections on all tables in the source. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Space Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the space's wiki and the wikis of all folders and tables in the space.
  • Edit the definitions and settings of all tables in the space.
  • Promote and demote tables in the space and the space's child folders.
  • Issue commands to manage metadata (including REFRESH and FORGET) for tables in the space.
ALTER REFLECTIONCreate, edit, and view reflections on all tables in the space. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
DELETEExecute the delete operation on all Apache Iceberg tables in the space.
INSERTExecute the insert operation on all Apache Iceberg tables in the space.
MANAGE GRANTSGrant and revoke privileges on the space and its child objects.
MODIFYAccess and modify space settings.
OWNERSHIPGrants ownership of the space. The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
  • Only one user or role (not both) can hold this privilege on the space at a time.
READ METADATAView the following metadata for the space:
  • The node
  • The name and path
  • The number of columns, column names, and types of the objects in the space
  • The number of jobs run (shows only the jobs you have privileges to view)
To view this metadata in the lineage graph, you also need the SELECT privilege on the space and the objects it contains. For more information, see Lineage.
SELECT
  • View data from all folders and tables in the space.
  • View the schema definition of all tables in the space.
  • View the wikis of all folders in the space.
  • View the wiki and labels of all tables in the space.
  • View the graph of all tables in the space.
  • Promote tables in the space.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables in the space.
UPDATEExecute the update operation on all Apache Iceberg tables in the space.
VIEW REFLECTIONView reflections on all tables in the space. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Folder Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the folder's wiki and the wikis of all subfolders, tables, and views it contains.
  • Edit the definitions and settings of all tables in the folder.
  • Promote and demote tables in the folder and any subfolders.
  • Create and delete tables and views in the folder.
  • Create and delete subfolders in the folder.
  • Issue commands to manage metadata (including REFRESH and FORGET) for tables in the folder.
ALTER REFLECTIONCreate, edit, and view reflections on all tables in the folder. Includes table reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.
CREATE TABLECreate tables using CREATE TABLE and CREATE TABLE AS SELECT (CTAS) in the folder.
  • This privilege is only supported for sources that support mutability.
DELETEExecute the delete operation on all Apache Iceberg tables in the folder.
DROPRemove the folder.
MANAGE GRANTSGrant and revoke privileges on the folder and its child objects.
OWNERSHIPAllows all actions on the folder and all objects it contains.
  • Only one user or role (not both) can hold this privilege on the folder at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
READ METADATAView the following metadata for the folder:
  • The node
  • The name and path
  • The number of columns, column names, and types of the objects in the folder
  • The number of jobs run (shows only the jobs you have privileges to view)
To view this metadata in the lineage graph, you also need the SELECT privilege on the folder. For more information, see Lineage.
SELECT
  • View data from the folder and the objects it contains.
  • View the schema definition of all tables in the folder.
  • View the wikis of the folders and any subfolders it contains.
  • View the wikis and labels of all tables in the folder.
  • View the graph of all tables in the folder.
  • Promote tables in the folder.
TRUNCATEExecute the truncate operation on all Apache Iceberg tables.
UPDATEExecute the update operation on all Apache Iceberg tables.
VIEW REFLECTIONView reflections on all tables and views in the folder. Includes reflection pages, admin reflection pages, API endpoints for listing all reflections and individual reflections, and job history for reflections.

Script Privileges

PRIVILEGEDESCRIPTION
DELETEDelete the script.
MANAGE GRANTSGrant and revoke privileges on the script.
MODIFYAccess and modify script settings.
VIEWAccess and view the script.

Table Privileges

PRIVILEGEDESCRIPTION
ALTEREdit the table's wiki, definitions, and settings and issue commands to manage metadata (including REFRESH and FORGET) for the table.
DELETEExecute the delete operation (Apache Iceberg tables only).
INSERTExecute the insert operation (Apache Iceberg tables only).
MANAGE GRANTSGrant and revoke privileges on the table.
OWNERSHIPAllows all actions on the table.
  • Only one user or role (not both) can hold this privilege on the table at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
READ METADATAView the following metadata for the table:
  • The node
  • The name and path
  • The number of columns and column names in the table
  • The number of jobs run (shows only the jobs you have privileges to view)
To view this metadata in the lineage graph, you also need the SELECT privilege on the table. For more information, see Lineage.
SELECT
  • View data from the table.
  • View the schema definition of the table.
  • View the table's wiki and labels.
  • View the graph of all tables in the folder.
TRUNCATEExecute the truncate operation (Apache Iceberg tables only).
UPDATEExecute the update operation (Apache Iceberg tables only).

User-Defined Function (UDF) Privileges

PRIVILEGEDESCRIPTION
ALTEREdit the function's wiki, definitions, and settings and issue commands to manage metadata (including REFRESH and FORGET).
EXECUTE
  • Run user-defined functions (UDFs).
  • Query and edit tables and views that are subject to row-access or column-masking policies (also requires SELECT or ALTER).
  • Create row-access and column-masking policies for tables and views.
MANAGE GRANTSGrant and revoke privileges on the script.
OWNERSHIPAllows all actions on the script.
  • Only one user or role (not both) can hold this privilege on the script at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.

View Privileges

PRIVILEGEDESCRIPTION
ALTER
  • Edit the view's wiki.
  • Edit the view's definitions and settings.
DELETEExecute the delete operation (views created from Apache Iceberg tables only).
INSERTExecute the insert operation (views created from Apache Iceberg tables only).
MANAGE GRANTSGrant and revoke privileges on the view.
OWNERSHIPAllows all actions on the view.
  • Only one user or role (not both) can hold this privilege on the view at a time.
  • The owner and any user or role member with the MANAGE GRANTS privilege can transfer ownership using the GRANT OWNERSHIP command.
READ METADATAView the following metadata for the view:
  • The node
  • The name and path
  • The number of columns and column names in the view
  • The number of jobs run (shows only the jobs you have privileges to view)
To view this metadata in the lineage graph, you also need the SELECT privilege on the view. For more information, see Lineage.
SELECT
  • View data from the view.
  • View the schema definition of the view.
  • View the wiki of the view.
  • View the view's graph.
TRUNCATEExecute the truncate operation (views created from Apache Iceberg tables only).
UPDATEExecute the update operation (views created from Apache Iceberg tables only).

User Privileges

PRIVILEGEDESCRIPTION
ALTERSet a new password for the user and change the user's type from local (internal) to external.
  • The ALTER privilege is supported only for local (internal) users.
OWNERSHIPTake all actions on the user, including setting a new password, changing the user type from local (internal) to external, granting and revoking user privileges, and transferring ownership using the GRANT OWNERSHIP SQL command.
  • Only one user or role (not both) can hold this privilege on the user at a time.

Role Privileges

PRIVILEGEDESCRIPTION
OWNERSHIPTake all actions on the role, including adding and removing role members, granting and revoking role privileges, and transferring ownership using the GRANT OWNERSHIP SQL command.
  • Only one user or role (not both) can hold this privilege on the role at a time.

ALL Privilege

The ALL privilege is available on all objects in Dremio. Granting the ALL privilege on an object grants the user or role all possible privileges, except OWNERSHIP, on the object.

The ALL privilege grants a static set of privileges that includes only the privileges that exist when you run the grant command. ALL privilege grants are not automatically updated to include new privileges that become available later.

Revoking the ALL privilege on a parent object does not change any privileges that are directly assigned on child objects. For example, if you grant the SELECT privilege on Table 1 in Folder A to User 1 and then grant the ALL privilege on Folder A to User 1, User 1 inherits all privileges on Table 1. If you later revoke the ALL privilege on Folder A for User 1, User 1 retains the SELECT privilege on Table 1.