Privileges
This functionality is for Dremio v16.0+ Enterprise Edition only.
The following table shows all privileges currently supported by Dremio’s access control functionality.
All Supported Privileges
Dataset Privileges
| Privilege | Target Objects | Description |
|---|---|---|
| ALL | Source, Folder/Schema, Dataset/View | Grant the user all possible privileges for an object type, except MANAGE GRANTS and OWNERSHIP. |
| ALTER | System, Space, Source, Folder, Table, View | Add, delete, or modify table or view definitions, columns, or settings of all datasets in scope. For spaces, sources, tables, and views, this includes editing the wiki. For tables, this includes managing metadata, such as Metadata Refresh and Forget. |
| ALTER REFLECTION | System, Source, Space, Folder | Create, edit, and view reflections on all datasets in scope. Includes granting access to all interfaces, such as the Dataset Reflection pages, Administrator Reflection pages, and any REST API endpoints. |
| CREATE_TABLE | System, Source, Folder | Create a table using CREATE TABLE AS SELECT (CTAS) for all datasets in the scope. |
| DELETE | System, Source, Space, Folder/Schema, Dataset/View | Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets. |
| DROP | System, Source, Folder | Drop tables on any dataset in the scope. |
| EXECUTE | Dataset/View | Execute the associated user-defined function (UDF) for the purposes of querying tables/view with row-access or column-masking filters applied. Only the owner of a UDF may view or edit the associated function. Users or roles must have this privilege in order to apply filtering and masking policies. |
| INSERT | System, Source, Space, Folder/Schema, Dataset/View | Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets. |
| MANAGE GRANTS | System, Source, Space, System Table, Folder, Table, View | Modifies the privileges of all objects in the set scope. |
| OWNERSHIP | Organization, Space, Source, Folder/Schema, Dataset/View, Users, Roles | Allows all actions on the object and objects within the object, except GRANT OWNERSHIP cannot be applied to ALL DATASETS. Actions include modifying object settings, granting/revoking user and role access, and deleting the object. |
| SELECT | Source, Space, System Table, Folder, View, Table | Gives the ability to execute SELECT queries in the scope. |
| TRUNCATE | System, Source, Space, Folder/Schema, Dataset/View | Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets. |
| UPDATE | System, Source, Space, Folder/Schema, Dataset/View | Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets. |
| VIEW REFLECTION | System, Source, Space, Folder | View Reflections on all datasets in the scope. Includes access to all Dremio interfaces, such as the Dataset Reflection pages, Administrator Reflection pages, and any REST API endpoints. |
Sources & Spaces
| Privilege | Target Objects | Description |
|---|---|---|
| CREATE ROLE | System | Create new roles but does not include access to editing the admin role memberships. |
| CREATE SOURCE | System | Create new sources. |
| CREATE USER | System | Create new users. Assigning roles to the new users also requires the CREATE ROLE privilege. |
| EXTERNAL QUERY | System, Source | Run the external_query table function on the source. |
| MODIFY | System, Source, Space, Engine | Edit and delete an object. The following conditions apply:
|
| UPLOAD | System | Upload files to the home space. |
| VIEW JOB HISTORY | System | Give the ability to view all job history. |
Granting Privileges
By default, all users have all privileges granted to them on any objects that do not have any specific privilege grants. After a user or role is granted specific privileges on an object, access is restricted to only the users and roles who have been granted specific privileges. All other users no longer have access to the object.
You can manually grant privileges using the SQL Editor, REST APIs, or the Privileges screen in the Dremio user interface (UI). The SQL Editor is accessible from any dataset, and any SQL commands that you enter apply to the scope supplied with the command itself.
To grant user and role privileges using the Dremio UI:
Locate the desired object.
For spaces and sources, click the gear button at the top right of the screen. For folders and datasets, click the ellipses (...) button at the right side of the screen and then select Settings.
Select the Privileges tab. This is where you can manually grant privileges on an object to users and roles.
noteFor some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.
Enter the user's username or the role name under Add User/Role.
Click Add to Privileges. If the entry matches a user or role in Dremio, then a record will appear for them in the privileges table.
Select the desired privileges for that user or role.
When finished, click Save to preserve your changes.
noteIn the Privileges tab, the pre-populated row for All Users represents the PUBLIC role. Use the All Users row to grant privileges to the PUBLIC role.
Revoking Privileges
You can manually revoke privileges using the SQL Editor, REST APIs, or the Privileges screen in the Dremio user interface (UI). The SQL Editor is accessible from any dataset, and any SQL commands that you enter apply to the scope supplied with the command itself.
To revoke user and role privileges using the Dremio UI:
Locate the desired object.
For spaces and sources, click the gear button at the top right of the screen. For folders and datasets, click the ellipses (...) button at the right side of the screen and then select Settings.
Select the Privileges tab to view the currently assigned privileges.
noteFor some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.
Scroll down to the desired user or role record. If the user or role is not listed, then they do not have specific privileges on the object aside from any privileges listed in the All Users row, which represents the PUBLIC role.
Clear the checkboxes in the columns for the privileges you wish to revoke.
When finished, click Save to preserve your changes.
noteIf a user has a specific privilege on an object through their memberships in multiple roles and the privilege is revoked for one of the roles, the user retains the privilege until it is revoked on the same object for all roles to which the user belongs.