Version: current [24.2.x]

Privileges

Note: This functionality is for Dremio v16.0+ Enterprise Edition only.

The following tables list all privileges currently supported by Dremio's access control functionality.

All Supported Privileges

Dataset Privileges

Each entry gives the privilege, the object types it can be granted on, and what it allows.

ALL
  Target objects: Source, Folder/Schema, Dataset/View
  Description: Grants the user all possible privileges for an object type, except MANAGE GRANTS and OWNERSHIP.

ALTER
  Target objects: System, Space, Source, Folder, Table, View
  Description: Add, delete, or modify table or view definitions, columns, or settings of all datasets in scope. For spaces, sources, tables, and views, this includes editing the wiki. For tables, this includes managing metadata, such as Metadata Refresh and Forget.

ALTER REFLECTION
  Target objects: System, Source, Space, Folder
  Description: Create, edit, and view reflections on all datasets in scope. Includes access to all interfaces, such as the Dataset Reflection pages, Administrator Reflection pages, and any REST API endpoints.

CREATE_TABLE
  Target objects: System, Source, Folder
  Description: Create a table using CREATE TABLE AS SELECT (CTAS) for all datasets in the scope.

DELETE
  Target objects: System, Source, Space, Folder/Schema, Dataset/View
  Description: Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets.

DROP
  Target objects: System, Source, Folder
  Description: Drop tables on any dataset in the scope.

EXECUTE
  Target objects: Dataset/View
  Description: Execute the associated user-defined function (UDF) for the purpose of querying tables/views with row-access or column-masking filters applied. Only the owner of a UDF may view or edit the associated function. Users or roles must have this privilege in order to apply filtering and masking policies.

INSERT
  Target objects: System, Source, Space, Folder/Schema, Dataset/View
  Description: Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets.

MANAGE GRANTS
  Target objects: System, Source, Space, System Table, Folder, Table, View
  Description: Modify the privileges of all objects in the set scope.

OWNERSHIP
  Target objects: Organization, Space, Source, Folder/Schema, Dataset/View, Users, Roles
  Description: Allows all actions on the object and on objects within the object, except that GRANT OWNERSHIP cannot be applied to ALL DATASETS. Actions include modifying object settings, granting/revoking user and role access, and deleting the object.

SELECT
  Target objects: Source, Space, System Table, Folder, View, Table
  Description: Gives the ability to execute SELECT queries in the scope.

TRUNCATE
  Target objects: System, Source, Space, Folder/Schema, Dataset/View
  Description: Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets.

UPDATE
  Target objects: System, Source, Space, Folder/Schema, Dataset/View
  Description: Execute the associated DML operation on all datasets in scope. This is only supported with Apache Iceberg datasets.

VIEW REFLECTION
  Target objects: System, Source, Space, Folder
  Description: View reflections on all datasets in the scope. Includes access to all Dremio interfaces, such as the Dataset Reflection pages, Administrator Reflection pages, and any REST API endpoints.

Sources & Spaces

Each entry gives the privilege, the object types it can be granted on, and what it allows.

CREATE ROLE
  Target objects: System
  Description: Create new roles. Does not include the ability to edit membership of the admin role.

CREATE SOURCE
  Target objects: System
  Description: Create new sources.

CREATE USER
  Target objects: System
  Description: Create new users. Assigning roles to the new users also requires the CREATE ROLE privilege.

EXTERNAL QUERY
  Target objects: System, Source
  Description: Run the external_query table function on the source.

MODIFY
  Target objects: System, Source, Space, Engine
  Description: Edit and delete an object. The following conditions apply:
    • If Space or Source, edit the object's settings and wiki.
    • If System, edit workload management settings including engine routing and queues, view node activity, and change support key settings.

UPLOAD
  Target objects: System
  Description: Upload files to the home space.

VIEW JOB HISTORY
  Target objects: System
  Description: Gives the ability to view all job history.

Granting Privileges

By default, every user holds every privilege on any object that has no specific privilege grants. Once a user or role is granted specific privileges on an object, access to that object is restricted to the users and roles that hold specific grants on it; all other users lose access to the object.

You can manually grant privileges using the SQL Editor, REST APIs, or the Privileges screen in the Dremio user interface (UI). The SQL Editor is accessible from any dataset, and any SQL commands that you enter apply to the scope supplied with the command itself.

To grant user and role privileges using the Dremio UI:

  1. Locate the desired object.

  2. For spaces and sources, click the gear button at the top right of the screen. For folders and datasets, click the ellipses (...) button at the right side of the screen and then select Settings.

  3. Select the Privileges tab. This is where you can manually grant privileges on an object to users and roles.

    Note: For some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.

  4. Enter the user's username or the role name under Add User/Role.

  5. Click Add to Privileges. If the entry matches a user or role in Dremio, then a record will appear for them in the privileges table.

  6. Select the desired privileges for that user or role.

  7. When finished, click Save to preserve your changes.

    Note: In the Privileges tab, the pre-populated row for All Users represents the PUBLIC role. Use the All Users row to grant privileges to the PUBLIC role.

Revoking Privileges

You can manually revoke privileges using the SQL Editor, REST APIs, or the Privileges screen in the Dremio user interface (UI). The SQL Editor is accessible from any dataset, and any SQL commands that you enter apply to the scope supplied with the command itself.

To revoke user and role privileges using the Dremio UI:

  1. Locate the desired object.

  2. For spaces and sources, click the gear button at the top right of the screen. For folders and datasets, click the ellipses (...) button at the right side of the screen and then select Settings.

  3. Select the Privileges tab to view the currently assigned privileges.

    Note: For some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.

  4. Scroll down to the desired user or role record. If the user or role is not listed, then they do not have specific privileges on the object aside from any privileges listed in the All Users row, which represents the PUBLIC role.

  5. Clear the checkboxes in the columns for the privileges you wish to revoke.

  6. When finished, click Save to preserve your changes.

    Note: If a user holds a specific privilege on an object through membership in multiple roles and the privilege is revoked for one of those roles, the user retains the privilege until it is revoked on the same object for every role to which the user belongs.
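The rules in the Granting Privileges and Revoking Privileges sections (default-open objects, restriction after the first specific grant, the All Users row as the PUBLIC role, and retention of a privilege through other roles after a partial revoke) can be replayed in a small model to check whether a revoke actually removed a user's access. The following is an added example written for this page, not Dremio code or its API; the PrivilegeModel class, the role and user names, and the object name Sales.orders are constructed. It deliberately ignores privileges inherited from parent objects ("in scope"), OWNERSHIP and MANAGE GRANTS, and checks each object in isolation.

```python
from collections import defaultdict

# The "All Users" row in the Privileges tab represents this role (from the page).
PUBLIC = "PUBLIC"
# A representative subset of the privileges the page lists; used for the
# default-open case, where a user holds every privilege on an ungranted object.
ALL_PRIVILEGES = frozenset(
    {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "ALTER", "DROP"}
)


class PrivilegeModel:
    """Simplified model (constructed for this example) of the page's grant rules."""

    def __init__(self):
        # object -> principal (user or role name) -> set of privileges
        self.grants = defaultdict(lambda: defaultdict(set))
        # user -> explicit roles; PUBLIC is implicit and never stored
        self.roles = defaultdict(set)

    def add_role(self, user, role):
        self.roles[user].add(role)

    def grant(self, privilege, obj, principal):
        self.grants[obj][principal].add(privilege)

    def revoke(self, privilege, obj, principal):
        # Drop empty entries so "has any specific grant" stays meaningful.
        self.grants[obj][principal].discard(privilege)
        if not self.grants[obj][principal]:
            del self.grants[obj][principal]
        if not self.grants[obj]:
            del self.grants[obj]

    def effective_privileges(self, user, obj):
        # Rule from the page: an object with no specific grants is open to all.
        if obj not in self.grants:
            return set(ALL_PRIVILEGES)
        # Otherwise the user holds the union of grants to the user, PUBLIC, and
        # every role the user belongs to.
        principals = {user, PUBLIC, *self.roles[user]}
        effective = set()
        for principal in principals:
            effective |= self.grants[obj].get(principal, set())
        return effective

    def can(self, user, privilege, obj):
        return privilege in self.effective_privileges(user, obj)


def walkthrough():
    """Replays the page's scenarios on constructed data; returns each observation."""
    m = PrivilegeModel()
    m.add_role("alice", "analysts")
    m.add_role("alice", "auditors")
    m.add_role("bob", "analysts")
    m.add_role("dave", "dba")
    obj = "Sales.orders"  # constructed object name
    out = {}

    # No specific grants yet: every user can SELECT.
    out["open_before_grant"] = m.can("carol", "SELECT", obj)

    # First specific grant restricts the object to grantees.
    m.grant("SELECT", obj, "analysts")
    out["carol_after_grant"] = m.can("carol", "SELECT", obj)
    out["bob_after_grant"] = m.can("bob", "SELECT", obj)

    # Granting on the All Users row (PUBLIC) reaches every user.
    m.grant("SELECT", obj, PUBLIC)
    out["carol_via_public"] = m.can("carol", "SELECT", obj)
    m.revoke("SELECT", obj, PUBLIC)

    # Multi-role retention: alice keeps SELECT through auditors after the
    # analysts grant is revoked; bob, who only has analysts, loses it.
    m.grant("SELECT", obj, "auditors")
    m.revoke("SELECT", obj, "analysts")
    out["alice_after_partial_revoke"] = m.can("alice", "SELECT", obj)
    out["bob_after_partial_revoke"] = m.can("bob", "SELECT", obj)

    # Only after every role's grant is revoked does alice lose SELECT. A
    # separate ALTER grant keeps the object restricted rather than open.
    m.grant("ALTER", obj, "dba")
    m.revoke("SELECT", obj, "auditors")
    out["alice_after_full_revoke"] = m.can("alice", "SELECT", obj)
    out["dave_alter"] = m.can("dave", "ALTER", obj)
    out["dave_select"] = m.can("dave", "SELECT", obj)
    return out


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The can() check is the kind of assertion an access review would run over an exported grant list after a revoke, since the UI shows one row at a time and does not tell you which other roles still carry the same privilege.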