Skip to main content

Grants

Use the Catalog API to grant privileges to users and roles and retrieve lists of the privileges that are available on specific catalog objects. You must have the MANAGE GRANTS privilege to retrieve grants on catalog objects.

Grants Object 
{
  "id": "7f1c4660-cd7b-40d0-97d1-b8a6f431cbda",
  "availablePrivileges": [
    "ALTER",
    "ALTER_REFLECTION",
    "CREATE_TABLE",
    "DELETE",
    "DROP",
    "INSERT",
    "MANAGE_GRANTS",
    "MODIFY",
    "READ_METADATA",
    "SELECT",
    "TRUNCATE",
    "UPDATE",
    "VIEW_REFLECTION"
  ],
  "grants": [
    {
      "privileges": [
        "ALTER",
        "SELECT",
        "MANAGE_GRANTS"
      ],
      "granteeType": "USER",
      "id": "27937a63-e7e5-4478-8d3c-4ad3f20d43c0",
      "name": "jeansmith",
      "firstName": "Jean",
      "lastName": "Smith",
      "email": "jean_smith@example.com"
    },
    {
      "privileges": [
        "ALTER",
        "SELECT"
      ],
      "granteeType": "ROLE",
      "id": "0f2d94e0-bb5e-4c03-8c6f-62d379d10889",
      "name": "examplerole"
    }
  ]
}

Grants Attributes

id String (UUID)

UUID of the Dremio catalog object.

availablePrivileges Array of String

List of available privileges on the catalog object. See Privileges for more information.

Example:

[
  "ALTER",
  "DELETE",
  "INSERT",
  "MANAGE_GRANTS",
  "SELECT",
  "TRUNCATE",
  "UPDATE"
]

grants Array of Object

Information about the privileges and grantees for the catalog object. If the grants array is empty, there are no explicit grants for the object. An empty grants array does not mean that no users have access to the object. For example, admin users implicitly have all privileges on all catalog objects, owners implicitly have all privileges on everything they own, and child objects inherit the grants from their parent objects.

Attributes of Objects in the grants Array

privileges Array of String

List of privileges granted to the user or role. See Privileges for more information.

Example:

[
  "ALTER",
  "SELECT",
  "MANAGE_GRANTS"
]

granteeType String

Type of grantee. Must be USER or ROLE.

Example: USER

id String (UUID)

UUID of the user or role.

name String

Name of the user or role.

Example: jeansmith

firstName String

The user's first name. Not included if the object is a role.

Example: Jean

lastName String

The user's last name. Not included if the object is a role.

Example: Smith

email String

The user's email address. Not included if the object is a role.

Example: jean_smith@example.com

Create or Update Grants on a Catalog Object

Method and URL 
PUT /v0/projects/{project_id}/catalog/{id}/grants

Parameters

project_id Path   String (UUID)

id Path   String (UUID)

UUID of the Dremio catalog object.

grants Body   Array of Object

Array of objects that specify which users and roles should have privileges on the catalog object, as well as the specific privileges for each user and role. May include objects for users, roles, or both. If you omit a user or role object in a PUT request, Dremio removes all existing explicit access settings for the omitted user or role. To preserve existing access settings, include the existing user and role objects in the PUT request along with any updates.

Parameters of Objects in the grants Array

privileges Body   Array of String

List of privileges to grant to the user or role. See Privileges for more information.

Example:

[
  "ALTER",
  "SELECT",
  "MANAGE_GRANTS"
]

granteeType Body   String

Type of grantee. Must be USER or ROLE.

id Body   String (UUID)

UUID of the user or role.

Example

Request 
curl -X PUT "https://api.dremio.cloud/v0/projects/$PROJECT_ID/catalog/$FOLDER_ID/grants" \
-H 'Authorization: Bearer $DREMIO_TOKEN' \
-H 'Content-Type: application/json' \
--data-raw '{
  "grants": [
    {
      "privileges": [
        "ALTER",
        "SELECT",
        "MANAGE_GRANTS"
      ],
      "granteeType": "USER",
      "id": "27937a63-e7e5-4478-8d3c-4ad3f20d43c0"
    },
    {
      "privileges": [
        "SELECT",
        "ALTER"
      ],
      "granteeType": "ROLE",
      "id": "0f2d94e0-bb5e-4c03-8c6f-62d379d10889"
    }
  ]
}'

A successful request returns an empty response body with HTTP status 204 No Content.

Response Status Codes

204   No Content

401   Unauthorized

403   Forbidden

404   Not Found

Retrieve Privileges and Grantees on a Catalog Object

Method and URL 
GET /v0/projects/{project_id}/catalog/{id}/grants

Parameters

project_id Path   String (UUID)

id Path   String (UUID)

UUID of the catalog object.

Example

Request 
curl -X GET "https://api.dremio.cloud/v0/projects/$PROJECT_ID/catalog/$SOURCE_ID/grants" \
-H 'Authorization: Bearer $DREMIO_TOKEN' \
-H 'Content-Type: application/json'
Response 
{
  "id": "7f1c4660-cd7b-40d0-97d1-b8a6f431cbda",
  "availablePrivileges": [
    "ALTER",
    "ALTER_REFLECTION",
    "CREATE_TABLE",
    "DELETE",
    "DROP",
    "INSERT",
    "MANAGE_GRANTS",
    "MODIFY",
    "READ_METADATA",
    "SELECT",
    "TRUNCATE",
    "UPDATE",
    "VIEW_REFLECTION"
  ],
  "grants": [
    {
      "privileges": [
        "ALTER",
        "SELECT",
        "MANAGE_GRANTS"
      ],
      "granteeType": "USER",
      "id": "27937a63-e7e5-4478-8d3c-4ad3f20d43c0",
      "name": "jeansmith",
      "firstName": "Jean",
      "lastName": "Smith",
      "email": "jean_smith@example.com"
    },
    {
      "privileges": [
        "ALTER",
        "SELECT"
      ],
      "granteeType": "ROLE",
      "id": "0f2d94e0-bb5e-4c03-8c6f-62d379d10889",
      "name": "examplerole"
    }
  ]
}

Response Status Codes

200   OK

400   Bad Request

401   Unauthorized

403   Forbidden

404   Not Found