Privileges
Dremio provides a range of privileges for each type of securable object. These privileges work together to control access across your organization.
Key Concepts
Grants
Dremio privileges are granted to users and roles. Users possess all the privileges granted to their user identity and their roles. See GRANT TO USER and GRANT TO ROLE for example grants.
Privilege Inheritance
Dremio uses a hierarchical privilege system where most higher-level privileges apply to all objects within their scope:
Organization → Projects → Sources → Folders → Tables and Views
When you grant a privilege at a higher level, it applies to all relevant objects at lower levels. For example, granting SELECT at the project level gives SELECT access to all datasets in that project across all sources.
Ownership and Object Creation
The OWNERSHIP privilege is unique—it applies only to the specific object where it's assigned and is never inherited by nested objects. When you create any object, you automatically become its owner. This design maintains clear ownership boundaries, so a project owner doesn't automatically own every table in that project. OWNERSHIP grants full control of the specific object. Ownership can be transferred using the GRANT OWNERSHIP command.
Sharing Data Through Views
When you create a view based on a table, you become the owner of that view. Your privileges as the view owner determine whether the view can access the underlying table—creating a privilege chain. You can then grant other users access to your view, allowing them to see the table's data even though they don't have direct permission to access that table themselves. However, if you (or whoever last modified the view) lose access to the underlying table, the entire privilege chain breaks and the view stops working for everyone.
Organization Privileges
Organization privileges are the highest level in the hierarchy and control organization-wide operations and resources.
| Privilege Type | Description |
|---|---|
| ALL | Shorthand to grant all supported privileges except OWNERSHIP. |
| CALL MODEL | Use all the AI models available. |
| CONFIGURE BILLING | Create and manage billing accounts for usage invoices. |
| CONFIGURE SECURITY | Configure organization security features including identity providers, external token providers, and custom OAuth applications. |
| CREATE MODEL PROVIDER | Create model providers for the organization. |
| CREATE PROJECT | Create new projects, each including an Open Catalog. |
| CREATE ROLE | Create and edit roles. See Custom Roles for details. |
| CREATE USER | Create and edit users. See Add a User for details. |
| MANAGE GRANTS | Grant or revoke privileges on the organization and all objects it contains. |
| OWNERSHIP | Full control of the organization object; not inherited by nested objects. |
Project Privileges
Project privileges control access to projects and apply to different categories of objects within the project. These privileges provide broad control across all sources, catalogs, and engines in the project.
| Privilege Type | Applies To | Description |
|---|---|---|
| OWNERSHIP | Project | Full control of the project object; not inherited by nested objects. |
| USAGE | Project | Access the project and its engines. Required for any other project operations. |
| VIEW JOB HISTORY | Project | View the job history page for all users across the entire project. |
| CREATE SOURCE | Sources | Create new data sources and modify source configurations throughout the project. |
| EXTERNAL QUERY | Sources | Run external queries on compatible sources. |
| ALTER | Datasets | Edit definitions, settings, wikis, and manage metadata. Create or remove folders and datasets where supported. |
| CREATE TABLE | Datasets | Create tables using CREATE TABLE and CREATE TABLE AS on sources that support table creation. |
| DELETE INSERT TRUNCATE UPDATE | Datasets | Execute DML operations on Apache Iceberg tables in compatible object storage. |
| DROP | Datasets | Remove tables and folders from all sources that support deletion operations. |
| SELECT | Datasets | Query contained datasets and view schema definitions, lineages, wikis, and labels. |
| ALTER REFLECTION | Reflections | Create, edit, and view all Reflections across the project. Includes access to Reflection pages, API endpoints, and job history. |
| VIEW REFLECTION | Reflections | View all Reflections across the project, including pages, API endpoints, and job history. |
| MODIFY | Engines | Complete engine management including workload settings, routing, and queues. Includes MONITOR and OPERATE. |
| MONITOR | Engines | View all engine settings including replicas, auto-stop settings, time limits, and tags across all engines. |
| OPERATE | Engines | Start, stop, enable, and disable all engines in the project. |
| MANAGE GRANTS | All Objects | Grant and revoke privileges on the project and all objects it contains. |
Open Catalog Privileges
Open Catalog is a specialized source whose privileges control access to folders and datasets within the catalog.
You can grant each of these privileges at the indicated scopes:
- Catalog scope: Privileges are granted on the catalog and apply to all the catalog folders and datasets.
- Folder scope: Privileges are granted to a specific folder and apply to all contained folders and datasets.
- Dataset scope: Privileges are granted to a single table or view and apply only to that dataset.
| Privilege Type | Catalog Scope | Folder Scope | Dataset Scope | Description |
|---|---|---|---|---|
| ALL | ✔ | ✔ | ✔ | Shorthand to grant all supported privileges except OWNERSHIP. |
| ALTER | ✔ | ✔ | ✔ | Edit contained table definitions, settings, wikis, and manage metadata operations. Add or remove folders. |
| ALTER REFLECTION | ✔ | ✔ | ✔ | Create, edit, and view Reflections on contained datasets, including pages, APIs, and job history. |
| DROP | ✔ | ✔ | | Remove contained datasets and folders. |
| MANAGE GRANTS | ✔ | ✔ | ✔ | Grant and revoke privileges on contained objects. |
| OWNERSHIP | ✔ | ✔ | ✔ | Full object control; not inherited by nested objects. |
| READ METADATA | ✔ | ✔ | ✔ | View metadata including column information and job history, limited to jobs you have permission to see. |
| SELECT | ✔ | ✔ | ✔ | Query contained datasets and view schema definitions, lineages, wikis, and labels. |
| USAGE | ✔ | ✔ | | Use the immediate namespace or folder. Must be granted on every folder in the hierarchy path. |
| VIEW REFLECTION | ✔ | ✔ | ✔ | View Reflections on contained datasets, including pages, APIs, and job history. |
| WRITE | ✔ | ✔ | ✔ | Execute write operations INSERT, UPDATE, TRUNCATE, DELETE on contained Apache Iceberg tables. |
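The inheritance rule, the non-inherited OWNERSHIP rule and the view privilege chain from Key Concepts, together with the USAGE-on-every-folder rule in the table above, modelled as a small effective-privilege checker. This is an added example, not Dremio's code or its real authorization logic; the PrivilegeModel class, the tuple paths and the sample users, roles and grants are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed, simplified model of the rules on this page (not Dremio's implementation).
# A path is a tuple from the catalog down, e.g. ("lake", "finance", "revenue") for a table.
@dataclass
class PrivilegeModel:
    grants: set = field(default_factory=set)    # (principal, privilege, path)
    roles: dict = field(default_factory=dict)   # user -> set of role names
    owners: dict = field(default_factory=dict)  # path -> owning user
    views: dict = field(default_factory=dict)   # view path -> underlying table path

    def grant(self, privilege, path, principal):
        self.grants.add((principal, privilege, path))

    def create(self, path, user, underlying=None):
        self.owners[path] = user                 # whoever creates an object owns it
        if underlying is not None:               # a view remembers the table it is built on
            self.views[path] = underlying

    def has(self, user, privilege, path):
        if self.owners.get(path) == user or privilege == "OWNERSHIP":
            return self.owners.get(path) == user  # OWNERSHIP: this object only, never inherited
        principals = {user} | self.roles.get(user, set())   # a user also holds their roles' grants
        return any((p, privilege, path[:i]) in self.grants  # the object and every enclosing scope
                   for p in principals for i in range(len(path) + 1))

    def can_select(self, user, path):
        # USAGE on the catalog and every folder along the path (inherited USAGE counts), then SELECT.
        usage_ok = all(self.has(user, "USAGE", path[:i]) for i in range(1, len(path)))
        if not (usage_ok and self.has(user, "SELECT", path)):
            return False
        # View privilege chain: the view's owner must still be able to read the underlying table.
        return path not in self.views or self.can_select(self.owners[path], self.views[path])

def demo():
    m = PrivilegeModel()
    table, view = ("lake", "finance", "revenue"), ("lake", "reports", "rev_view")
    m.roles = {"alice": {"analysts"}, "bob": {"analysts"}}
    m.grant("USAGE", ("lake",), "analysts")      # inherited by every folder under the catalog
    m.create(("lake", "finance"), "alice")        # alice owns the folder ...
    m.create(table, "carol")                      # ... but carol owns the table inside it
    m.grant("SELECT", table, "alice")
    m.create(view, "alice", underlying=table)     # alice shares carol's table through her view
    m.grant("SELECT", view, "bob")
    not_inherited = m.has("alice", "OWNERSHIP", table)   # False: owning the folder is not enough
    via_view = m.can_select("bob", view)                 # True: the privilege chain is intact
    direct = m.can_select("bob", table)                  # False: bob has no SELECT on the table
    m.grants.discard(("alice", "SELECT", table))         # the view's owner loses the table
    broken = m.can_select("bob", view)                   # False: the chain is broken for everyone
    return not_inherited, via_view, direct, broken
```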
Source Privileges
Source privileges control access to external data sources and datasets. All sources and other catalogs utilize these privileges in Dremio.
You can grant each of these privileges at the indicated scopes:
- Source scope: Privileges are granted on the source and apply to all the source folders and datasets.
- Folder scope: Privileges are granted to a specific folder and apply to all contained folders and datasets.
- Dataset scope: Privileges are granted to a specific table or view and apply only to that dataset.
| Privilege Type | Source Scope | Folder Scope | Dataset Scope | Description |
|---|---|---|---|---|
| ALL | ✔ | ✔ | ✔ | Shorthand to grant all supported privileges except OWNERSHIP. |
| ALTER | ✔ | ✔ | ✔ | Edit contained dataset definitions, settings, wikis, and manage metadata. Add or remove folders, promote or demote tables. |
| ALTER REFLECTION | ✔ | ✔ | ✔ | Create, edit, and view all Reflections on contained datasets, including pages, APIs, and job history. |
| CREATE TABLE | ✔ | ✔ | | Create new tables using CREATE TABLE and CREATE TABLE AS (requires source to support table creation). |
| DELETE INSERT TRUNCATE UPDATE | ✔ | ✔ | ✔ | Execute associated DML operations DELETE, INSERT, TRUNCATE, UPDATE on all contained Apache Iceberg tables (requires compatible object storage). |
| DROP | ✔ | ✔ | | Remove contained datasets and folders (requires source deletion support). |
| EXTERNAL QUERY | ✔ | | | Run external queries on compatible sources. |
| MANAGE GRANTS | ✔ | ✔ | ✔ | Grant and revoke privileges on contained objects. |
| MODIFY | ✔ | | | Access and modify configuration settings, connection parameters, and source-level properties. |
| OWNERSHIP | ✔ | ✔ | ✔ | Full object control; not inherited by nested objects. |
| READ METADATA | ✔ | ✔ | ✔ | View metadata including column information and job history, limited to jobs you have permission to see. |
| SELECT | ✔ | ✔ | ✔ | Query contained datasets and view schema definitions, lineages, wikis, and labels. |
| VIEW REFLECTION | ✔ | ✔ | ✔ | View Reflections on contained datasets, including pages, APIs, and job history. |
User-Defined Function Privileges
User-defined functions (UDFs) allow you to create reusable custom functions using SQL expressions.
| Privilege Type | Description |
|---|---|
| ALL | Shorthand to grant all supported privileges except OWNERSHIP. |
| ALTER | Edit the function's wiki, definitions, and settings. |
| EXECUTE | Ability to run the UDF. Use the function as row-access and column-masking policies for tables and views. |
| MANAGE GRANTS | Grant and revoke privileges on the UDF. |
| OWNERSHIP | Full object control; not inherited by nested objects. |
Engine Privileges
Engine privileges control access to specific named engines. Use engine privileges at the project level to manage all engines collectively.
| Privilege Type | Description |
|---|---|
| ALL | Shorthand to grant all supported privileges except OWNERSHIP. |
| MANAGE GRANTS | Grant and revoke privileges on the specific engine. |
| MODIFY | Access and modify all engine settings including replicas, auto-stop configuration, time limits, and tags. |
| MONITOR | View all engine settings and configuration details without modification rights. |
| OPERATE | Start, stop, enable, and disable the engine. |
| OWNERSHIP | Full control of the engine object; not inherited by nested objects. |
| USAGE | Execute queries using the engine. The PUBLIC role has this privilege on all engines by default, but it can be revoked. |
Model Provider Privileges
Model provider privileges control access to AI model providers configured at the organization level. These privileges determine who can use, manage, and configure model providers for your organization.
| Privilege Type | Description |
|---|---|
| CALL MODEL | Use the AI models available. |
| MODIFY | Access and edit the model provider settings. |
| MANAGE GRANTS | Grant and revoke privileges on the model provider. |
| OWNERSHIP | Take all actions on the model provider, including deleting it and transferring ownership using the GRANT TO ROLE or GRANT TO USER SQL command. |
Script Privileges
Script privileges enable sharing of individual saved scripts with other users and roles.
| Privilege Type | Description |
|---|---|
| ALL | Shorthand to grant all supported privileges except OWNERSHIP. |
| DELETE | Remove the script permanently. |
| MANAGE GRANTS | Grant and revoke privileges on the script. |
| MODIFY | Edit the script content and settings. |
| OWNERSHIP | Full control of the script object; not inherited by nested objects. |
| VIEW | Access, view, and execute the script. |
Identity Provider Privileges
Identity provider privileges control access to organization-level authentication and identity management settings.
| Privilege Type | Description |
|---|---|
| ALL | Shorthand to grant all supported privileges except OWNERSHIP. |
| MODIFY | Access and modify identity provider settings, including configuration changes and updates. |
| MONITOR | View all identity provider settings and configuration details without modification rights. |
| OWNERSHIP | Full control of the identity provider object; not inherited by nested objects. |
Related Topics
- Security Pillar – See the security design principles and best practices of the Dremio Well-Architected Framework.