GRANT TO ROLE
Access to Dremio objects can be managed by granting privileges to roles. A privilege is the right to perform a specific action on an object.
Syntax
GRANT { objectPrivilege | ALL } ON { <object_type> <object_name> }
TO ROLE <role_name>

GRANT { objectPrivilege } ON ALL FOLDERS IN CATALOG { <object_name> }
TO ROLE <role_name>

GRANT { objectPrivilege } ON ALL DATASETS IN CATALOG { <object_name> }
TO ROLE <role_name>
The DELETE, INSERT, TRUNCATE, and UPDATE privileges are supported only for Iceberg tables.
The CREATE TABLE and DROP privileges are supported only for sources that support mutability.
-- On Organizations
{ CONFIGURE SECURITY | CONFIGURE BILLING | CREATE CATALOG | CREATE CLOUD | CREATE PROJECT | CREATE ROLE | CREATE USER | MANAGE GRANTS | OWNERSHIP } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR | OWNERSHIP } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE SOURCE | CREATE TABLE | DELETE | DROP | EXTERNAL QUERY | INSERT | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | OWNERSHIP | SELECT | UPDATE | USAGE | VIEW JOB HISTORY | VIEW REFLECTION } [, ...]
-- On Engines
{ MANAGE GRANTS | MODIFY | MONITOR | OPERATE | OWNERSHIP | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE } [, ...]
-- On catalog sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DELETE | DROP | EXTERNAL QUERY | INSERT | MANAGE GRANTS | MODIFY | OWNERSHIP | SELECT | TRUNCATE | UPDATE | VIEW REFLECTION } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DELETE | DROP | INSERT | MANAGE GRANTS | OWNERSHIP | SELECT | SHOW | TRUNCATE | UPDATE | VIEW REFLECTION } [, ...]
-- On Tables in catalog sources
{ ALTER | DELETE | INSERT | MANAGE GRANTS | OWNERSHIP | SELECT | TRUNCATE | UPDATE } [, ...]
-- On User-Defined Functions
{ OWNERSHIP }
-- On Views in catalog sources
{ ALTER | DELETE | INSERT | MANAGE GRANTS | OWNERSHIP | SELECT | TRUNCATE | UPDATE } [, ...]
-- On Scripts
{ VIEW | MODIFY | DELETE | MANAGE GRANTS }
-- On Roles
{ OWNERSHIP }
-- On Users
{ OWNERSHIP }
-- On Open Catalogs and sources
{ MANAGE GRANTS | OWNERSHIP | USAGE | MODIFY }
-- On Tables in Open Catalogs
{ ALTER REFLECTION | MANAGE GRANTS | SELECT | VIEW REFLECTION | WRITE }
-- On Views in Open Catalogs
{ ALTER REFLECTION | MANAGE GRANTS | SELECT | VIEW REFLECTION | WRITE }
Parameters
<objectPrivilege> String
The privilege(s) to be granted to the role. A comma-separated list of privileges can be specified. For more information, read Privileges.
<object_type> String
The name of the type of object on which the specified privilege is being granted.
Enum: ORG, CLOUD, PROJECT, ENGINE, CATALOG, ROLE, USER, SOURCE, IDENTITY PROVIDER, EXTERNAL TOKEN, FOLDER, FUNCTION, TABLE, VIEW
<object_name> String
The name of the object on which the privilege is being granted. Object names need to be qualified with the path if they are nested.
For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.
<role_name> String
The name of the role to which the privilege is being granted.
Examples
Grant CREATE PROJECT and CREATE CLOUD privileges on the organization to a role
GRANT CREATE PROJECT, CREATE CLOUD
ON ORG
TO ROLE "DATA_ENGINEER"

Grant MODIFY and MONITOR privileges on a cloud to a role
GRANT MODIFY, MONITOR
ON CLOUD "Default Cloud"
TO ROLE "DATA_ENGINEER"

Grant OWNERSHIP of a role to a user
GRANT OWNERSHIP ON ROLE data_engineer TO USER user1

Grant the OPERATE privilege on an engine to a role
GRANT OPERATE
ON ENGINE "reflections_engine"
TO ROLE "DATA_ENGINEER"

Grant the VIEW JOB HISTORY privilege on the system to a role
GRANT VIEW JOB HISTORY ON SYSTEM TO ROLE "DATA ANALYST"

Grant OWNERSHIP of a catalog to a role
GRANT OWNERSHIP ON CATALOG prodCatalog TO ROLE data_engineer

Grant the SHOW privilege on all folders in a catalog to a role
GRANT SHOW ON ALL FOLDERS IN CATALOG prodCatalog TO ROLE "PUBLIC"

Grant the SELECT privilege on all datasets in a catalog to a role
GRANT SELECT ON ALL DATASETS IN CATALOG Cat1
TO ROLE <role_name>
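A least-privilege role layout that combines the three syntax forms above, added here as an illustration and not taken from the Dremio documentation; the catalog name prodCatalog comes from the examples, while the role names and the folder and table paths are assumptions.

```sql
-- Assumed names for this illustration: roles DATA_ANALYST, DATA_ENGINEER and
-- CATALOG_ADMIN, folder prodCatalog.staging and table prodCatalog.staging.sales.

-- 1. Read-only analyst role: browse folders and query every dataset in the
--    catalog, nothing more. The ALL FOLDERS / ALL DATASETS forms cover the
--    whole catalog in one statement each, so no per-table grants are needed.
GRANT SHOW ON ALL FOLDERS IN CATALOG prodCatalog TO ROLE "DATA_ANALYST";
GRANT SELECT ON ALL DATASETS IN CATALOG prodCatalog TO ROLE "DATA_ANALYST";

-- 2. Engineer role: write access only on the one nested folder and table it
--    maintains. Nested objects are path-qualified (catalog.folder.table).
--    DELETE, INSERT, TRUNCATE and UPDATE are supported only on Iceberg tables,
--    and CREATE TABLE only on sources that support mutability, so this assumes
--    prodCatalog.staging.sales is an Iceberg table in a mutable source.
GRANT CREATE TABLE ON FOLDER prodCatalog.staging TO ROLE "DATA_ENGINEER";
GRANT SELECT, INSERT, UPDATE, DELETE
ON TABLE prodCatalog.staging.sales
TO ROLE "DATA_ENGINEER";

-- 3. Administration of grants stays with a narrowly scoped admin role.
--    MANAGE GRANTS and OWNERSHIP govern access to the object itself, so they
--    are deliberately kept off the broad analyst and engineer roles.
GRANT MANAGE GRANTS ON CATALOG prodCatalog TO ROLE "CATALOG_ADMIN";
```

Review the resulting grants per role when onboarding a new catalog, since the ALL DATASETS form also covers datasets added to the catalog later.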