Dremio Cloud
Dremio Software
 
On this page

    Get Grantee Privileges for an Object

    Note:

    This functionality is for Dremio v16.0+ Enterprise Edition only.

    This API lists all users or groups with granted privileges for a specific object.

    Endpoint Syntax

    Method and URL 
    GET /api/v3/catalog/{ID}/grants

    Required Privileges

    All users executing this Rest API must have the MANAGE GRANTS privilege assigned to receive a response output.

    Response Output

    This is the standard response output for the API.

    Example response 
    {
  "id": "126ced34-70d2-4e31-92bb-0ee687ebff24",
  "availablePrivileges": [
        "ALTER",
        "SELECT"
  ],
  "grants": [
    {
      "privileges": [
        "SELECT"
      ],
      "granteeType": "USER",
      "id": "821b04ae-0d0d-448c-a8b1-e77151732d4d",
      "name": "dremio",
      "firstName": "a",
      "lastName": "a",
      "email": "a@b.com"
    },
    {
      "privileges": [
        "SELECT"
      ],
      "granteeType": "ROLE",
      "id": "5cdaac3f-611b-4b78-bf37-85d8a85e4a1f",
      "name": "PUBLIC"
    }
  ]
}

    Response Codes

    • 200 - Success.
    • 403 - The user executing the API request lacks the MANAGE GRANTS permission.
    • 404 - An object with the entityId is not found.

    Examples

    In the following examples, scenarios describe the conditions which influence the appearance or exclusion of certain parameters in the API’s response output.

    Example 1: Curl Request

    curl request example 
    curl -X GET --location "http://localhost:9047/api/v3/catalog/c9baddf4-07db-4bb2-9b60-4d304dce3df8/grants" \
    -H "Authorization: _dremio9ug09rkbgu0kebmg77hopuuocc" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json"

    Example 2: Default State

    By default, Dremio grants all privileges on an object to all users. When a privilege is assigned to the All Users User option, all other users or groups on the privilege table are assigned the privilege, which is illustrated by the presence of a grey check box as shown in the image below.

    Under such circumstances, the privilege array for this API will still list all possible privileges. However, the user- and role-grants arrays will both be empty, as seen in the example response below.

    Default state example 
    {
  "availablePrivileges": [
        "ALTER",
        "SELECT"
  ],

  "grants": []
}

    Example 3: Specific Users/Roles Grant

    This example illustrates what happens when adding specific users or groups to the privileges table of the Sharing window. As part of this, the All Users entry will not have any privileges assigned, as the grants are now specified at the user or group level.

    As a result of this, the privileges array in the API response will include privileges, and userGrants, roleGrants, or both will not be empty (as in Example 1). See the response output below:

    Grant user-specific privileges example 
    {
  "id": "126ced34-70d2-4e31-92bb-0ee687ebff24",
   "availablePrivileges": [
        "ALTER",
        "SELECT"
  ],
  "grants": [
    {
      "privileges": [
        "SELECT"
      ],
      "granteeType": "USER",
      "id": "821b04ae-0d0d-448c-a8b1-e77151732d4d",
      "name": "dremio",
      "firstName": "a",
      "lastName": "a",
      "email": "a@b.com"
    }
   ]
}

    Curl Request: Privileges for the Space Object

    Space object privileges example 
    curl -X GET --location "http://localhost:9047/api/v3/grant?grantType=PROJECT" \
    -H "Authorization: _dremiohrr395nv31g8k610616tucp91g" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json"