Version: current [24.3.x]

Privileges

note

This functionality is for Dremio v16.0+ Enterprise Edition only.

The following table shows all privileges currently supported by Dremio’s access control functionality.

All Supported Privileges

Dataset Privileges

| Privilege | Target Objects | Description |
| --- | --- | --- |
| ALL | Source, Folder/Schema, Dataset/View | Grants the user all possible privileges for the object type, except MANAGE GRANTS and OWNERSHIP. |
| ALTER | System, Space, Source, Folder, Table, View | Add, delete, or modify table or view definitions, columns, or settings of all datasets in scope. For spaces, sources, tables, and views, this includes editing the wiki. For tables, this includes managing metadata, such as Metadata Refresh and Forget. |
| ALTER REFLECTION | System, Source, Space, Folder | Create, edit, and view reflections on all datasets in scope. Includes access to all reflection interfaces, such as the Dataset Reflection pages, the Administrator Reflection pages, and the corresponding REST API endpoints. |
| CONFIGURE SECURITY | System | Configure security-related features for the system: enable single sign-on (SSO) for BI applications such as Tableau and Power BI, and configure Dremio to honor tokens issued by external identity providers. |
| CREATE_TABLE | System, Source, Folder | Create a table using CREATE TABLE AS SELECT (CTAS) anywhere in the scope. |
| DELETE | System, Source, Space, Folder/Schema, Dataset/View | Execute DELETE statements on all datasets in scope. Supported only for Apache Iceberg datasets. |
| DROP | System, Source, Folder | Drop tables in the scope. |
| INSERT | System, Source, Space, Folder/Schema, Dataset/View | Execute INSERT statements on all datasets in scope. Supported only for Apache Iceberg datasets. |
| MANAGE GRANTS | System, Source, Space, System Table, Folder, Table, View | Grant and revoke privileges on all objects in the scope. |
| OWNERSHIP | Organization, Space, Source, Folder/Schema, Dataset/View, Users, Roles | Allows all actions on the object and on the objects within it, including modifying object settings, granting and revoking user and role access, and deleting the object. GRANT OWNERSHIP cannot be applied to ALL DATASETS. |
| SELECT | Source, Space, System Table, Folder, View, Table | Execute SELECT queries in the scope. For Nessie tables, see the dataset definition. |
| TRUNCATE | System, Source, Space, Folder/Schema, Dataset/View | Execute TRUNCATE statements on all datasets in scope. Supported only for Apache Iceberg datasets. |
| UPDATE | System, Source, Space, Folder/Schema, Dataset/View | Execute UPDATE statements on all datasets in scope. Supported only for Apache Iceberg datasets. |
| VIEW REFLECTION | System, Source, Space, Folder | View table metadata and reflections on all datasets in the scope. Includes access to all Dremio reflection interfaces, such as the Reflections tab on the Edit Dataset page, the Reflections sidebar in Settings, and the corresponding REST API endpoints. |

Script Privileges

| Privilege | Description |
| --- | --- |
| VIEW | Grants the privilege to view a script. |
| MODIFY | Grants the privilege to modify a script. |
| DELETE | Grants the privilege to delete a script. |
| MANAGE GRANTS | Grants the ability to grant or revoke privileges on a script. |

Sources & Spaces

| Privilege | Target Objects | Description |
| --- | --- | --- |
| CREATE ROLE | System | Create new roles. Does not include the ability to edit the admin role's memberships. |
| CREATE SOURCE | System | Create new sources. |
| CREATE USER | System | Create new users. Assigning roles to the new users additionally requires the CREATE ROLE privilege. |
| EXTERNAL QUERY | System, Source | Run external queries on relational-database sources. See Querying Relational-Database Sources Directly. |
| MODIFY | System, Source, Space, Engine | Edit and delete an object. For a space or source, this includes editing the object's settings and wiki. For the system, this includes editing workload management settings (engine routing and queues), viewing node activity, and changing support key settings. |
| UPLOAD | System | Upload files to the home space. |
| VIEW JOB HISTORY | System | View the job history of all users. |

User-Defined Function Privileges

| Privilege | Description |
| --- | --- |
| ALL | Grants the user all possible privileges on the function, except MANAGE GRANTS and OWNERSHIP. |
| ALTER | Grants the ability to edit the function. |
| EXECUTE | Execute the function when querying tables or views that have row-access or column-masking policies applied. A user or role must also hold this privilege to alter a table and attach a row-access or column-masking policy that uses the function. |
| MANAGE GRANTS | Grants the ability to grant or revoke privileges on the function. |
| OWNERSHIP | Assigns ownership of the function. |

Granting Privileges

You can share catalog objects with others in your organization by granting privileges. By default, a new user is assigned the PUBLIC role, which grants the user the USAGE privilege on all projects.

To grant additional privileges to roles or users, complete the following steps:

  1. Locate the desired object.

  2. Click the more actions icon for the object (the icon shown depends on the object type).

  3. In the object settings dialog, select Privileges from the settings sidebar.

    note

    For some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.

  4. In the Privileges dialog, enter the name of the user or role that you want to grant access to under Add User/Role.

  5. Click Add to Privileges.

    If the entry matches a user or role in Dremio, then a record will appear for them in the Users table.

  6. In the Users table, toggle the green checkmark for each privilege you want to grant to that user or role. For a description of a privilege, hover over its column name in the Users table.

    note

    Use the pre-populated All Users row to grant privileges to the PUBLIC role.

  7. (Optional) Repeat steps 4-6 to add more users or roles and grant them privileges.

  8. When finished, click Save.

Revoking Privileges

To revoke user and role privileges, complete the following steps:

  1. Locate the desired object.

  2. Click the more actions icon for the object (the icon shown depends on the object type).

  3. In the object settings dialog, select Privileges from the settings sidebar.

    note

    For some object types, the settings dialog automatically opens to display the privilege settings, and you do not need to select the Privileges tab.

  4. In the Privileges dialog, locate the desired user or role record. If the user or role is not listed, then they do not have specific privileges on the object aside from any privileges listed in the All Users row, which represents the PUBLIC role.

  5. Clear the checkboxes in the columns for the privileges you want to revoke. For a description of a privilege, hover over its column name in the Users table.

  6. When finished, click Save.

note

If a user holds a privilege on an object through membership in more than one role, revoking that privilege from one of the roles does not remove it: the user keeps the privilege until it has been revoked on that object for every role the user belongs to.

tip

You can also grant or revoke privileges using SQL commands or REST APIs.
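The SQL path the tip refers to, as an added example that is not from the Dremio documentation. It performs the same grant and revoke procedures as the UI steps above and demonstrates the multi-role retention behaviour described in the note. All object, role, user and function names (space marketing, view marketing.campaign_kpis, roles analysts, auditors and data_stewards, user jdoe, function mask_email) are hypothetical, and the final sys.privileges query assumes that system table and its column names exist in your version; confirm the exact GRANT/REVOKE grammar and the system table against the Dremio SQL reference for 24.3 before relying on it.

```sql
-- Added example, not from the Dremio docs. Names are hypothetical.

-- 1. Least-privilege read path: SELECT on one view only, granted to a role
--    rather than to individual users.
GRANT SELECT ON VIEW marketing.campaign_kpis TO ROLE analysts;

-- 2. A second role that also needs to read the same view.
GRANT SELECT ON VIEW marketing.campaign_kpis TO ROLE auditors;

-- 3. Revoking from one role does NOT cut off a user who is in both roles:
--    jdoe (member of analysts and auditors) can still SELECT after this.
REVOKE SELECT ON VIEW marketing.campaign_kpis FROM ROLE analysts;

-- 4. Access is only gone once every path to it has been revoked.
REVOKE SELECT ON VIEW marketing.campaign_kpis FROM ROLE auditors;

-- 5. Delegate privilege administration without handing over the object:
--    MANAGE GRANTS lets data stewards grant and revoke on the space, while
--    OWNERSHIP would additionally let them delete it. Keep the two separate.
GRANT MANAGE GRANTS ON SPACE marketing TO ROLE data_stewards;

-- 6. A masking function used by a column-masking policy must be EXECUTE-able
--    by the querying role, otherwise queries against the policed table fail.
GRANT EXECUTE ON FUNCTION mask_email TO ROLE analysts;

-- 7. Audit the grants that remain on the view after the changes.
--    Assumed: sys.privileges exposes one row per grant with these columns.
SELECT grantee_type, grantee_id, privilege
FROM   sys.privileges
WHERE  object_type = 'VIEW'
  AND  object_id   = 'marketing.campaign_kpis';
```

Run the statements as a user who holds MANAGE GRANTS or OWNERSHIP on the objects involved. Steps 3 and 4 make the point the note above makes: after step 3 alone, jdoe still has SELECT through the auditors role, so before treating a user's access as removed, revoke it for every role the user belongs to and check for any grant made directly to the user.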