On this page



    This functionality is for Dremio v16.0+ Enterprise Edition only.

    The following table shows all privileges currently supported by Dremio’s access control functionality.

    Granting or Revoking Privileges

    By default, all users have all privileges granted to them for any objects without applicable permissions. Once a specific user has been granted access to an object, access is then restricted to only users granted access. All other users no longer have access.

    The manual granting of privileges is accomplished either from the SQL Editor, REST APIs, or the Privileges screen. The SQL Editor is accessible from any dataset and any commands entered here will apply to the scope supplied with the command itself.

    To access the role-based access control from Dremio’s interface:

    1. Navigate to the desired object (folder, dataset, source, etc.).
    2. Click the Down arrow next to the ellipses () button near the top-right corner of the screen.
    3. Click the Settings option.
    4. Select the Privileges tab. This is where all privileges may be manually assigned to users and groups for an object.
    5. Click the Specific users… button and add or remove privileges as desired.
    6. When finished, click Save to preserve your changes.


    If a user has been granted a specific privilege for an object by more than one group and that privilege is revoked for one group, the user will retain that privilege until it is revoked by all groups associated with the same object(s).

    All Supported Privileges

    Dataset Privileges

    Privilege Target Objects Description
    ALTER System, Space, Source, Folder, Table, View Add, delete, or modify table or view definitions, columns, or settings of all datasets in scope. For tables, this includes managing metadata, such as Metadata Refresh and Forget.
    ALTER REFLECTION System, Source, Space, Folder Create, edit, and view reflections on all datasets in scope. Includes granting access to all interfaces, such as the Dataset Reflection pages, Administrator Reflection pages, and any REST API endpoints.
    CREATE_TABLE System, Source, Folder Create a table using CREATE TABLE AS SELECT (CTAS) for all datasets in the scope.
    DROP Project, Source, Folder Drop tables on any dataset in the scope.
    MANAGE GRANTS System, Source, Space, System Table, Folder, Table, View Modifies the privileges of all objects in the set scope. Also changes the owner of all objects within the scope.
    SELECT Source, Space, System Table, Folder, View, Table Gives the ability to execute SELECT queries in the scope.
    VIEW REFLECTION System, Source, Space, Folder View Reflections on all datasets in the scope. Includes access to all Dremio interfaces, such as the Dataset Reflection pages, Administrator Reflection pages, and any REST API endpoints.

    Source & Spaces

    Privilege Target Objects Description
    CREATE ROLE System Create new roles but does not include access to editing the admin role memberships.
    CREATE SOURCE System Create new sources.
    CREATE USER System Create new users. Assigning roles to the new users also requires the CREATE ROLE privilege.
    EXTERNAL QUERY System, Source Run the external_query table function on the source.
    MODIFY System, Source, Space, Engine Edit and delete an object. The following conditions apply:
    • If Space or Source, edit the object’s settings.
    • If System, edit workload management settings including engine routing and queues, view node activity, and change support key settings.
    ROLE ADMIN System Grant full admin access to users associated with a specified role. This may only be assigned with the GRANT SQL command.
    UPLOAD System Upload files to the home space.
    VIEW JOB HISTORY System Give the ability to view all job history.