
Privileges

Access to Dremio objects can be managed through privileges. A privilege is the right to perform a specific action on an object.

Granting Privileges to a User

Syntax
GRANT { objectPrivilege | ALL } ON { <object_type> <object_name> } 
TO USER <username>

objectPrivilege
-- On Organizations
{ CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS | OWNERSHIP } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR | OWNERSHIP } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | OWNERSHIP | SELECT | USAGE | VIEW JOB HISTORY | VIEW REFLECTION } [, ...]
-- On Engines
{ MODIFY | MONITOR | OPERATE | OWNERSHIP | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | OWNERSHIP | SELECT } [, ...]
-- On Spaces
{ ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | OWNERSHIP | SELECT } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | OWNERSHIP | SELECT } [, ...]
-- On Tables
{ ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
-- On Views
{ ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
-- On Roles
{ ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]
-- On Users
{ ALTER | MANAGE GRANTS | OWNERSHIP } [, ...]

Parameters

{{< sql-section file="data/sql/privileges.json" data="grantingPrivilegesParametersUser" >}}

Examples

Grant SELECT privilege on the project to a user
GRANT SELECT
ON PROJECT
TO USER "user@dremio.com"

Grant ALTER and SELECT privileges on a space to a user
GRANT ALTER, SELECT
ON SPACE "Application"
TO USER "user@dremio.com"

Grant OWNERSHIP privilege on a user to a user
GRANT OWNERSHIP
ON USER "user1@dremio.com"
TO USER "user@dremio.com"

Granting Privileges to a Role

Syntax
GRANT { objectPrivilege | ALL } ON { <object_type> <object_name> } 
TO ROLE <role_name>

objectPrivilege
-- On Organizations
{ CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
-- On Engines
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Spaces
{ ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
-- On Tables
{ ALTER | MANAGE GRANTS } [, ...]
-- On Views
{ ALTER | MANAGE GRANTS } [, ...]

Parameters

{{< sql-section file="data/sql/privileges.json" data="grantingPrivilegesParametersRole">}}

Examples

Grant CREATE PROJECT and CREATE CLOUD privileges on the organization to a role
GRANT CREATE PROJECT, CREATE CLOUD
ON ORG
TO ROLE "DATA_ENGINEER"

Grant MODIFY and MONITOR privileges on a cloud to a role
GRANT MODIFY, MONITOR
ON CLOUD "Default Cloud"
TO ROLE "DATA_ENGINEER"

Grant OPERATE privilege on an engine to a role
GRANT OPERATE
ON ENGINE "reflections_engine"
TO ROLE "DATA_ENGINEER"

Grant MONITOR privilege on an identity provider to a user
GRANT MONITOR
ON IDENTITY PROVIDER "0oarj64sbnrVQBBy"
TO USER "user@dremio.com"
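
Added example (not part of the Dremio documentation): a Python check that compares GRANT statements in a script against the privilege lists in the two Syntax blocks above, which differ by grantee type (OWNERSHIP and the "On Users" list appear only under TO USER). The names `lint_grant` and `SAMPLES`, the constructed sample statements and the finding raised for ALL are assumptions of this example; only object types whose keywords appear in the page's examples are covered.

```python
import re

# Privileges the page's TO ROLE syntax lists per object type. Only object
# keywords that appear in the page's examples are covered (assumption: the
# remaining object types would be added to this table the same way).
ROLE_PRIVS = {k: set(v.split("|")) for k, v in {
    "ORG": "CONFIGURE SECURITY|CREATE CLOUD|CREATE PROJECT|MANAGE GRANTS",
    "CLOUD": "MANAGE GRANTS|MODIFY|MONITOR",
    "PROJECT": "ALTER|ALTER REFLECTION|CREATE TABLE|DROP|EXTERNAL QUERY|MANAGE GRANTS"
               "|MODIFY|MONITOR|OPERATE|SELECT|USAGE|VIEW JOB HISTORY|VIEW REFLECTION",
    "ENGINE": "MODIFY|MONITOR|OPERATE|USAGE",
    "IDENTITY PROVIDER": "MODIFY|MONITOR|OPERATE|USAGE",
    "SPACE": "ALTER|ALTER REFLECTION|MANAGE GRANTS|MODIFY|SELECT",
}.items()}
USER_ON_USER = {"ALTER", "MANAGE GRANTS", "OWNERSHIP"}  # "On Users": TO USER only

GRANT_RE = re.compile(
    r'^\s*GRANT\s+(?P<privs>.+?)\s+ON\s+'
    r'(?P<otype>IDENTITY\s+PROVIDER|ORG|CLOUD|PROJECT|ENGINE|SPACE|USER)'
    r'(?:\s+(?:"[^"]+"|\w+))?\s+TO\s+(?P<gtype>USER|ROLE)\s+\S.*$',
    re.IGNORECASE | re.DOTALL)

def norm(text):
    """Upper-case and collapse whitespace so multi-line statements compare cleanly."""
    return " ".join(text.upper().split())

def lint_grant(stmt):
    """Return findings for one GRANT statement; an empty list means it fits the syntax."""
    m = GRANT_RE.match(stmt)
    if not m:
        return ["not a GRANT on a covered object type"]
    otype, gtype = norm(m["otype"]), m["gtype"].upper()
    if otype == "USER":
        allowed = USER_ON_USER if gtype == "USER" else set()
    else:
        allowed = set(ROLE_PRIVS[otype])
        if gtype == "USER" and otype != "IDENTITY PROVIDER":
            allowed.add("OWNERSHIP")  # listed only in the TO USER syntax
    findings = []
    for priv in (norm(p) for p in m["privs"].split(",")):
        if priv == "ALL":  # review policy of this example, not a Dremio rule
            findings.append(f"ALL on {otype}: enumerate the privileges instead")
        elif priv not in allowed:
            findings.append(f"{priv} is not listed for {gtype} grantees on {otype}")
    return findings

# Constructed samples: the first is the page's own example, the second is not valid.
SAMPLES = ['GRANT ALTER, SELECT\nON SPACE "Application"\nTO USER "user@dremio.com"',
           'GRANT OWNERSHIP ON SPACE "Application" TO ROLE "DATA_ENGINEER"']
if __name__ == "__main__":
    for s in SAMPLES:
        print(lint_grant(s) or "ok", "<-", norm(s))
```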

Revoking Privileges from a User

Syntax
REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> } 
FROM USER <username>

objectPrivilege
-- On Organizations
{ CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
-- On Engines
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Spaces
{ ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
-- On Tables
{ ALTER | MANAGE GRANTS } [, ...]
-- On Views
{ ALTER | MANAGE GRANTS } [, ...]

Parameters

{{< sql-section file="data/sql/privileges.json" data="revokingPrivilegesParametersUser" >}}

Examples

Revoke SELECT privilege on the project from a user
REVOKE SELECT
ON PROJECT
FROM USER "user@dremio.com"

Revoke ALTER privilege on a space from a user
REVOKE ALTER
ON SPACE "Application"
FROM USER "user@dremio.com"

Revoking Privileges from a Role

Syntax
REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> } 
FROM ROLE <role_name>

objectPrivilege
-- On Organizations
{ CONFIGURE SECURITY | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
-- On Engines
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Spaces
{ ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
-- On Tables
{ ALTER | MANAGE GRANTS } [, ...]
-- On Views
{ ALTER | MANAGE GRANTS } [, ...]

Parameters

{{< sql-section file="data/sql/privileges.json" data="revokingPrivilegesParametersRole" >}}

Examples

Revoke MODIFY and MONITOR privileges on a cloud from a role
REVOKE MODIFY, MONITOR
ON CLOUD "Default Cloud"
FROM ROLE "DATA_ENGINEER"

Revoke CREATE CLOUD privilege on an organization from a role
REVOKE CREATE CLOUD
ON ORG
FROM ROLE "DATA_ENGINEER"