# Administering Users in your Organization

This article is helpful if you've just been given access to a new DeltaStream [organization](https://docs.deltastream.io/overview/core-concepts/access-control#organiation). It discusses the responsibilities of different administrator roles.

{% hint style="info" %}
**Note** For additional background, see this [high-level overview of access control concepts](https://docs.deltastream.io/overview/core-concepts/access-control) in DeltaStream.
{% endhint %}

One of the first things to do when you begin to assemble a new organization in DeltaStream is to invite other users and assign them to administrative roles, including:

* sysadmin
* securityadmin
* useradmin
* orgadmin

Note the role hierarchy illustrated in the diagram below:

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-1a635544ca4dc27ce0dbce412f29cbf16e12a20a%2Fimage%20(3).png?alt=media" alt=""><figcaption><p>DeltaStream Role Hierarchy</p></figcaption></figure>

Admin roles are built into DeltaStream. There are 4 types of admin roles:

1. **ORGADMIN** — Root of the role hierarchy. This role manages operations at the organization level.
2. **SYSADMIN** — Role that has privileges to create, manage, and drop objects.
3. **USERADMIN** — Role that has privileges to manage users and roles within the organization.
4. **SECURITYADMIN** — Role that manages any object grants globally. This role inherits privileges from the `useradmin` role.

{% hint style="warning" %}
**Important** Admin roles are the most powerful roles in DeltaStream. Only select individuals should have them.
{% endhint %}

## Using the OrgAdmin Role

The `orgadmin` role is the single most powerful role in DeltaStream. Use it only for routine administrative tasks, such as inviting and removing users. Do not use it to grant access to resources for activities such as creating and querying streams. For example, when you create objects such as databases, namespaces, or DeltaStream objects, use the `sysadmin` role or a lower role in the hierarchy. Similarly, when you invite new users or create new roles, use the `useradmin` role.

{% hint style="success" %}
**Tip** As a best practice, use a less powerful role (that is, one with fewer privileges) whenever possible.
{% endhint %}

When someone first gets access to DeltaStream, they're granted the `orgadmin` role. In turn they inherit the `sysadmin` and `securityadmin` roles, and their default role will be `sysadmin`.

### 1. Adding OrgAdmin Users

To add people to your organization, use the `orgadmin` or `useradmin` role. To invite others to be an `orgadmin`, use the [`INVITE USER` command](https://docs.deltastream.io/reference/sql-syntax/command/invite-user).

```sql
INVITE USER 'user@demo.org' WITH (
  'roles' = (orgadmin, sysadmin), 
  'default' = sysadmin
);
```

{% hint style="warning" %}
**Important** Do not set OrgAdmin as the default role for people you invite into your organization.
{% endhint %}

For more details, see [Switching Roles](https://docs.deltastream.io/how-do-i.../managing-user-roles#switch-roles) and [Inviting Users to an Organization](https://docs.deltastream.io/how-do-i.../roles/invite-user).

### 2. Switching to a different role

After you invite others to be `orgadmin`, switch to use a different role.

```sql
USE ROLE useradmin;
```

## Using the UserAdmin Role

The `useradmin` role should be the default for managing users and creating custom roles. The `useradmin` role is also powerful, as it includes the privilege to [grant roles](https://docs.deltastream.io/reference/sql-syntax/command/grant-role). As with `orgadmin` and `securityadmin`, be judicious when assigning the role of `useradmin`.

### 1. Managing Invitations

#### Inviting other people to the organization

The below example shows how to use the [`INVITE USER`](https://docs.deltastream.io/reference/sql-syntax/command/invite-user) command to invite someone who has the `useradmin` and `public` roles. The default role is `public`:

```sql
INVITE USER 'user@demo.org' WITH (
  'roles' = (useradmin, "public"), 
  'default' = "public"
);
```

#### Listing Invitations

The below example shows how to use the [`LIST INVITATIONS`](https://docs.deltastream.io/reference/sql-syntax/command/list-invitations) command; to see invitations you've only just sent, use `LIST PENDING INVITATIONS`:

```
<no-db>/<no-store># LIST PENDING INVITATIONS;
             Invitation ID             | Org name |                            Org ID                            |     Email     | Invited by  |    User roles    | Default role
---------------------------------------+----------+--------------------------------------------------------------+---------------+-------------+------------------+---------------
  8f7a4504-ce64-4ee3-a9b5-227925e9dq44 | doc_org  | 830e26fe-de4g-4996-839f-bccb258f8f91                         | user@demo.org | useradmin   | useradmin,public | public
```

#### Revoking Invitations

To delete a pending invitation, use the [`REVOKE INVITATION`](https://docs.deltastream.io/reference/sql-syntax/command/revoke-invitation) command:

```sql
REVOKE INVITATION 8f7a4504-ce64-4ee3-a9b5-227925e9dq44;
```

#### Describing a User

To print (view) information about an existing user, use the [`DESCRIBE USER`](https://docs.deltastream.io/reference/sql-syntax/command/describe-user) command:

```
<no-db>/<no-store># DESCRIBE USER 'user@demo.org' ;
  Given name | Family name |     Email     | Locale
-------------+-------------+---------------+---------
  user       | Demo        | user@demo.org | en

  GrantedRoles | Inherited
---------------+------------
  useradmin    |
  public       | ✓
```

### 2. Managing Roles

#### Granting a specific role to an individual or to another role

The below example shows how to use the [`GRANT ROLE`](https://docs.deltastream.io/reference/sql-syntax/command/grant-role) command to grant the `sysadmin` role to a user:

```sql
GRANT ROLE sysadmin TO USER 'user@demo.org';
```

The below example shows how to grant the custom role `my_role` to the `sysadmin` role:

```sql
GRANT ROLE my_role TO ROLE sysadmin;
```

#### Revoking a role from either a user or another role

The below example shows how to use the [`REVOKE ROLE`](https://docs.deltastream.io/reference/sql-syntax/command/revoke-role) command to revoke the `sysadmin` role from a user:

```sql
REVOKE ROLE sysadmin FROM USER 'user@demo.org';
```

The below example shows how to revoke the custom role `my_role` from the `sysadmin` role:

```sql
REVOKE ROLE my_role FROM ROLE sysadmin;
```

#### Creating a custom role

The below example shows how to use the [`CREATE ROLE`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-role) command to create the `production_role` role:

```sql
CREATE ROLE production_role;
```

#### Dropping a custom role

The below example shows how to use the [`DROP ROLE`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-role) command to drop the `production_role` role:

```sql
DROP ROLE production_role;
```

## Using the SecurityAdmin Role

The `securityadmin` role should be the default role for managing object grants. As the `securityadmin` role inherits privileges from the `useradmin` role, it's also a powerful role. And as with the `orgadmin` and `useradmin` roles, take care to give the role of `securityadmin` only to people who will need it.

### 1. Granting Privileges to Roles

DeltaStream allows a finite number of privileges. To view them, see [Access Control Core Concepts](https://docs.deltastream.io/overview/core-concepts/access-control#_privilege).

The below example shows how to use the [`GRANT <PRIVILEGE>`](https://docs.deltastream.io/reference/sql-syntax/command/grant-privileges) command to grant the `CREATE_DATABASE` privilege to the `my_role` role:

```sql
GRANT CREATE_DATABASE ON ORGANIZATION TO ROLE my_role;
```

#### Revoking privileges from existing roles

The below example shows how to use the [`REVOKE <PRIVILEGE>`](https://docs.deltastream.io/reference/sql-syntax/command/revoke-privileges) command to revoke the `CREATE_DATABASE` privilege from the `my_role` role:

```sql
REVOKE CREATE_DATABASE ON ORGANIZATION FROM ROLE my_role;
```

### 2. Granting Ownership of Objects to Different Roles

You can only transfer ownership of an object when either:

* the current role is the owner of the object and has been granted the destination role, or
* the current role is `securityadmin`

Custom roles should be owned by the `useradmin` role. You can grant the `sysadmin` role or other custom roles to a role, but you should not grant ownership of roles to them.

{% hint style="success" %}
**Tip** Avoid granting ownership of roles to the `sysadmin` role or to any roles that `sysadmin` inherits.
{% endhint %}

The below example shows how to use the [`GRANT OWNERSHIP`](https://docs.deltastream.io/reference/sql-syntax/command/grant-ownership) command to grant ownership of the `db` [Database](https://docs.deltastream.io/overview/core-concepts/databases) to the `my_role` role:

```sql
GRANT OWNERSHIP ON DATABASE db TO my_role;
```
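The snippets in the UserAdmin and SecurityAdmin sections above each show one command in isolation. The following script is an added example, not taken from the DeltaStream documentation, that chains them into a single least-privilege onboarding and offboarding flow, switching to the least powerful role that can perform each step. The user `alice@demo.org`, the role `production_role` and the database `prod_db` are placeholder names chosen for this example, and it assumes the `INVITE USER` `'roles'` list accepts a custom role alongside the built-in ones (the page shows only built-in roles there).

```sql
-- Added example (not from the DeltaStream docs): least-privilege onboarding.
-- Placeholders: 'alice@demo.org', production_role, prod_db.

-- 1. As useradmin (not orgadmin): create the custom role and invite the user
--    with it as the default role. No admin role is granted in the invitation,
--    and orgadmin is never set as anyone's default role.
USE ROLE useradmin;
CREATE ROLE production_role;
INVITE USER 'alice@demo.org' WITH (
  'roles' = (production_role, "public"),
  'default' = production_role
);

-- 2. Still as useradmin: attach the custom role to the sysadmin hierarchy so
--    sysadmin keeps oversight of the objects it will create.
GRANT ROLE production_role TO ROLE sysadmin;

-- 3. As securityadmin: grant only the single privilege the role needs, and
--    hand it ownership of the one database it is responsible for.
USE ROLE securityadmin;
GRANT CREATE_DATABASE ON ORGANIZATION TO ROLE production_role;
GRANT OWNERSHIP ON DATABASE prod_db TO production_role;

-- 4. Verify the result before moving on: the pending invitation should list
--    production_role,public with production_role as the default, and once the
--    invitation is accepted DESCRIBE USER should show the same granted roles.
LIST PENDING INVITATIONS;
DESCRIBE USER 'alice@demo.org';

-- 5. Offboarding: revoke the privilege and the role grants first, then drop
--    the role, so nothing is left pointing at a role that no longer exists.
REVOKE CREATE_DATABASE ON ORGANIZATION FROM ROLE production_role;
REVOKE ROLE production_role FROM USER 'alice@demo.org';
REVOKE ROLE production_role FROM ROLE sysadmin;
DROP ROLE production_role;
```

The point of the ordering is auditability: every grant is made by the role the page designates for that kind of grant (`useradmin` for roles and invitations, `securityadmin` for privileges and ownership), so the activity of each admin role stays narrow and easy to review, and the `orgadmin` role is never used at all.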

## Using the SysAdmin Role

The `sysadmin` role has the privileges to create, manage, and drop objects. Most day-to-day tasks are done in the `sysadmin` role or in a custom role that has been granted to the `sysadmin` role.

Some of the main actions a `sysadmin` can perform include:

* [`CREATE STORE`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-store) / [`DROP STORE`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-store)
* [`CREATE ENTITY`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-entity) / [`DROP ENTITY`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-entity)
* [`CREATE DATABASE`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-database) / [`DROP DATABASE`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-database)
* [`CREATE SCHEMA`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-schema_registry) / [`DROP SCHEMA`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-schema)
* [`CREATE STREAM`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-stream) / [`DROP STREAM`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-stream)
* [`CREATE CHANGELOG`](https://docs.deltastream.io/reference/sql-syntax/ddl/create-changelog) / [`DROP CHANGELOG`](https://docs.deltastream.io/reference/sql-syntax/ddl/drop-changelog)
* [`CREATE MATERIALIZED VIEW AS`](https://docs.deltastream.io/reference/sql-syntax/query/materialized-view/create-materialized-view-as)
* [`SELECT`](https://docs.deltastream.io/reference/sql-syntax/query/select)
* [`TERMINATE QUERY`](https://docs.deltastream.io/reference/sql-syntax/query/terminate-query)

{% hint style="success" %}
**Tip** This role typically is at the root of the hierarchy for all custom roles that also create, manage, or drop objects. In this way the `sysadmin` role is in charge of all objects in the organization.
{% endhint %}

See also:

* [store](https://docs.deltastream.io/how-do-i.../create-and-manage-data-stores/store "mention")
* [using-multiple-stores-in-queries](https://docs.deltastream.io/how-do-i.../create-and-manage-data-stores/using-multiple-stores-in-queries "mention")
* [relation](https://docs.deltastream.io/how-do-i.../relation "mention")
* [database](https://docs.deltastream.io/how-do-i.../database "mention")
* [creating-and-querying-materialized-views](https://docs.deltastream.io/how-do-i.../creating-and-querying-materialized-views "mention")
