Access Control


An Organization is the unit of tenant isolation in DeltaStream. All objects (Databases, Stores, Queries, etc) are set up under the Organization.


A user represents an authenticated identity within DeltaStream. A user may be a member of multiple Organizations. A user holds one or more Roles within each Organization.


Objects are entities within DeltaStream which can be protected with access controls. Unless explicitly granted privileges, access is denied. Each object resides within a hierarchy, with the Organization being the root. Organizations contain Stores, Schema Registries, Descriptors, Databases, Function Sources, and Queries. Databases contain Schemas, which in turn contain Relations.

Every Object has a single owner, which is the Role used when creating the object. The owner role has all Privileges on the object and can grant or revoke privileges to other Roles. Ownership can be transferred to another Role.


In DeltaStream, privileges determine which role can access and perform operations on a given object. Every object has a set of privileges that can be granted on it. Privileges are managed using the GRANT and REVOKE commands.

Use of these commands is restricted to the role that owns an object (i.e., the role has the OWNERSHIP privilege on the object) or any roles that have the MANAGE_GRANTS global privilege for the object (only the SECURITYADMIN role by default).

Note that a role that holds the global MANAGE_GRANTS privilege can grant additional privileges to the current (grantor) role.

Available privileges

PrivilegeApplicable objectDescription


Allows databases to be created


Allows stores to be created


Allows schema registries to be created


Allows descriptor sources to be created


Allows function sources to be created


Allows functions to be created


Allows queries to be run


Allows management of users and roles


Allows management of privileges


Allows viewing and basic usage of the object. Additional privileges may be required to some actions


For databases, allows new schemas to be created with in the database. For schemas, allows defining new relations within the schema.


Allows select queries to use to the relation


Allows queries to inserting data into the relation


A role is an entity to which privileges can be granted. Roles are assigned to Users in order to allow them to perform actions against an Object. A user can be assigned multiple roles. This allows the user to switch roles in order to perform actions with a different set of privileges.

There are a set of built-in roles under every Organization. Built-in roles cannot be dropped and the Privileges assigned to these roles cannot be revoked.

Roles can be also granted to other roles. This creates a hierarchy of roles where the privileges associated with a role are inherited by any roles above that role in the hierarchy.

Built-in roles

The following are the built in roles in DeltaStream that are available to use without creating them.

  • ORGADMIN — Root of the the role hierarchy. This role manages operations at the organization level.

  • SYSADMIN — Role that has privileges to create, manage, and drop objects.

  • USERADMIN — Role that has privileges to manage users and roles within the Organization.

  • SECURITYADMIN — Role that manages any object grants globally. This role inherits privileges from the USERADMIN role.

  • PUBLIC — A pseudo role that is granted to all roles within the Organization. This role can be granted privileges on objects that will be inherited by all other roles.

Custom roles

Custom roles can be created using the USERADMIN (or a higher) role as well as by any role to which the MANAGE_MEMBERS privilege has been granted.

When a new role is created it is not assigned to any user, nor granted to any other role. For the roles that will be owners of objects, DeltaStream recommends to use a custom role hierarchy where the top-most custom role in the hierarchy is assigned to the system role SYSADMIN. With this strategy, system administrators can manage all the objects in the organization, while restricting management of users and roles to the USERADMIN role.

On the other hand, not assigning SYSADMIN through a role hierarchy to a custom role, prevents the system administrator from managing the objects owned by the custom role. This results in limiting the roles that can view the objects and modify their access grants to those roles that have been granted the MANAGE_GRANTS privilege (only the SECURITYADMIN role by default).

For instructions to create custom roles, see CREATE ROLE.

Best Practices

DeltaStream recommends the following best practices for access control:

  • Reserve the ORGADMIN role for administrative tasks only. It must not be used for day-to-day access.

  • Ideally, administrators should have 2 separate logins, one with the ORGADMIN role for administrative tasks and a separate role for day-to-day access.

  • ORGADMIN must not own any objects and it must never be granted to any other roles.

  • SECURITYADMIN is also a very powerful role with the MANAGE_GRANTS privilege and must only be used in limited cases.

  • USERADMIN should be the default role for managing users and role grants. This role should normally be the owner of all other custom roles.

  • SYSADMIN should be the default role for managing objects and should always be the eventual owner of all other objects. You can grant the custom roles to SYSADMIN but must never grant ownership of other roles. This maintains the separation of responsibility between SYSADMIN and USERADMIN.

  • When building custom role hierarchy, define functional roles and access roles. Privileges on objects can be granted to access roles and access roles can be granted to functional roles.

  • Use SCIM based automation to manage grants of functional roles to users.

Last updated