# GRANT PRIVILEGES ## Organization Privileges ### Syntax ```sql GRANT [ CREATE_COMPUTE_POOL | CREATE_DATABASE | CREATE_STORE | CREATE_SCHEMA_REGISTRY | CREATE_DESCRIPTOR_SOURCE | CREATE_FUNCTION_SOURCE | CREATE_FUNCTION | CREATE_QUERY | MANAGE_MEMBERS | MANAGE_GRANTS | ALL PRIVILEGES , ... ] ON ORGANIZATION TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [Organization](https://docs.deltastream.io/overview/core-concepts/access-control#_organiation) [privileges](https://docs.deltastream.io/overview/core-concepts/access-control#_privilege) to one or more roles. The current role requires one of the following privileges: * Ownership of Organization * `MANAGE_GRANTS` privilege on Organization * Privilege granted to the current role `WITH GRANT OPTION`. ### Arguments #### CREATE\_COMPUTE\_POOL Allow role to create [compute\_pools](https://docs.deltastream.io/overview/core-concepts/compute-pools) under the organization. #### CREATE\_DATABASE Allow role to create [databases](https://docs.deltastream.io/overview/core-concepts/databases) under the organization. #### CREATE\_STORE Allow role to define [stores](https://docs.deltastream.io/overview/core-concepts/store) under the organization. #### CREATE\_SCHEMA\_REGISTRY Allow role to define [schema registries](https://docs.deltastream.io/reference/data-format-serialization#_schema_registry) under the organization. #### CREATE\_DESCRIPTOR\_SOURCE Allow role to upload [descriptor sources](https://docs.deltastream.io/reference/data-format-serialization#protocol-buffers-and-descriptors) to the organization. #### CREATE\_FUNCTION\_SOURCE Allow role to upload [UDF and UDAF sources](https://docs.deltastream.io/overview/core-concepts/function) to the organization. #### CREATE\_FUNCTION Allow role to define a new [UDF or UDAF](https://docs.deltastream.io/overview/core-concepts/function) under the organization. The role will also require `USAGE` privileges to the function source. #### CREATE\_QUERY Allow role to launch a new [query](https://docs.deltastream.io/overview/core-concepts/queries) under the organization. The role also has additional privileges on database, schema, relations, and stores to launch the query. #### MANAGE\_MEMBERS Allow role to manage [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role), invitations, and users. #### MANAGE\_GRANTS Allow role to manage all privilege grants within the organization. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to grant the privileges to. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```bash /# GRANT CREATE_DATABASE, CREATE_STORE ON ORGANIZATION TO rol1, rol2; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "create_database, | | | | create_store" on "MR main" granted to | | | | "rol1, rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +--------------+---------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+=========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_database | false | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_store | false | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ ``` ```bash /# GRANT CREATE_DATABASE, CREATE_STORE ON ORGANIZATION TO rol1, rol2 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "create_database, | | | | create_store" on "MR main" granted to | | | | "rol1, rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +--------------+---------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+=========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_database | true | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_store | true | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ ``` ## Compute\_pool Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON COMPUTE_POOL compute_pool_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the compute\_pool. #### CREATE Allow role to create compute\_pools. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### compute\_pool\_name The name of the compute\_pool to grant privileges on. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ## Database Privileges ```sql GRANT [ USAGE | CREATE | ALL PRIVILEGES , ... ] ON DATABASE database_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [database](https://docs.deltastream.io/overview/core-concepts/databases) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the database. The role also requires additional privileges on schema as well as relations to use them. #### CREATE Allow role to create schemas under the database. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### database\_name The name of the database to granted privileges on. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to grant the privileges to. #### WITH GRANT OPTION Grants privileges that allow the role to grant the same privileges to other roles. ### Example ```sh /# GRANT USAGE ON DATABASE user_db TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "user_db" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | false | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE,CREATE ON DATABASE user_db TO rol1 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "user_db" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ## Database Schema Privileges ```sql GRANT [ USAGE | CREATE | ALL PRIVILEGES ] ON SCHEMA schema_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants schema privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the schemas. The role also has additional privileges on relations to use them. #### CREATE Allow role to create relations under the schema. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### schema\_name The qualified name of the schema to grant privileges on. This name can include a specific database name to form a fully-qualified name in the format of `.;` otherwise, the system uses the current database name in the session. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh /# GRANT USAGE,CREATE ON SCHEMA accounting_db.public TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage, create" on | | | | "public" granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | usage | false | securityadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | create | false | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE,CREATE ON SCHEMA accounting_db.public TO rol1 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage, create" on | | | | "public" granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ## Store Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON STORE store_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants store privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the store. #### store\_name The name of the store on which to grant privileges. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh /# GRANT USAGE ON STORE kafka_pub TO rol2; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "kafka_pub" | | | | granted to "rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol2; +--------------+-----------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+===========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+-----------+-----------------+--------------------+---------------+ | store | kafka_pub | usage | false | securityadmin | +--------------+-----------+-----------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE ON STORE kafka_pub TO rol2 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "kafka_pub" | | | | granted to "rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol2; +--------------+-----------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+===========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+-----------+-----------------+--------------------+---------------+ | store | kafka_pub | usage | true | securityadmin | +--------------+-----------+-----------------+--------------------+---------------+ ``` ## Descriptor Source Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON DESCRIPTOR_SOURCE descriptor_source_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [descriptor source](https://docs.deltastream.io/reference/data-format-serialization#protocol-buffers-and-descriptors) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the descriptor source. #### descriptor\_source\_name The name of the descriptor source on which to grant privileges. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# GRANT USAGE ON DESCRIPTOR_SOURCE demosource TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "demosource" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+--------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+==============+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-------------------------+------------+--------------------+---------------+ | descriptor_source | demosource | usage | false | securityadmin | +-------------------+--------------+------------+--------------------+---------------+ ``` ## Relation Privileges ```sql GRANT [ SELECT | INSERT | ALL PRIVILEGES ] ON RELATION relation_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [relation](https://docs.deltastream.io/overview/core-concepts/databases#_relation) privileges to one or more roles. ### Arguments #### SELECT Allow role to create a [query](https://docs.deltastream.io/overview/core-concepts/queries) and use the relation as a source. #### INSERT Allow role to create a [query](https://docs.deltastream.io/overview/core-concepts/queries) and use the relation as a sink. #### relation\_name The name of the relation to grant privileges on. Optionally, provide [database](https://docs.deltastream.io/overview/core-concepts/databases) and [schema](https://docs.deltastream.io/overview/core-concepts/databases#_schema) name for a fully-qualified relation name in the format of `[..]` — for example, `db1.public.pageviews`. Otherwise, the system uses the current database and schema to identify the relation. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# GRANT SELECT ON RELATION demodb."public".pv TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "select" on "pv" granted | | | | to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+-------------------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+=========================+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-------------------------+------------+--------------------+---------------+ | relation | pv | select | false | securityadmin | +-------------------+-------------------------+------------+--------------------+---------------+ ``` ```sh demodb.public/demostore# GRANT INSERT ON RELATION demodb."public".pageviews TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "insert" on "pv" granted | | | | to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+-------------------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+=========================+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-------------------------+------------+--------------------+---------------+ | relation | pv | insert | false | securityadmin | +-------------------+-------------------------+------------+--------------------+---------------+ ``` ## Function Source Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON FUNCTION_SOURCE function_source_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [function source](https://docs.deltastream.io/overview/core-concepts/function) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the runction source. #### function\_source\_name The name of the function source on which to grant privileges. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# GRANT USAGE ON FUNCTION_SOURCE demofnsrc TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "demofnsrc" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+-----------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+===========+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-----------+------------+--------------------+---------------+ | function_source | demofnsrc | usage | false | sysadmin | +-------------------+-----------+------------+--------------------+---------------+ ``` ## Function Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON FUNCTION function_identifier TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [function](https://docs.deltastream.io/overview/core-concepts/function) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the function. #### function\_identifier The name of the function on which to grant privileges. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which togrant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# LIST FUNCTIONS; +----------------------------+-------+--------------+------------------+--------------------+----------+-------------+-------------------------------+-------------------------------+ | Signature | Type | Source Name | Class Name | Egress Allow URIs | Owner | Properties | Created At | Updated At | +============================+=======+==============+==================+====================+==========+=============+===============================+===============================+ | upper(a VARCHAR) VARCHAR | udf | my_src | demo.DSUpperCase | | sysadmin | {} | 2024-06-06 03:35:52 +0000 UTC | 2024-06-06 03:35:52 +0000 UTC | +----------------------------+-------+--------------+------------------+--------------------+----------+-------------+-------------------------------+-------------------------------+ demodb.public/demostore# GRANT USAGE ON FUNCTION upper(a varchar) varchar TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "upper" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+============+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+------------+------------+--------------------+---------------+ | function_source | demofnsrc | usage | false | sysadmin | +-------------------+------------+------------+--------------------+---------------+ | function | my_func | usage | false | sysadmin | +-------------------+------------+------------+--------------------+---------------+ ``` ## Region Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON REGION region_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [region](https://docs.deltastream.io/overview/core-concepts/region) usage privileges to one or more roles. By default, the `public` role is granted access to all regions. A role with the `MANAGE_GRANTS` privilege can grant the region `USAGE` privilege to other roles, or revoke it. ### Arguments #### USAGE Allow role to list and use the region to create [stores](https://docs.deltastream.io/overview/core-concepts/store) and launch [queries](https://docs.deltastream.io/overview/core-concepts/queries). #### region\_name The name of the region on which to grant privileges. #### role\_name \[, ...] One or more [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh /# DESCRIBE ROLE "public"; +--------------+----------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+================+============+====================+===============+ | role | public | usage | false | orgadmin | +--------------+----------------+------------+--------------------+---------------+ | region | AWS us-east-1 | usage | false | securityadmin | +--------------+----------------+------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE ON REGION "AWS us-east-1" TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "AWS us-east-1" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +-------------------+----------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+================+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+----------------+------------+--------------------+---------------+ | region | AWS us-east-1 | usage | false | securityadmin | +-------------------+----------------+------------+--------------------+---------------+ ```