# GRANT PRIVILEGES ## Organization Privileges ### Syntax ```sql GRANT [ CREATE_COMPUTE_POOL | CREATE_DATABASE | CREATE_STORE | CREATE_SCHEMA_REGISTRY | CREATE_DESCRIPTOR_SOURCE | CREATE_FUNCTION_SOURCE | CREATE_FUNCTION | CREATE_QUERY | MANAGE_MEMBERS | MANAGE_GRANTS | ALL PRIVILEGES , ... ] ON ORGANIZATION TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [Organization](/overview/core-concepts/access-control.md#_organiation) [privileges](/overview/core-concepts/access-control.md#_privilege) to one or more roles. The current role requires one of the following privileges: * Ownership of Organization * `MANAGE_GRANTS` privilege on Organization * Privilege granted to the current role `WITH GRANT OPTION`. ### Arguments #### CREATE\_COMPUTE\_POOL Allow role to create [compute\_pools](/overview/core-concepts/compute-pools.md) under the organization. #### CREATE\_DATABASE Allow role to create [databases](/overview/core-concepts/databases.md) under the organization. #### CREATE\_STORE Allow role to define [stores](/overview/core-concepts/store.md) under the organization. #### CREATE\_SCHEMA\_REGISTRY Allow role to define [schema registries](/reference/sql-syntax/data-format-serialization.md#_schema_registry) under the organization. #### CREATE\_DESCRIPTOR\_SOURCE Allow role to upload [descriptor sources](/reference/sql-syntax/data-format-serialization.md#protocol-buffers-and-descriptors) to the organization. #### CREATE\_FUNCTION\_SOURCE Allow role to upload [UDF and UDAF sources](/overview/core-concepts/function.md) to the organization. #### CREATE\_FUNCTION Allow role to define a new [UDF or UDAF](/overview/core-concepts/function.md) under the organization. The role will also require `USAGE` privileges to the function source. #### CREATE\_QUERY Allow role to launch a new [query](/overview/core-concepts/queries.md) under the organization. The role also has additional privileges on database, schema, relations, and stores to launch the query. #### MANAGE\_MEMBERS Allow role to manage [roles](/overview/core-concepts/access-control.md#_role), invitations, and users. #### MANAGE\_GRANTS Allow role to manage all privilege grants within the organization. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to grant the privileges to. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```bash /# GRANT CREATE_DATABASE, CREATE_STORE ON ORGANIZATION TO rol1, rol2; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "create_database, | | | | create_store" on "MR main" granted to | | | | "rol1, rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +--------------+---------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+=========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_database | false | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_store | false | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ ``` ```bash /# GRANT CREATE_DATABASE, CREATE_STORE ON ORGANIZATION TO rol1, rol2 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "create_database, | | | | create_store" on "MR main" granted to | | | | "rol1, rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +--------------+---------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+=========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_database | true | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ | organization | MR main | create_store | true | securityadmin | +--------------+---------+-----------------+--------------------+---------------+ ``` ## Compute\_pool Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON COMPUTE_POOL compute_pool_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the compute\_pool. #### CREATE Allow role to create compute\_pools. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### compute\_pool\_name The name of the compute\_pool to grant privileges on. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ## Database Privileges ```sql GRANT [ USAGE | CREATE | ALL PRIVILEGES , ... ] ON DATABASE database_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [database](/overview/core-concepts/databases.md) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the database. The role also requires additional privileges on schema as well as relations to use them. #### CREATE Allow role to create schemas under the database. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### database\_name The name of the database to granted privileges on. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to grant the privileges to. #### WITH GRANT OPTION Grants privileges that allow the role to grant the same privileges to other roles. ### Example ```sh /# GRANT USAGE ON DATABASE user_db TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "user_db" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | false | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE,CREATE ON DATABASE user_db TO rol1 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "user_db" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ## Database Schema Privileges ```sql GRANT [ USAGE | CREATE | ALL PRIVILEGES ] ON SCHEMA schema_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants schema privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the schemas. The role also has additional privileges on relations to use them. #### CREATE Allow role to create relations under the schema. #### ALL PRIVILEGES Grants all the privileges listed above to the role. #### schema\_name The qualified name of the schema to grant privileges on. This name can include a specific database name to form a fully-qualified name in the format of `.;` otherwise, the system uses the current database name in the session. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh /# GRANT USAGE,CREATE ON SCHEMA accounting_db.public TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage, create" on | | | | "public" granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | usage | false | securityadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | create | false | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE,CREATE ON SCHEMA accounting_db.public TO rol1 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage, create" on | | | | "public" granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +----------+---------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==========+=========+============+====================+===============+ | role | public | usage | false | orgadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | usage | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | database | user_db | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ | schema | public | create | true | securityadmin | +----------+---------+------------+--------------------+---------------+ ``` ## Store Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON STORE store_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants store privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the store. #### store\_name The name of the store on which to grant privileges. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh /# GRANT USAGE ON STORE kafka_pub TO rol2; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "kafka_pub" | | | | granted to "rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol2; +--------------+-----------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+===========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+-----------+-----------------+--------------------+---------------+ | store | kafka_pub | usage | false | securityadmin | +--------------+-----------+-----------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE ON STORE kafka_pub TO rol2 WITH GRANT OPTION; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "kafka_pub" | | | | granted to "rol2" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol2; +--------------+-----------+-----------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+===========+=================+====================+===============+ | role | public | usage | false | orgadmin | +--------------+-----------+-----------------+--------------------+---------------+ | store | kafka_pub | usage | true | securityadmin | +--------------+-----------+-----------------+--------------------+---------------+ ``` ## Descriptor Source Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON DESCRIPTOR_SOURCE descriptor_source_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [descriptor source](/reference/sql-syntax/data-format-serialization.md#protocol-buffers-and-descriptors) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the descriptor source. #### descriptor\_source\_name The name of the descriptor source on which to grant privileges. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# GRANT USAGE ON DESCRIPTOR_SOURCE demosource TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "demosource" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+--------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+==============+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-------------------------+------------+--------------------+---------------+ | descriptor_source | demosource | usage | false | securityadmin | +-------------------+--------------+------------+--------------------+---------------+ ``` ## Relation Privileges ```sql GRANT [ SELECT | INSERT | ALL PRIVILEGES ] ON RELATION relation_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [relation](/overview/core-concepts/databases.md#_relation) privileges to one or more roles. ### Arguments #### SELECT Allow role to create a [query](/overview/core-concepts/queries.md) and use the relation as a source. #### INSERT Allow role to create a [query](/overview/core-concepts/queries.md) and use the relation as a sink. #### relation\_name The name of the relation to grant privileges on. Optionally, provide [database](/overview/core-concepts/databases.md) and [schema](/overview/core-concepts/databases.md#_schema) name for a fully-qualified relation name in the format of `[..]` — for example, `db1.public.pageviews`. Otherwise, the system uses the current database and schema to identify the relation. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# GRANT SELECT ON RELATION demodb."public".pv TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "select" on "pv" granted | | | | to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+-------------------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+=========================+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-------------------------+------------+--------------------+---------------+ | relation | pv | select | false | securityadmin | +-------------------+-------------------------+------------+--------------------+---------------+ ``` ```sh demodb.public/demostore# GRANT INSERT ON RELATION demodb."public".pageviews TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "insert" on "pv" granted | | | | to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+-------------------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+=========================+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-------------------------+------------+--------------------+---------------+ | relation | pv | insert | false | securityadmin | +-------------------+-------------------------+------------+--------------------+---------------+ ``` ## Function Source Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON FUNCTION_SOURCE function_source_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [function source](/overview/core-concepts/function.md) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the runction source. #### function\_source\_name The name of the function source on which to grant privileges. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# GRANT USAGE ON FUNCTION_SOURCE demofnsrc TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "demofnsrc" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+-----------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+===========+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+-----------+------------+--------------------+---------------+ | function_source | demofnsrc | usage | false | sysadmin | +-------------------+-----------+------------+--------------------+---------------+ ``` ## Function Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON FUNCTION function_identifier TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [function](/overview/core-concepts/function.md) privileges to one or more roles. ### Arguments #### USAGE Allow role to list and use the function. #### function\_identifier The name of the function on which to grant privileges. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which togrant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh demodb.public/demostore# LIST FUNCTIONS; +----------------------------+-------+--------------+------------------+--------------------+----------+-------------+-------------------------------+-------------------------------+ | Signature | Type | Source Name | Class Name | Egress Allow URIs | Owner | Properties | Created At | Updated At | +============================+=======+==============+==================+====================+==========+=============+===============================+===============================+ | upper(a VARCHAR) VARCHAR | udf | my_src | demo.DSUpperCase | | sysadmin | {} | 2024-06-06 03:35:52 +0000 UTC | 2024-06-06 03:35:52 +0000 UTC | +----------------------------+-------+--------------+------------------+--------------------+----------+-------------+-------------------------------+-------------------------------+ demodb.public/demostore# GRANT USAGE ON FUNCTION upper(a varchar) varchar TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "upper" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ demodb.public/demostore# DESCRIBE ROLE rol1; +-------------------+------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+============+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+------------+------------+--------------------+---------------+ | function_source | demofnsrc | usage | false | sysadmin | +-------------------+------------+------------+--------------------+---------------+ | function | my_func | usage | false | sysadmin | +-------------------+------------+------------+--------------------+---------------+ ``` ## Region Privileges ```sql GRANT [ USAGE | ALL PRIVILEGES ] ON REGION region_name TO ROLE role_name [, ...] [WITH GRANT OPTION]; ``` ### Description Grants [region](/overview/core-concepts/region.md) usage privileges to one or more roles. By default, the `public` role is granted access to all regions. A role with the `MANAGE_GRANTS` privilege can grant the region `USAGE` privilege to other roles, or revoke it. ### Arguments #### USAGE Allow role to list and use the region to create [stores](/overview/core-concepts/store.md) and launch [queries](/overview/core-concepts/queries.md). #### region\_name The name of the region on which to grant privileges. #### role\_name \[, ...] One or more [roles](/overview/core-concepts/access-control.md#_role) to which to grant the privileges. #### WITH GRANT OPTION Grants privileges that allow the role to grant those same privileges to other roles. ### Example ```sh /# DESCRIBE ROLE "public"; +--------------+----------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +==============+================+============+====================+===============+ | role | public | usage | false | orgadmin | +--------------+----------------+------------+--------------------+---------------+ | region | AWS us-east-1 | usage | false | securityadmin | +--------------+----------------+------------+--------------------+---------------+ ``` ```sh /# GRANT USAGE ON REGION "AWS us-east-1" TO rol1; +-----------------+----------+------------------------------------------+ | Type | Command | Summary | +=================+==========+==========================================+ | privilege grant | ALTER | Privilege(s) "usage" on "AWS us-east-1" | | | | granted to "rol1" | +-----------------+----------+------------------------------------------+ /# DESCRIBE ROLE rol1; +-------------------+----------------+------------+--------------------+---------------+ | Type | Name | Privilege | With Grant Option | Granted By | +===================+================+============+====================+===============+ | role | public | usage | false | orgadmin | +-------------------+----------------+------------+--------------------+---------------+ | region | AWS us-east-1 | usage | false | securityadmin | +-------------------+----------------+------------+--------------------+---------------+ ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.deltastream.io/reference/sql-syntax/command/grant-privileges.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.