Starburst Galaxy


Privilege tables

A privilege granted to a role conveys the right to perform specific operations.

This page gathers in one place the tables that list the privileges assignable to each Starburst Galaxy entity, including account, cluster, catalog, schema, table or view, location, and function privileges.

Account level privileges

Learn more about account level privileges on the Account and cluster privileges page.

| Privilege | Grants ability to |
| --- | --- |
| Apply tag | Apply an existing attribute tag to a data entity. |
| Cancel submitted queries | Cancel queries submitted by any user. Each user can cancel their own queries, but this privilege is required to cancel any query. |
| Create catalog | Create a new catalog. Does not convey the right to use, modify or delete any catalog. |
| Create cluster | Create a new cluster. Does not convey the right to modify, stop or start any cluster. |
| Create SQL routines | Create new SQL routines to reside in a catalog. |
| Create role | Create a new role. Does not convey the right to grant, modify or delete any role. |
| Create tag | Create and manage attribute tags. |
| Create user | Create a user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user. |
| Generative AI features | Enables the Explain Query context menu in the query editor and the Generate SQL for this data option in the cluster explorer's options menu. This privilege is never enabled by default. A grant of this privilege constitutes a deliberate opt-in to use OpenAI's GPT-4 technology in the query editor. |
| Allow username/password login | This privilege is only visible on Galaxy accounts with SSO enabled. Allows members of a role to log in with username and password authentication, bypassing SSO authentication. Conversely, revoking this privilege forces SSO-only logins for a role. |
| Manage account work | A role with this privilege can (1) create, update, or delete scheduled jobs for a service account, provided the role also has adequate permissions to perform the task at the scheduled time; and (2) see the Status column in the list of catalogs and at all levels of the catalog explorer, and respond to indexing error conditions. |
| Manage billing | View usage and billing and update the account profile. |
| Manage ingest streams | Enables the Data > Ingest streams subsystem, which supports ingesting Kafka stream data. |
| Manage notifications | View and manage settings for in-app and email notifications. |
| Manage OAuth client | View, create, and delete OAuth clients. |
| Manage security | This is the most powerful privilege for security management. A role with this privilege can grant or revoke any privilege on any entity to any role; grant any role to any user, including themselves, or revoke any role grant; and create, update, or delete any user or any role. By itself, Manage security does not grant full administrative access to all privileges and all entities, and therefore to all connected data sources. However, a user with this privilege can grant themselves full access to everything. Only grant this privilege to a minimal list of trusted roles. The accountadmin role is granted this privilege by default. |
| Manage service account | Create and manage a service account that allows a non-human user to authenticate and access cluster data. |
| Manage Single Sign On | Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on. |
| View all data lineage | View the lineage of any data entity in this Galaxy account. |
| View all query history | View the query history and query details of queries initiated by all users. |
| View audit log | View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider. |
| View public OAuth client | View public OAuth clients. |

Cluster level privileges

Learn more about cluster-level privileges on the Account and cluster privileges page.

| Privilege | Grants ability to |
| --- | --- |
| Start/stop cluster | Start or stop the cluster. |
| Use cluster | View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster. |
| Monitor cluster | Expose metrics data for an individual entity that is then readable by any OpenMetrics-compliant client such as Prometheus or Datadog. |

Catalog level privileges

Learn more about catalog level privileges on the Data privileges page.

| Privilege | Grants ability to |
| --- | --- |
| Create schema | Allows creation of new schemas inside the catalog. To rename a schema, a role must own the schema in addition to having the Create schema privilege on the catalog. |

Schema level privileges

Learn more about schema level privileges on the Data privileges page.

| Privilege | Grants ability to |
| --- | --- |
| Create table | Allows creation of new tables inside a schema within a catalog. To rename a table, a role must own the table in addition to having the Create table privilege on the schema. |

Table and view level privileges

Learn more about table or view level privileges on the Data privileges page.

| SQL privilege | UI privilege | Grants ability to |
| --- | --- | --- |
| SELECT | Select from table | Allows selection of columns from the table. |
| INSERT | Insert into table | Allows insertion of new rows in the table. |
| UPDATE | Update table rows | Allows update of rows in the table. |
| DELETE | Delete from table | Allows deletion of rows in the table. |

Location privileges

Learn more about location privileges on the Data privileges page.

| Privilege | Grants ability to |
| --- | --- |
| Create SQL | Restricts creation or alteration of schemas or tables to only within the specified location. |

Function privileges

Learn more about function privileges on the Data privileges page.

| Privilege | Grants ability to |
| --- | --- |
| Execute table function | Allows this role to run the named table function for the selected catalog. For SQL routines, allows the named routine to be run in any catalog in this account. Specify the privilege for each function or routine separately. |

Data product privileges

Learn more about the data product privilege on the Data privileges page.

| Privilege | Grants ability to |
| --- | --- |
| View data product | If a role does not have the Select from table privilege for a schema, any data product based on that schema is not visible to that role. The View data product privilege lets the role see, but not query, a data product: it grants the role access to the metadata of a specific data product in this account when the role otherwise lacks the privilege to interact with the data product's schema. Specify the privilege individually per named data product. |