Privilege tables #
A privilege granted to a role conveys the right to perform specific operations.
This page gathers in one place the tables that list the privileges assignable to each Starburst Galaxy entity, including account, cluster, catalog, schema, table or view, location, and function privileges.
Account level privileges #
Learn more about account level privileges on the Account and cluster privileges page.
Note:
You can only manage account level privileges with
the user interface. Using SQL statements is not supported.
| Privilege | Grants ability to |
|---|---|
| Create catalog | Create a new catalog. Does not convey the right to use, modify or delete any catalog. |
| Create cluster | Create a new cluster. Does not convey the right to modify, stop or start any cluster. |
| Create role | Create a new role. Does not convey the right to grant, modify or delete any role. |
| Create user | Create user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user. |
| Allow username/password login | This privilege is only visible on Galaxy accounts with SSO
enabled. Allows members of a role to log in with username and password
authentication, bypassing SSO authentication. Conversely, revoking this
privilege forces SSO only logins for a role. By default, this privilege is
assigned to the accountadmin and public
roles. |
| Manage account work | Create, update, or delete scheduled tasks for a service account. The role with this privilege must also have adequate permissions to perform the task at the scheduled time. |
| Manage billing | View usage and billing and update account profile. |
| Manage notifications | View and manage settings for in app and email notifications. |
| Manage security | This is the most powerful privilege for security management. A role
with this privilege can:
|
| Manage OAuth client | View, create, and delete OAuth clients. |
| Manage service account | Create and manage a service account that allows a non-human user to authenticate and access cluster data. |
| Manage single sign on | Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on. |
| View all query history | View the query history and query details of queries initiated by all users. |
| View audit log | View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider. |
| View public OAuth client | View public OAuth clients. All roles have this privilege by default. |
Cluster level privileges #
Learn more about cluster-level privileges on the Account and cluster privileges page.
Note:
You can only manage cluster level privileges with
the user interface. Using SQL statements is not supported.
| Privilege | Grants ability to |
|---|---|
| Start/stop cluster | Start or stop the cluster. |
| Use cluster | View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster. |
Catalog level privileges #
Learn more about catalog level privileges on the Data privileges page.
Note:
You can only manage catalog level privileges with
the user interface. Using SQL statements is not supported.
| Privilege | Grants ability to |
|---|---|
| Create schema | Allows creation of new schemas inside the catalog. To rename a schema, a role must own the schema in addition to having the Create schema privilege on the catalog. |
Schema level privileges #
Learn more about schema level privileges on the Data privileges page.
| Privilege | Grants ability to |
|---|---|
| Create table | Allows creation of new tables inside a schema within a catalog. To rename a table, a role must own the table in addition to having the Create table privilege on the schema. |
Table and view level privileges #
Learn more about table or view level privileges on the Data privileges
| SQL privilege | UI privilege | Grants ability to |
|---|---|---|
| SELECT | Select from table | Allows selection of columns from the table. |
| INSERT | Insert into table | Allows insertion of new rows in the table. |
| UPDATE | Update table rows | Allows update of rows in the table. |
| DELETE | Delete from table | Allows deletion of rows in the table. |
Location privileges #
Learn more about location privileges on the Data privileges page.
| Privilege | Grants ability to |
|---|---|
| Create SQL | Restricts creation or alteration of schemas or tables to only within the specified location. |
Function privileges #
Learn more about function privileges on the Data privileges page.
| Privilege | Grants ability to |
|---|---|
| Execute table function | Allows this role to run the named table function for the selected catalog. For SQL routines, allows the named routine to be run in any catalog in this account. Specify the privilege for each function or routine separately. |
Data product privileges #
Learn more about the data product privilege on the Data privileges page.
| Privilege | Grants ability to |
|---|---|
| View data product | If a role does not have the Select from table privilege for a schema, any data product based on that schema is not visible to that role. This View data product privilege lets the role see but not query a data product. Specify the privilege individually per named data product. This privilege grants a role access to the metadata for a specific data product in this account, if the role otherwise lacks the privilege to interact with the data product's schema. |
Is the information on this page helpful?
Yes
No