A privilege granted to a role conveys the right to perform specific operations.
Learn more about the basics of adding and removing privileges on the Galaxy privileges basics page.
This page discusses the management of account-level and cluster-level privileges.
See Data privileges for a discussion of the different Starburst Galaxy privileges that can be applied to catalogs, schemas, tables, views, and columns, as well as privileges that manage access to object storage locations and the rights to execute functions and SQL routines.
Use the following privileges to control allowed actions on the Account entity. Adding privileges to the Account entity determines the access rights of your Starburst Galaxy account:
MANAGE_SECURITY
to role data_admin
,
execute:
GRANT MANAGE_SECURITY ON MY ACCOUNT TO ROLE data_admin
UI privilege | SQL privilege | Grants ability to |
---|---|---|
Apply tag | APPLY_TAG |
Apply an existing attribute tag to a data entity. |
Cancel submitted queries | CANCEL_QUERY |
Cancel queries submitted by any user. Each user can cancel their own queries, but this privilege is required to be able to cancel any query. |
Create catalog | CREATE_CATALOG |
Create a new catalog. Does not convey the right to use, modify or delete any catalog. |
Create cluster | CREATE_CLUSTER |
Create a new cluster. Does not convey the right to modify, stop or start any cluster. |
Create SQL functions | CREATE_FUNCTION |
Create new
SQL routines in catalog galaxy , schema
functions .
|
Create role | CREATE_ROLE |
Create a new role. Does not convey the right to grant, modify or delete any role. |
Create tag | CREATE_TAG |
Create and manage attribute tags. |
Create user | CREATE_USER |
Create user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user. |
Generative AI features | GENERATIVE_AI_FEATURES |
Enables the Explain Query context menu in the query editor and the Generate SQL for this data option in the cluster explorer's options menu. This privilege is never enabled by default. A grant of this privilege constitutes a deliberate opt-in to use OpenAI's GPT-4 technology in the query editor. |
Manage account work | MANAGE_ACCOUNT_WORK |
A role with this privilege:
|
Manage billing | MANAGE_BILLING |
View usage and billing and update account profile. |
Manage ingest streams | MANAGE_INGEST_STREAMS |
Enables the Data > Ingest streams subsystem to allow support for ingesting Kafka stream data. |
Manage notifications | MANAGE_NOTIFICATIONS |
View and manage settings for in app and email notifications. |
Manage OAuth client | MANAGE_OAUTH_CLIENT |
View, create, and delete OAuth clients. |
Manage security | MANAGE_SECURITY |
This is the most powerful privilege for security management. A role
with this privilege can:
|
Manage service account | MANAGE_SERVICE_ACCOUNT |
Create and manage a service account that allows a non-human user to authenticate and access cluster data. |
Manage Single Sign On | MANAGE_SSO |
Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on. |
Allow username/password login | SSO_USER_PASSWORD_LOGIN |
This privilege is only visible on Galaxy accounts with SSO enabled. Allows members of a role to log in with username and password authentication, bypassing SSO authentication. Conversely, revoking this privilege forces SSO only logins for a role. |
View all data lineage | VIEW_ALL_DATA_LINEAGE |
View the lineage of any data entity in this Galaxy account. |
View all query history | VIEW_ALL_QUERY_HISTORY |
View the query history and query details of queries initiated by all users. |
View audit log | VIEW_AUDIT_LOG |
View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider. |
View public OAuth client | VIEW_PUBLIC_OAUTH_CLIENT |
View public OAuth clients. |
You can use the following privileges to control allowed actions on the cluster entities:
UI privilege | SQL privilege | Grants ability to |
---|---|---|
Enable/disable cluster | ENABLE_DISABLE_CLUSTER |
Enable or disable the cluster. |
Use cluster | USE_CLUSTER |
View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster. |
Monitor cluster | MONITOR_CLUSTER |
Expose metrics data for an individual entity that is then readable by any OpenMetrics compliant client such as Prometheus or Datadog. |
Is the information on this page helpful?
Yes
No