Starburst Galaxy

Account and cluster privileges

    A privilege granted to a role conveys the right to perform specific operations.

    Learn more about the basics of adding and removing privileges on the Galaxy privileges basics page.

    This page discusses the management of account-level and cluster-level privileges.

    See Data privileges for a discussion of the different Starburst Galaxy privileges that can be applied to catalogs, schemas, tables, views, and columns, as well as privileges that manage access to object storage locations and the rights to execute functions and SQL routines.

    Account privileges

    Use the following privileges to control allowed actions on the Account entity. Privileges added to the Account entity determine the access rights a role has across your Starburst Galaxy account. Each entry below gives the privilege name as shown in the UI, the SQL privilege name in parentheses, and what the privilege grants.

    Apply tag (APPLY_TAG): Apply an existing attribute tag to a data entity.

    Cancel submitted queries (CANCEL_QUERY): Cancel queries submitted by any user. Every user can cancel their own queries; this privilege is required to cancel other users' queries.

    Create catalog (CREATE_CATALOG): Create a new catalog. Does not convey the right to use, modify, or delete any catalog.

    Create cluster (CREATE_CLUSTER): Create a new cluster. Does not convey the right to modify, stop, or start any cluster.

    Create SQL functions (CREATE_FUNCTION): Create new SQL routines in the galaxy catalog, functions schema.

    Create role (CREATE_ROLE): Create a new role. Does not convey the right to grant, modify, or delete any role.

    Create tag (CREATE_TAG): Create and manage attribute tags.

    Create user (CREATE_USER): Create a user. Does not convey the right to modify or delete any user, nor to grant roles to or revoke roles from the user.

    Generative AI features (GENERATIVE_AI_FEATURES): Enables the Explain Query context menu in the query editor and the Generate SQL for this data option in the cluster explorer's options menu. This privilege is never enabled by default. Granting it constitutes a deliberate opt-in to use OpenAI's GPT-4 technology in the query editor.

    Manage account work (MANAGE_ACCOUNT_WORK): A role with this privilege:
    • Can create, update, or delete scheduled jobs for a service account. The role must also hold adequate privileges to perform the task at the scheduled time.
    • Can see the Status column in the list of catalogs and at all levels of the catalog explorer, and can respond to indexing error conditions.

    Manage billing (MANAGE_BILLING): View usage and billing, and update the account profile.

    Manage ingest streams (MANAGE_INGEST_STREAMS): Enables the Data > Ingest streams subsystem for ingesting Kafka stream data.

    Manage notifications (MANAGE_NOTIFICATIONS): View and manage settings for in-app and email notifications.

    Manage OAuth client (MANAGE_OAUTH_CLIENT): View, create, and delete OAuth clients.

    Manage security (MANAGE_SECURITY): The most powerful privilege for security management. A role with this privilege can:
    • Grant or revoke any privilege on any entity to or from any role.
    • Grant any role to any user, including themselves, or revoke any role grant.
    • Create, update, or delete any user or any role.
    By itself, MANAGE_SECURITY does not directly grant every privilege on every entity, and therefore does not by itself grant access to every connected data source. However, a user holding it can grant themselves any privilege on any entity, so in practice it is equivalent to full administrative access. Treat it accordingly: grant it only to a minimal list of trusted roles, and review those grants in the audit log. The accountadmin role holds this privilege by default.

    Manage service account (MANAGE_SERVICE_ACCOUNT): Create and manage service accounts, which allow a non-human user to authenticate and access cluster data.

    Manage Single Sign On (MANAGE_SSO): Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on.

    Allow username/password login (SSO_USER_PASSWORD_LOGIN): Visible only on Galaxy accounts with SSO enabled. Allows members of a role to log in with username and password authentication, bypassing SSO. Conversely, revoking this privilege forces SSO-only logins for the role. Because password login bypasses whatever controls the identity provider enforces, keep this privilege to the roles that genuinely need it.

    View all data lineage (VIEW_ALL_DATA_LINEAGE): View the lineage of any data entity in this Galaxy account.

    View all query history (VIEW_ALL_QUERY_HISTORY): View the query history and query details of queries initiated by all users.

    View audit log (VIEW_AUDIT_LOG): View the history of privilege grants and major transactions. If single sign-on is enabled, also view the grants and transactions with an identity provider.

    View public OAuth client (VIEW_PUBLIC_OAUTH_CLIENT): View public OAuth clients.

    Cluster privileges

    Use the following privileges to control allowed actions on individual cluster entities. Each entry gives the privilege name as shown in the UI, the SQL privilege name in parentheses, and what the privilege grants.

    Enable/disable cluster (ENABLE_DISABLE_CLUSTER): Enable or disable the cluster.

    Use cluster (USE_CLUSTER): View a cluster and run queries on it. Does not convey the right to modify, stop, or start the cluster, nor to access any data in the catalogs attached to the cluster; data access is governed separately by the data privileges on those catalogs.

    Monitor cluster (MONITOR_CLUSTER): Expose metrics data for an individual cluster, readable by any OpenMetrics-compliant client such as Prometheus or Datadog.
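    The following SQL is an added example, not part of the Galaxy documentation or its own sample code. It applies the account and cluster privileges listed in the two sections above to separate roles along least-privilege lines, and shows how the narrow scope of each privilege (create without use, use without data access, view without control) is meant to be combined. The role names data_engineer, analyst and security_admin and the cluster name analytics are hypothetical, and the statement forms GRANT <privilege> ON ACCOUNT TO ROLE ..., GRANT <privilege> ON CLUSTER <name> TO ROLE ... and REVOKE ... FROM ROLE ... are assumed; confirm the exact grammar against the Galaxy privileges basics page before running.

```sql
-- Added example, not from the Galaxy documentation. Role names (data_engineer,
-- analyst, security_admin) and the cluster name (analytics) are hypothetical.
-- The GRANT ... ON ACCOUNT / ON CLUSTER ... TO ROLE and REVOKE ... FROM ROLE
-- statement forms are assumed; verify them against the Galaxy privileges basics
-- page before use.

-- Account-level create privileges are deliberately narrow: CREATE_CATALOG does
-- not let the role use or alter a catalog, and CREATE_CLUSTER does not let it
-- start, stop or modify a cluster.
GRANT CREATE_CATALOG ON ACCOUNT TO ROLE data_engineer;
GRANT CREATE_CLUSTER ON ACCOUNT TO ROLE data_engineer;

-- USE_CLUSTER only allows viewing the cluster and submitting queries to it;
-- reading any table still requires data privileges on the attached catalogs,
-- which are granted separately.
GRANT USE_CLUSTER ON CLUSTER analytics TO ROLE analyst;

-- Visibility without control: query history and the audit log are read-only,
-- and MONITOR_CLUSTER only exposes metrics to an OpenMetrics client.
GRANT VIEW_ALL_QUERY_HISTORY ON ACCOUNT TO ROLE security_admin;
GRANT VIEW_AUDIT_LOG ON ACCOUNT TO ROLE security_admin;
GRANT MONITOR_CLUSTER ON CLUSTER analytics TO ROLE security_admin;

-- MANAGE_SECURITY lets its holder grant any privilege on any entity to any
-- role, including its own, so it is effectively full administrative access.
-- Keep it off working roles; the built-in accountadmin role already holds it.
REVOKE MANAGE_SECURITY ON ACCOUNT FROM ROLE data_engineer;

-- On an SSO-enabled account, removing SSO_USER_PASSWORD_LOGIN forces the
-- role's members to authenticate through the identity provider.
REVOKE SSO_USER_PASSWORD_LOGIN ON ACCOUNT FROM ROLE analyst;
```

    The split keeps the roles that create infrastructure (data_engineer), the roles that query it (analyst) and the roles that watch it (security_admin) from overlapping, and leaves MANAGE_SECURITY on the default accountadmin role alone. After applying grants like these, the audit log (VIEW_AUDIT_LOG) records the privilege changes so they can be reviewed.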