Account and cluster privileges #
A privilege granted to a role conveys the right to perform specific operations.
Learn more about the basics of adding and removing privileges on the Galaxy privileges basics page.
This page discusses the management of account-level and cluster-level privileges.
See Data privileges for a discussion of the different Starburst Galaxy privileges that can be applied to catalogs, schemas, tables, views, and columns, as well as privileges that manage access to object storage locations and the rights to execute functions and SQL routines.
Account privileges #
Use the following privileges to control allowed actions on the Account entity. Adding privileges to the Account entity determines the access rights of your Starburst Galaxy account:
| Privilege | Grants ability to |
|---|---|
| Create catalog | Create a new catalog. Does not convey the right to use, modify or delete any catalog. |
| Create cluster | Create a new cluster. Does not convey the right to modify, stop or start any cluster. |
| Create role | Create a new role. Does not convey the right to grant, modify or delete any role. |
| Create user | Create user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user. |
| Allow username/password login | This privilege is only visible on Galaxy accounts with SSO
enabled. Allows members of a role to log in with username and password
authentication, bypassing SSO authentication. Conversely, revoking this
privilege forces SSO only logins for a role. By default, this privilege is
assigned to the accountadmin and public
roles. |
| Manage account work | Create, update, or delete scheduled tasks for a service account. The role with this privilege must also have adequate permissions to perform the task at the scheduled time. |
| Manage billing | View usage and billing and update account profile. |
| Manage notifications | View and manage settings for in app and email notifications. |
| Manage security | This is the most powerful privilege for security management. A role
with this privilege can:
|
| Manage OAuth client | View, create, and delete OAuth clients. |
| Manage service account | Create and manage a service account that allows a non-human user to authenticate and access cluster data. |
| Manage single sign on | Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on. |
| View all query history | View the query history and query details of queries initiated by all users. |
| View audit log | View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider. |
| View public OAuth client | View public OAuth clients. All roles have this privilege by default. |
Cluster privileges #
You can use the following privileges to control allowed actions on the cluster entities:
| Privilege | Grants ability to |
|---|---|
| Start/stop cluster | Start or stop the cluster. |
| Use cluster | View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster. |
Is the information on this page helpful?
Yes
No