Starburst Galaxy

  •  Get started

  •  Working with data

  •  Data engineering

  •  Developer tools

  •  Cluster administration

  •  Security and compliance

  •  Troubleshooting

  • Galaxy status

  •  Reference

  • Account and cluster privileges #

    A privilege granted to a role conveys the right to perform specific operations.

    Learn more about the basics of adding and removing privileges on the Galaxy privileges basics page.

    This page discusses the management of account-level and cluster-level privileges.

    See Data privileges for a discussion of the different Starburst Galaxy privileges that can be applied to catalogs, schemas, tables, views, and columns, as well as privileges that manage access to object storage locations and the rights to execute functions and SQL routines.

    Account privileges #

    Use the following privileges to control allowed actions on the Account entity. Adding privileges to the Account entity determines the access rights of your Starburst Galaxy account:

    Privilege Grants ability to
    Create catalog Create a new catalog. Does not convey the right to use, modify or delete any catalog.
    Create cluster Create a new cluster. Does not convey the right to modify, stop or start any cluster.
    Create role Create a new role. Does not convey the right to grant, modify or delete any role.
    Create user Create user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user.
    Allow username/password login This privilege is only visible on Galaxy accounts with SSO enabled. Allows members of a role to log in with username and password authentication, bypassing SSO authentication. Conversely, revoking this privilege forces SSO only logins for a role. By default, this privilege is assigned to the accountadmin and public roles.
    Manage account work Create, update, or delete scheduled tasks for a service account. The role with this privilege must also have adequate permissions to perform the task at the scheduled time.
    Manage billing View usage and billing and update account profile.
    Manage notifications View and manage settings for in app and email notifications.
    Manage security This is the most powerful privilege for security management. A role with this privilege can:
    • Grant or revoke any privilege on any entity to any role.
    • Grant any role to any user, including themselves, or revoke any role grant.
    • Create, update, or delete any user or any role.
    By itself, manage security does not grant full administrative access to all privileges, all entities and therefore also to all connected data sources. However a user with this privilege can grant themselves full access to everything. Only grant this privilege to a minimal list of trusted roles. Note that the accountadmin role is granted this privilege.
    Manage OAuth client View, create, and delete OAuth clients.
    Manage service account Create and manage a service account that allows a non-human user to authenticate and access cluster data.
    Manage single sign on Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on.
    View all query history View the query history and query details of queries initiated by all users.
    View audit log View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider.
    View public OAuth client View public OAuth clients. All roles have this privilege by default.

    Cluster privileges #

    You can use the following privileges to control allowed actions on the cluster entities:

    Privilege Grants ability to
    Start/stop cluster Start or stop the cluster.
    Use cluster View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster.