Access control
The access control system of Starburst Galaxy makes it easy to ensure that each user has the appropriate access rights to perform actions on entities in the system.
A role has a name and an optional description. A role can be granted privileges on entities like clusters, catalogs, and tables. This provides fine-grained control that protects your data, and allows you to define just the right mix of allowed actions and access for each function in your organization.
All actions are controlled by privileges or ownership.
Ownership of entities is controlled with roles. This is often called a Discretionary Access Control (DAC) system, and the following aspects apply:
- Every entity is owned by exactly one role, the owner role. Entities are not owned by users.
- Ownership grants full control over the entity, including:
  - Update (alter) the entity.
  - Delete (drop) the entity.
  - Grant, deny, or revoke privileges on the entity for any other role.
- Full control operations are also available through indirect ownership via a role in the active role set. Effectively, the rights of ownership are inherited from child roles, just like other privileges.
- Ownership can be transferred from one role to another with the following:
  - The active role set must contain the current owner role.
  - The current user must have a grant to the new owner role. This ensures that a user cannot transfer an entity and lose access to it. If such a transfer is necessary for an entity, another user who has both roles in the active role set has to change the ownership.
- The owner role is set from the current role when the object is created.
- By default, a role that owns a catalog owns all the schemas and tables in that catalog. However, a user can change the default ownership on a schema or table as described in the privileges overview.
- Externally created schemas are assigned the owner of the catalog as owner role.
- Externally created tables are assigned the owner of the catalog as owner role.
Roles, privileges, entities, and users
Privileges and ownership for entities are granted to roles, never to users.
A role can be granted to another role. That other role inherits all the privileges and ownership rights of the granted role.
A role can be granted to a user. When the user assumes that role, the user gets all the privileges and ownership rights of the role.
Session and current role
When you are using Starburst Galaxy with your account directly in the user interface or with a client application, the following aspects apply:
- You are identified as a specific user, and your usage is contained in a session.
- A specific role is assigned and displayed under your user name in the user interface. This current role is tested for any privilege, and is the owner of any created entity. Only one role can be set as the current role.
- The active role set determines all current available and applicable privileges.
- If no role is selected upon connection with a client tool or when logging into the user interface, a default role is used. This default role can be identical for all users, or configured specifically for each user.
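As an added example (not Starburst Galaxy code), the ownership, role-inheritance and active-role-set rules from the sections above, modelled as a small checker so the decisions can be traced. Role, user and entity names are constructed, and the rule that a table follows a changed schema owner is an assumption (the page only states the catalog default).

```python
class AccessModel:
    def __init__(self):
        self.role_grants = {}  # role -> roles granted to it (their rights flow in)
        self.user_roles = {}   # user -> roles granted to that user
        self.parent = {}       # entity -> containing entity (table -> schema -> catalog)
        self.owner = {}        # entity -> owner role, only where set explicitly
        self.privileges = {}   # (entity, role) -> actions granted to that role
    def grant_role(self, role, to_role):
        self.role_grants.setdefault(to_role, set()).add(role)
    def grant_privilege(self, action, entity, role):
        self.privileges.setdefault((entity, role), set()).add(action)
    def active_role_set(self, current_role):
        # The current role plus every role transitively granted to it.
        active, todo = set(), [current_role]
        while todo:
            role = todo.pop()
            if role not in active:
                active.add(role)
                todo.extend(self.role_grants.get(role, ()))
        return active
    def owner_of(self, entity):
        # Default ownership: nearest explicitly owned ancestor (assumption beyond the catalog default).
        while entity not in self.owner:
            entity = self.parent[entity]
        return self.owner[entity]
    def is_owner(self, entity, current_role):
        # Indirect ownership counts: the owner role may be anywhere in the active set.
        return self.owner_of(entity) in self.active_role_set(current_role)
    def can(self, action, entity, current_role):
        if self.is_owner(entity, current_role):
            return True  # owners have full control without an explicit grant
        return any(action in self.privileges.get((entity, r), ()) for r in self.active_role_set(current_role))
    def transfer_ownership(self, entity, user, current_role, new_owner):
        if not self.is_owner(entity, current_role):
            raise PermissionError("active role set must contain the current owner role")
        if new_owner not in self.user_roles.get(user, ()):
            raise PermissionError("user has no grant to the new owner role")
        self.owner[entity] = new_owner

def example_model():
    # Constructed scenario: data_admin owns catalog "sales"; analyst may SELECT one
    # table; engineer inherits analyst; user alice holds engineer and data_admin.
    m = AccessModel()
    m.parent.update({"sales.crm": "sales", "sales.crm.leads": "sales.crm"})
    m.owner["sales"] = "data_admin"
    m.grant_privilege("SELECT", "sales.crm.leads", "analyst")
    m.grant_role("analyst", "engineer")
    m.user_roles["alice"] = {"engineer", "data_admin"}
    return m
```

With the current role set to engineer, alice can read the table but not alter it; with data_admin as the current role she owns it through the catalog default, and she can hand the schema to engineer but not to analyst, which she was never granted.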
Attribute-based access control
The attribute-based access control system of Starburst Galaxy allows the combination of policies and attributes, such as tags, to further manage role access to entities such as catalogs, schemas, tables, views, and columns.
A policy can grant privileges that can apply to different entities, such as a schema and a table. A policy is only active if the policy role is contained in the user’s current active role set.
Starburst Galaxy combines attribute-based privilege grants and role-based privilege grants to determine role access to entities.
SQL statements
You can use the following SQL commands to manage roles and grants:
- SHOW ROLE GRANTS
The grants and ownership of entities are updated when a SQL command is executed, or changes are made in the user interface.