Access control privileges

This topic describes the privileges that are available in the Tabular access control model. Privileges are granted to roles, and roles are granted to users, to specify the operations that the users can perform on objects in the system.

Any granted privilege may also be specified as "with GRANT", meaning that the target role can in turn grant the privilege to other roles. This makes it easy to delegate access control management of a given object.

Table privileges

| Privilege | Description |
| --- | --- |
| SELECT | Allows reading from any column in the table, including columns in all active table snapshots. |
| UPDATE | Allows inserting, updating, and deleting any data in the table. |
| DROP_TABLE | Allows dropping, renaming, or moving the table to another database. |
| MANAGE_GRANTS | Allows modification and revocation of any grant on the table. |

Database privileges

| Privilege | Description |
| --- | --- |
| LIST | Allows listing all of the tables in a database. |
| CREATE_TABLE | Allows creating a table in the database. |
| DROP_DB | Allows dropping or renaming the database. |
| MANAGE_GRANTS | Allows modification and revocation of any grant in the database. |

Warehouse privileges

| Privilege | Description |
| --- | --- |
| LIST | Allows listing all of the databases in a warehouse. |
| CREATE_DB | Allows creating a database in the warehouse. |
| DROP_WAREHOUSE | Allows dropping or renaming the warehouse. |
| MANAGE_GRANTS | Allows modification and revocation of any grant in the warehouse. |

Role privileges

| Privilege | Description |
| --- | --- |
| MODIFY_ROLE | Rename, delete, add / remove role members, and general administration of a role. |

Organization privileges

| Privilege | Description |
| --- | --- |
| MANAGE_USERS | Add and remove users from the organization. |
| MANAGE_GRANTS | Add, modify, or revoke any grant on all resources. |
| CREATE_ROLE | Create custom roles. |
| CREATE_WAREHOUSE | Create a new warehouse. |
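
The "with GRANT" delegation described at the top of this page can be audited with a small model like the one below. This is an added example, not Tabular's own code or API: the class and function names, the roles, users and table name are constructed. It assumes that "with GRANT" is the only way a non-administrator role passes a privilege on; MANAGE_GRANTS and any inheritance between warehouse, database and table are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    role: str                 # role that receives the privilege
    privilege: str            # privilege name from the tables on this page
    obj: str                  # object name (constructed for this example)
    with_grant: bool = False  # True when the grant is made "with GRANT"

class AccessModel:
    def __init__(self):
        self.grants = set()   # all Grant records
        self.members = {}     # role -> set of users holding that role

    def add_member(self, role, user):
        self.members.setdefault(role, set()).add(user)

    def holds(self, role, privilege, obj, need_grant=False):
        return any(g.role == role and g.privilege == privilege and g.obj == obj
                   and (g.with_grant or not need_grant) for g in self.grants)

    def grant(self, grantor, new):
        # grantor=None stands for an administrator seeding the first grant (assumption).
        # Any other role must itself hold the privilege with GRANT to pass it on.
        if grantor is not None and not self.holds(grantor, new.privilege, new.obj, True):
            raise PermissionError(f"{grantor} lacks {new.privilege} with GRANT on {new.obj}")
        self.grants.add(new)

    def delegators(self):
        # Audit view: every user who can re-grant a privilege through a role.
        return sorted((user, g.role, g.privilege, g.obj)
                      for g in self.grants if g.with_grant
                      for user in self.members.get(g.role, ()))

def build_sample():
    # Constructed roles, users and table name.
    m = AccessModel()
    m.add_member("data_eng", "alice")
    m.add_member("analysts", "bob")
    m.grant(None, Grant("data_eng", "SELECT", "sales.orders", with_grant=True))
    m.grant("data_eng", Grant("analysts", "SELECT", "sales.orders"))  # no with GRANT
    return m

if __name__ == "__main__":
    model = build_sample()
    print(model.delegators())
    try:
        model.grant("analysts", Grant("interns", "SELECT", "sales.orders"))
    except PermissionError as err:
        print("denied:", err)
```

The `delegators()` listing is the part worth reviewing periodically: each row is a user who can widen access to an object without an administrator being involved.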