Access control privileges

This topic describes the privileges that are available in the Tabular access control model. Privileges are granted to roles, and roles are granted to users, to specify the operations that the users can perform on objects in the system.

Any privilege can also be granted with GRANT, meaning that the target role can in turn grant that privilege to other roles. This makes it easy to delegate access control management of a given object.
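The following Python sketch models the scheme described above: privileges granted to roles, roles granted to users, and delegation through with GRANT. It is an added illustration, not Tabular's API or code. The role names, users, and object identifiers are constructed, each object is treated independently, and treating MANAGE_GRANTS as sufficient to issue any grant is an assumption based on its description on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    role: str                 # role that receives the privilege
    privilege: str            # privilege name from this page, e.g. SELECT
    obj: str                  # object identifier (constructed naming scheme)
    with_grant: bool = False  # True when the privilege was granted with GRANT

# Constructed sample data: role membership and existing grants.
MEMBERS = {"analysts": {"alice", "bob"}, "data_eng": {"carol"}, "sec_admin": {"dave"}}
GRANTS = [
    Grant("analysts", "SELECT", "table:sales.orders"),
    Grant("data_eng", "SELECT", "table:sales.orders", with_grant=True),
    Grant("data_eng", "UPDATE", "table:sales.orders"),
    Grant("sec_admin", "MANAGE_GRANTS", "org"),
]

def held(user, privilege, obj, grants, members, need_grant_option=False):
    """True if any role the user belongs to holds the privilege on obj."""
    return any(
        g.privilege == privilege and g.obj == obj
        and user in members.get(g.role, set())
        and (g.with_grant or not need_grant_option)
        for g in grants
    )

def may_grant(user, privilege, obj, grants, members):
    """Delegation check: privilege held with GRANT, or MANAGE_GRANTS (assumed rule)."""
    return (held(user, privilege, obj, grants, members, need_grant_option=True)
            or held(user, "MANAGE_GRANTS", "org", grants, members))

def add_grant(actor, new, grants, members):
    """Return a new grant list, refusing grants the actor is not allowed to make."""
    if not may_grant(actor, new.privilege, new.obj, grants, members):
        raise PermissionError(f"{actor} cannot grant {new.privilege} on {new.obj}")
    return grants + [new]

def delegators(grants, members):
    """Audit view: users who can pass each (privilege, object) on to other roles."""
    users = set().union(*members.values())
    keys = {(g.privilege, g.obj) for g in grants}
    return {k: sorted(u for u in users if may_grant(u, *k, grants, members)) for k in keys}
```

Reviewing the output of `delegators` periodically shows how far delegation has spread, since every user listed there can extend access without involving an administrator.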

Table privileges

SELECT: Allows reading from any column in the table, including columns in all active table snapshots.
UPDATE: Allows inserting, updating, and deleting any data in the table.
DROP_TABLE: Allows dropping, renaming, or moving the table to another database.

Database privileges

LIST: Allows listing all of the tables in a database.
CREATE_TABLE: Allows creating a table in the database.
DROP_DB: Allows dropping or renaming the database.

Warehouse privileges

LIST: Allows listing all of the databases in a warehouse.
CREATE_DB: Allows creating a database in the warehouse.
DROP_WAREHOUSE: Allows dropping or renaming the warehouse.

Role privileges

MODIFY_ROLE: Rename or delete a role, add or remove role members, and perform general administration of the role.

Organization privileges

MANAGE_USERS: Add and remove users from the organization.
MANAGE_GRANTS: Add, modify, or revoke any grant on all resources.
CREATE_ROLE: Create custom roles.
CREATE_WAREHOUSE: Create a new warehouse.