This topic describes the privileges that are available in the Tabular access control model.
Privileges are granted to roles, and roles are granted to users, to specify the operations that the users can perform on objects in the system.
Any granted privilege may also be specified as with GRANT, meaning that the target role has the ability to grant the privilege to other roles. This enables access control management of a given object to be easily delegated.
On this page:
Table privileges
| Privilege | Description |
|---|
| SELECT | Allows reading from any column in the table, including columns in all active table snapshots. |
| UPDATE | Allows inserting, updating, and deleting any data in the table. |
| DROP_TABLE | Allows dropping, renaming, or moving the table to another database. |
Database privileges
| Privilege | Description |
|---|
| LIST | Allows listing all of the tables in a database. |
| CREATE_TABLE | Allows creating a table in the database. |
| DROP_DB | Allows dropping or renaming the database.' |
Warehouse privileges
| Privilege | Description |
|---|
| LIST | Allows listing all of the databases in a warehouse. |
| CREATE_DB | Allows creating a database in the warehouse. |
| DROP_WAREHOUSE | Allows dropping or renaming the warehouse. |
Role privileges
| Privilege | Description |
|---|
| MODIFY_ROLE | Rename, delete, add / remove role members, and general administration of a role. |
Organization privileges
| Privilege | Description |
|---|
| MANAGE_USERS | Add and remove users from the organization. |
| MANAGE_GRANTS | Add, modify, or revoke any grant on all resources. |
| CREATE_ROLE | Create custom roles. |
| CREATE_WAREHOUSE | Create a new warehouse. |
