Configuring role access

Granting role privileges

Access privileges on resources are granted to (or revoked from) roles, and roles are assigned to individuals. Your role is what allows you to perform the actions on data that your job requires.

You can grant role privileges at multiple levels, including the warehouse, the database, and the table level.

At the warehouse level you can:

  • Grant access and/or admin privileges to other roles for the warehouse.
  • Set the default privileges for future databases created in the warehouse.
  • Set the default privileges for future tables created in the warehouse.

At the database level you can:

  • Grant access and/or admin privileges to other roles for the database.
  • Set the default privileges for future tables created in the database.

At the individual table level you can:

  • Grant access and/or admin privileges to other roles for data in this table.

In all cases the privilege-granting process functions similarly, and you have the same options. The one exception occurs at the database level, where you have the additional option of cascading privileges – that is, applying future role table settings to existing tables. See Cascading Privileges below.

To grant access to a role

  1. Navigate to the desired resource and click Access Controls.
  2. Click Grant a Role Access.

Grant a role access

  1. Grant privileges either to a pre-existing role, or to a new role you create.
    • To grant privileges to a pre-existing role, click the Search box and, from the list that displays, select the role to which you wish to grant access. Then click Next. The Grant a Role Access box displays.
    • To grant privileges to a new role, click Create a New Role. Enter a role name, then click Create a Role.

Tabular displays a grid with all the possible combinations of privileges. Click each item you want.

  • The oblong boxes represent individual access levels.
  • The shields represent admin privileges. Click a shield to grant that specific admin privilege level to the role.

Specify the privileges the role will have on the resource and future resources

When you’re done, click Apply Changes.

The entire process is modular. That is, you can grant access to any resource – a database or a table – in any combination of levels, with any combination of admin access. There’s one exception: to grant admin privileges to all access levels at once, click Admin on the right of each resource.

Two examples:

Specify the privileges the role will have on the resource and future resources

  • For this warehouse, A Team members have privileges to list the databases, create a new database, and modify a database. They can also grant to other roles the ability to create a database in this warehouse.
  • For databases created from this point forward, A Team members can view the list of databases. They can also grant to other roles the ability to list databases.
  • For tables created from this point forward, A Team members can select from data in the tables, and they can drop a table. They can also grant to other roles the ability to drop a table. They do NOT have the ability to update tables.

Specify the privileges the role will have on the resource and future resources

  • For this warehouse, A Team members can view a list of databases and create a new database. They also have the ability to grant to other roles the ability to create a database in this warehouse.
  • For databases created from this point forward, A Team members cannot access any of the data. However, they are able to grant to other roles the ability to access the data at any privilege level.
  • For tables created from this point forward, A Team members can update data in the tables, and they can drop a table. They can also grant to other roles the ability to drop a table. They do NOT have the ability to select data in the tables.

Editing privileges for an existing role

You can edit an existing role’s privileges directly from the Access Controls page. To do this, scroll to the role you wish to modify and make your changes directly. When you’re done, click Apply Changes.

Specify the privileges the role will have on the resource and future resources

Cascading privileges

When you set or edit future table access privileges for a particular role on a database, you can opt to apply those privileges to existing tables as well. This option simplifies privilege management; you do not have to update privileges manually each time you wish to establish or modify access controls to all of the tables in a database.

From the database access control page you have two options:

  1. Grant new access and cascade from the new access window.
  2. Cascade privileges for a role with existing access.

The option to cascade displays in the lower-left on both the Grant Role Access page (for new grants) and the existing access control page.

To cascade privileges

  1. Navigate to the database you want.
  2. Click Access Controls.
    • For new privilege grants, click Grant Role Access. Select a role and click Next. From the Grant Role Access page, click the various access controls you want.

Specify the privileges the role will have on the resource and future resources

  3. To cascade the privileges you set, check Apply future table access to current tables.

You can also just cascade the existing privileges without making any changes. To do this:

  1. In the lower-left, check Apply future table access to current tables.
  2. Click Apply Changes.

Specify the privileges the role will have on the resource and future resources

Note: Cascading privileges is bidirectional – that is, you can cascade either to grant additional privileges or revoke existing privileges.

Important: You may note that you can set future table privileges one level up from databases, at the warehouse level. This only sets the default privileges for future tables on any databases that are created in the warehouse. It does not control default privileges for tables created in the warehouse; those are determined strictly by the privileges set on the containing database.
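
The rules in the Note and Important callouts above can be modeled to preview what a cascade would grant or revoke before you apply it. This is an added example, not Tabular's code or API: the class names, the role name `a_team`, the resource names and the privilege names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

NONE = frozenset()  # a role with no privileges

@dataclass
class Database:
    # role -> privileges applied to tables created from now on (hypothetical model)
    future_table: dict = field(default_factory=dict)
    # table name -> {role -> privileges currently in effect}
    tables: dict = field(default_factory=dict)

    def create_table(self, name):
        # New tables take privileges strictly from the containing database.
        self.tables[name] = dict(self.future_table)

    def cascade_preview(self, role):
        """Per table: (granted, revoked) if future table access were applied now."""
        target = self.future_table.get(role, NONE)
        changes = {}
        for name, grants in self.tables.items():
            current = grants.get(role, NONE)
            if current != target:
                changes[name] = (target - current, current - target)
        return changes

    def cascade(self, role):
        # Bidirectional: existing tables end up with exactly the future-table set.
        changes = self.cascade_preview(role)
        for grants in self.tables.values():
            grants[role] = self.future_table.get(role, NONE)
        return changes

@dataclass
class Warehouse:
    future_table: dict = field(default_factory=dict)  # default for databases created later
    databases: dict = field(default_factory=dict)

    def create_database(self, name):
        db = self.databases[name] = Database(future_table=dict(self.future_table))
        return db

def demo():
    wh = Warehouse()
    old = wh.create_database("old_db")
    old.future_table["a_team"] = frozenset({"SELECT", "DROP"})
    old.create_table("events")
    wh.future_table["a_team"] = frozenset({"UPDATE", "DROP"})  # warehouse-level default
    old.create_table("orders")            # unaffected: old_db already exists
    new = wh.create_database("new_db")    # inherits the warehouse default
    new.create_table("clicks")
    old.future_table["a_team"] = frozenset({"SELECT"})  # tighten old_db
    return wh, old.cascade_preview("a_team")
```

In `demo()`, the preview shows that cascading on `old_db` would revoke the drop privilege from both existing tables, while the warehouse-level setting only reached tables in the database created after it was set.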