Configuring role access

Granting role privileges

Access privileges on resources are granted to (or revoked from) roles, and roles are assigned to individuals. Your role is what allows you to perform the actions on data that your job requires.

You can grant role privileges at multiple levels, including the warehouse, the database, and the table level.

At the warehouse level you can:

  • Grant access and/or admin privileges to other roles for the warehouse
  • Set the default privileges for future databases created in the warehouse
  • Set the default privileges for future tables created in the warehouse

At the database level you can:

  • Grant access and/or admin privileges to other roles for the database
  • Set the default privileges for future tables created in the database

At the individual table level you can:

  • Grant access and/or admin privileges to other roles for data in this table

Separately, you can also grant privileges for a role to access storage profiles and labels.

In all cases the privilege-granting process functions similarly, and you have similar options. The one exception occurs at the database level, where you have the additional option of cascading privileges – that is, applying future role table settings to existing tables. See Cascading Privileges below.

To grant access to a role

  1. Navigate to the desired resource and click Access Controls.
  2. Click Grant a Role Access.

Grant a role access

  3. Grant privileges either to a pre-existing role, or to a new role you create.
    • To grant privileges to a pre-existing role, click the Search roles box and, from the list that displays, select the role to which you wish to grant access. Then click Next. The Grant a Role Access box displays.
    • To grant privileges to a new role, click Create a New Role. Enter a role name, then click Create a Role.

Tabular displays a grid with all the possible variations of privilege permissions. Click each item you want.

  • The oblong boxes represent individual access levels.
  • The shields represent admin privileges. Click a shield to grant that specific admin privilege level to the role.

When you’re done, click Apply Changes.

The entire process is modular. That is, you can grant access to any resource – a database or a table – in any combination of levels, with any combination of admin access. There’s one exception: to grant admin privileges to all access levels at once, on the right of each resource click Admin.

Two examples:

Example 1

  • For this warehouse, A Team members have privileges to list the databases, create a new database, and modify a database. They can also grant to other roles the ability to create a database in this warehouse.
  • For databases created from this point forward, A Team members can view the list of databases. But they must possess Admin access on the warehouse to be able to grant to other roles the ability to list databases. (Security Admins also have this capability.)
  • For tables created from this point forward, A Team members can select from data in the tables, and they can drop a table. They must possess Admin access on the warehouse to be able to grant to other roles the ability to drop a table. (Again, Security Admins also possess this capability.) A Team members do NOT have the ability to update tables.

Example 2

  • For this warehouse, A Team members can view a list of databases and create a new database. They also have the ability to grant to other roles the ability to create a database in this warehouse.
  • For databases created from this point forward, A Team members cannot access any of the data. However, they are able to grant to other roles the ability to access the data at any privilege level.
  • For tables created from this point forward, A Team members can update data in the tables, and they can drop a table. They can also grant to other roles the ability to drop a table. They do NOT have the ability to select data in the tables.

Tabular enables you to construct an organization in whatever way best fits your business. For example, you can create an Admin role whose members themselves lack all access to data resources but who have the ability to precisely configure data access for every other role in your organization. In other words, they control a role’s access privileges without ever being able to access the data themselves.

Important: You can grant access to future resources only if one of the following is true:

  • You have Admin privileges on the resource
  • You’re a security admin for your organization

This is what the above looks like:


Granting access to future resources

Assigning yourself to a resource

Remember: granting access to a resource and having access to a resource are two distinct things in Tabular. You may need to grant yourself access to a resource before disabling access for other roles; it is possible, albeit unlikely, for you to lock yourself out of a resource.

Editing privileges for an existing role

You can edit an existing role’s privileges directly from the Access Controls page. To do this, scroll to the role you wish to modify, make your changes directly, and when you’re done, click Apply Changes.


Specify the privileges the role will have on the resource and future resources

Cascading privileges

When you set or edit future table access privileges for a particular role on a database, you can opt to apply those privileges to existing tables as well. This option simplifies privilege management; you do not have to update privileges manually each time you wish to establish or modify access controls to all of the tables in a database.

From the database access control page you have 2 options:

  1. Grant new access and cascade from the new access window
  2. Cascade privileges for a role with existing access

The option to cascade displays in the lower-left on both the Grant Role Access page (for new grants) and the existing access control page.

To cascade privileges

  1. Navigate to the database you want.
  2. Click Access Controls.
    • For new privilege grants, click Grant Role Access. Select a role and click Next. From the Grant Role Access page, click the various access controls you want.

Specify the privileges the role will have on the resource and future resources

  3. To cascade the privileges you set, check Apply future table access to current tables.

You can also just cascade the existing privileges without making any changes. To do this:

  1. In the lower-left, check Apply future table access to current tables.
  2. Click Apply Changes.

Specify the privileges the role will have on the resource and future resources

Note: Cascading privileges is bidirectional – that is, you can cascade either to grant additional privileges or revoke existing privileges.

Important: You may note that you can set future table privileges one level up from databases, at the warehouse level. This only sets the default future-table privileges for databases that are subsequently created in the warehouse. It does not directly control the privileges of tables created in the warehouse; those are determined strictly by the privileges set on the containing database.
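
The propagation rules described in this section, as an added Python model (not Tabular code or its API; the class and method names, the database and table names, and the SELECT/DROP privilege labels are assumptions made for the illustration). It shows that a new table copies the containing database's future-table settings, that a warehouse-level setting reaches only databases created afterwards, and that a cascade overwrites grants on existing tables, so it can revoke as well as grant.

```python
from dataclasses import dataclass, field

def _copy(grants):
    return {role: set(privs) for role, privs in grants.items()}

@dataclass
class Database:
    name: str
    future_tables: dict = field(default_factory=dict)  # role -> privileges
    tables: dict = field(default_factory=dict)         # table -> {role -> privileges}

    def create_table(self, table):
        # A new table takes the containing database's future-table settings.
        self.tables[table] = _copy(self.future_tables)

    def set_future_tables(self, role, privs, cascade=False):
        self.future_tables[role] = set(privs)
        if cascade:
            # Models "Apply future table access to current tables": existing
            # grants are overwritten, so this can revoke as well as grant.
            for grants in self.tables.values():
                grants[role] = set(privs)

@dataclass
class Warehouse:
    future_tables: dict = field(default_factory=dict)
    databases: dict = field(default_factory=dict)

    def create_database(self, name):
        # Only databases created from now on inherit the warehouse setting.
        self.databases[name] = Database(name, _copy(self.future_tables))
        return self.databases[name]

def demo(role="A Team"):
    wh = Warehouse()
    sales = wh.create_database("sales")                # constructed names
    sales.set_future_tables(role, {"SELECT", "DROP"})
    sales.create_table("orders")
    wh.future_tables[role] = {"SELECT"}                # warehouse-level change
    sales.create_table("refunds")                      # existing database
    wh.create_database("marketing").create_table("leads")
    result = {"refunds_before": set(sales.tables["refunds"][role]),
              "leads": wh.databases["marketing"].tables["leads"][role]}
    sales.set_future_tables(role, {"SELECT"}, cascade=True)  # revokes DROP
    result["orders_after"] = sales.tables["orders"][role]
    return result

if __name__ == "__main__":
    print(demo())
```

When reviewing access, the effective privileges on an existing table are the ones stored on that table, so a tightened future-table setting takes effect there only after a cascade.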