Starburst Galaxy

  •  Get started

  •  Working with data

  •  Data engineering

  •  Developer tools

  •  Cluster administration

  •  Security and compliance

  •  Troubleshooting

  • Galaxy status

  •  Reference

  • Privilege tables #

    A privilege granted to a role conveys the right to perform specific operations.

    This page gathers in one place the tables that list the privileges assignable to each Starburst Galaxy entity, including account, cluster, catalog, schema, table or view, location, and function privileges.

    Account level privileges #

    Learn more about account level privileges on the Account and cluster privileges page.

    Privilege Grants ability to
    Create catalog Create a new catalog. Does not convey the right to use, modify or delete any catalog.
    Create cluster Create a new cluster. Does not convey the right to modify, stop or start any cluster.
    Create role Create a new role. Does not convey the right to grant, modify or delete any role.
    Create user Create user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user.
    Allow username/password login This privilege is only visible on Galaxy accounts with SSO enabled. Allows members of a role to log in with username and password authentication, bypassing SSO authentication. Conversely, revoking this privilege forces SSO only logins for a role. By default, this privilege is assigned to the accountadmin and public roles.
    Manage account work A role with this privilege:
    • Can create, update, or delete scheduled tasks for a service account. The role must also have adequate permissions to perform the task at the scheduled time.
    • Can see the Status column in the list of catalogs and in all levels of the catalog explorer, and can respond to indexing error conditions.
    Manage billing View usage and billing and update account profile.
    Manage notifications View and manage settings for in app and email notifications.
    Manage security This is the most powerful privilege for security management. A role with this privilege can:
    • Grant or revoke any privilege on any entity to any role.
    • Grant any role to any user, including themselves, or revoke any role grant.
    • Create, update, or delete any user or any role.
    By itself, manage security does not grant full administrative access to all privileges, all entities and therefore also to all connected data sources. However a user with this privilege can grant themselves full access to everything. Only grant this privilege to a minimal list of trusted roles. The accountadmin role is granted this privilege by default.
    Manage OAuth client View, create, and delete OAuth clients.
    Manage service account Create and manage a service account that allows a non-human user to authenticate and access cluster data.
    Manage single sign on Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on.
    View all query history View the query history and query details of queries initiated by all users.
    View audit log View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider.
    View public OAuth client View public OAuth clients. All roles have this privilege by default.

    Cluster level privileges #

    Learn more about cluster-level privileges on the Account and cluster privileges page.

    Privilege Grants ability to
    Start/stop cluster Start or stop the cluster.
    Use cluster View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster.

    Catalog level privileges #

    Learn more about catalog level privileges on the Data privileges page.

    Privilege Grants ability to
    Create schema Allows creation of new schemas inside the catalog. To rename a schema, a role must own the schema in addition to having the Create schema privilege on the catalog.

    Schema level privileges #

    Learn more about schema level privileges on the Data privileges page.

    Privilege Grants ability to
    Create table Allows creation of new tables inside a schema within a catalog. To rename a table, a role must own the table in addition to having the Create table privilege on the schema.

    Table and view level privileges #

    Learn more about table or view level privileges on the Data privileges

    SQL privilege UI privilege Grants ability to
    SELECT Select from table Allows selection of columns from the table.
    INSERT Insert into table Allows insertion of new rows in the table.
    UPDATE Update table rows Allows update of rows in the table.
    DELETE Delete from table Allows deletion of rows in the table.

    Location privileges #

    Learn more about location privileges on the Data privileges page.

    Privilege Grants ability to
    Create SQL Restricts creation or alteration of schemas or tables to only within the specified location.

    Function privileges #

    Learn more about function privileges on the Data privileges page.

    Privilege Grants ability to
    Execute table function Allows this role to run the named table function for the selected catalog. For SQL routines, allows the named routine to be run in any catalog in this account. Specify the privilege for each function or routine separately.

    Data product privileges #

    Learn more about the data product privilege on the Data privileges page.

    Privilege Grants ability to
    View data product If a role does not have the Select from table privilege for a schema, any data product based on that schema is not visible to that role. This View data product privilege lets the role see but not query a data product. Specify the privilege individually per named data product. This privilege grants a role access to the metadata for a specific data product in this account, if the role otherwise lacks the privilege to interact with the data product's schema.