Starburst Documentation
Starburst Galaxy
  •  Get started
  •  Working with data
  •  Data engineering
  •  Developer tools
  •  Cluster administration
  •  Security and compliance
  •  Troubleshooting
  • Galaxy status
  •  Reference

    • starburst galaxy > security and compliance > manage galaxy access > manage users roles and tags > Account and cluster privileges

    Account and cluster privileges #

    A privilege granted to a role conveys the right to perform specific operations.

    Learn more about the basics of adding and removing privileges on the Galaxy privileges basics page.

    This page discusses the management of account-level and cluster-level privileges.

    See Data privileges for a discussion of the different Starburst Galaxy privileges that can be applied to catalogs, schemas, tables, views, and columns, as well as privileges that manage access to object storage locations and the rights to execute functions and SQL routines.

    Account privileges #

    Use the following privileges to control allowed actions on the Account entity. Adding privileges to the Account entity determines the access rights of your Starburst Galaxy account:

    Privilege Grants ability to
    Apply tag Apply an existing attribute tag to a data entity.
    Cancel submitted queries Cancel queries submitted by any user. Each user can cancel their own queries, but this privilege is required to be able to cancel any query.
    Create catalog Create a new catalog. Does not convey the right to use, modify or delete any catalog.
    Create cluster Create a new cluster. Does not convey the right to modify, stop or start any cluster.
    Create SQL routines Create new SQL routines to reside in a catalog.
    Create role Create a new role. Does not convey the right to grant, modify or delete any role.
    Create tag Create and manage attribute tags.
    Create user Create user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user.
    Generative AI features Enables the Explain Query context menu in the query editor and the Generate SQL for this data option in the cluster explorer's options menu. This privilege is never enabled by default. A grant of this privilege constitutes a deliberate opt-in to use OpenAI's GPT-4 technology in the query editor.
    Allow username/password login This privilege is only visible on Galaxy accounts with SSO enabled. Allows members of a role to log in with username and password authentication, bypassing SSO authentication. Conversely, revoking this privilege forces SSO only logins for a role.
    Manage account work A role with this privilege:
    • Can create, update, or delete scheduled jobs for a service account. The role must also have adequate permissions to perform the task at the scheduled time.
    • Can see the Status column in the list of catalogs and in all levels of the catalog explorer, and can respond to indexing error conditions.
    Manage billing View usage and billing and update account profile.
    Manage ingest streams Enables the Data > Ingest streams subsystem to allow support for ingesting Kafka stream data.
    Manage notifications View and manage settings for in app and email notifications.
    Manage OAuth client View, create, and delete OAuth clients.
    Manage security This is the most powerful privilege for security management. A role with this privilege can:
    • Grant or revoke any privilege on any entity to any role.
    • Grant any role to any user, including themselves, or revoke any role grant.
    • Create, update, or delete any user or any role.
    By itself, manage security does not grant full administrative access to all privileges, all entities and therefore also to all connected data sources. However a user with this privilege can grant themselves full access to everything. Only grant this privilege to a minimal list of trusted roles. The accountadmin role is granted this privilege by default.
    Manage service account Create and manage a service account that allows a non-human user to authenticate and access cluster data.
    Manage Single Sign On Add, edit, or replace the configuration of this account's relationship with an external identity provider that supports single sign-on.
    View all data lineage View the lineage of any data entity in this Galaxy account.
    View all query history View the query history and query details of queries initiated by all users.
    View audit log View the history of privilege grants and major transactions. If single sign-on is enabled, view the grants and transactions with an identity provider.
    View public OAuth client View public OAuth clients.

    Cluster privileges #

    You can use the following privileges to control allowed actions on the cluster entities:

    Privilege Grants ability to
    Start/stop cluster Start or stop the cluster.
    Use cluster View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster.
    Monitor cluster Expose metrics data for an individual entity that is then readable by any OpenMetrics compliant client such as Prometheus or Datadog.