Access control
The access control system of Starburst Galaxy makes it easy to ensure that each
user has the appropriate access rights to perform actions on entities in the
A role has a name and an optional description. A role can be
granted privileges on entities such as
clusters, catalogs, and tables. This provides fine-grained control that protects
your data, and allows you to define just the right mix of allowed actions and
access for each function in your organization.
Ownership of entities is controlled with roles. This is often called a
Discretionary Access Control (DAC) system, and the following aspects apply:
- Every entity is owned by exactly one role - the owner role.
Entities are not owned by users.
- Ownership grants full control over the entity, including:
  - Update (alter) the entity.
  - Delete (drop) the entity.
  - Grant, deny, or revoke privileges on the entity for any other role.
- Full control operations are also available through indirect ownership via a
role in the active role
Effectively the rights of ownership are inherited from child roles, just like
- Ownership can be transferred from one role to another with the following
  - The active role set must contain the current owner role.
  - The current user must have a grant to the new owner role. This ensures that
    a user cannot transfer an entity and lose access. If this is necessary for
    an entity, another user with both roles in the active role set has to change
- The owner role is set from the current role when the object is created.
- By default, a role that owns a catalog owns all the schemas and tables in that
catalog. However, a user can change the ownership of a schema or table after
creation as described in the privileges
- Externally created schemas are assigned the owner of the catalog as owner
- Externally created tables are assigned the owner of the catalog as owner role.
Roles, privileges, entities, and users
Privileges and ownership for entities are granted to roles, never to users.
A role can be granted to another role. That other role inherits all the
privileges and ownership rights of the granted role.
A role can be granted to a user. When the user assumes that role, the user gets
all the privileges and ownership rights of the role.
Session and current role
When you are using Starburst Galaxy with your account directly in the user
interface or with a client application, the following aspects apply:
- You are identified as a specific user, and your usage is contained in a
- A specific role is assigned and displayed under your user name in the user
interface. This current role is tested for any privilege, and is the owner
of any created entity. Only one role can be set as the current role.
- The active role determines all currently available and applicable privileges.
- If no role is selected upon connection with a client tool or when logging into
the user interface, a default role is used. This default role can be identical
for all users, or configured specifically for each user.
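
The ownership rules above can be checked with a small model. The following is an added example, not Starburst Galaxy code: the class, method, role, user and entity names are hypothetical. It assumes the active role set is the current role plus every role it inherits through role grants, and that a "grant to the new owner role" may be direct or inherited.

```python
class AccessModel:  # added illustration, not Galaxy code; all names hypothetical
    def __init__(self):
        self.role_grants = {}  # grantee role -> roles granted to it
        self.user_grants = {}  # user -> roles granted to the user
        self.owner = {}        # entity -> exactly one owner role, never a user

    def grant_role_to_role(self, granted, grantee):
        self.role_grants.setdefault(grantee, set()).add(granted)
    def grant_role_to_user(self, role, user):
        self.user_grants.setdefault(user, set()).add(role)

    def closure(self, roles):
        """Return the roles plus every role inherited through role grants."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:  # seen also guards against grant cycles
                seen.add(role)
                stack.extend(self.role_grants.get(role, ()))
        return seen

    def active_role_set(self, user, current_role):
        # Assumption: a user can only assume a role reachable from their grants.
        if current_role not in self.closure(self.user_grants.get(user, ())):
            raise PermissionError(f"{user} has no grant to {current_role}")
        return self.closure([current_role])

    def create(self, user, current_role, entity):
        self.active_role_set(user, current_role)
        self.owner[entity] = current_role  # owner is the current role at creation

    def has_full_control(self, user, current_role, entity):
        # Direct or indirect ownership: owner role is in the active role set.
        return self.owner[entity] in self.active_role_set(user, current_role)

    def transfer(self, user, current_role, entity, new_owner):
        if not self.has_full_control(user, current_role, entity):
            raise PermissionError("active role set lacks the current owner role")
        if new_owner not in self.closure(self.user_grants.get(user, ())):
            raise PermissionError("user has no grant to the new owner role")
        self.owner[entity] = new_owner

def demo():
    m = AccessModel()  # constructed sample roles, users and entity
    m.grant_role_to_role("analyst", "lead")  # lead inherits analyst
    m.grant_role_to_user("lead", "alice")
    m.grant_role_to_user("analyst", "bob")
    m.create("bob", "analyst", "sales.orders")
    return m
```

In this model a user who holds only the current owner role cannot hand an entity to a role they do not hold, while a user whose active role set contains both roles can, which is the lock-out protection the transfer rule describes.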
SQL statements
You can use the following SQL commands to manage roles and grants:
SHOW ROLE GRANTS
Find examples on roles.
The grants and ownership of entities are updated when a SQL command is executed,
or changes are made in the user interface.