A privilege granted to a role conveys the right to perform specific operations.
The grantor of a privilege is not recorded as part of the grant; it is only stored in the audit log. Issuing a grant with a specified grantor is not supported and results in an error.
Entity privileges grant rights to a single entity or a collection of entities of the same kind, for example, the right to SELECT rows from a specific table, the table being the entity in this case.
Account privileges are not associated with a specific entity. Account privileges include rights to create new top-level entities, such as clusters, catalogs and users, and rights to manage security for all entities.
Grant a privilege #
A role can grant a privilege on a specific entity to any other role in any of the following circumstances:
- The role itself holds that privilege with the grant option (granted WITH GRANT OPTION).
- The role is the owner of the entity.
- The role has the MANAGE_SECURITY privilege.
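The following is an added example, not code from the original page, that walks through the grant paths above in Trino SQL as issued against a Galaxy cluster. The catalog, schema, table and role names (prod_data, monthly_sales, orders, sysadmin, analyst, reporting) are assumptions chosen for illustration.

```sql
-- Assumed names: catalog prod_data, schema monthly_sales, table orders,
-- roles sysadmin, analyst and reporting. sysadmin is assumed to hold
-- MANAGE_SECURITY so it can take ownership of the table first.
SET ROLE sysadmin;
ALTER TABLE prod_data.monthly_sales.orders SET AUTHORIZATION ROLE sysadmin;

-- Path 1: the entity owner grants. Passing the grant option along lets
-- analyst re-grant SELECT itself, so only do this when that is intended.
GRANT SELECT ON TABLE prod_data.monthly_sales.orders
  TO ROLE analyst WITH GRANT OPTION;

-- Path 2: a role that holds the privilege WITH GRANT OPTION grants it onward.
-- Without the grant option in the statement above, this GRANT is rejected.
SET ROLE analyst;
GRANT SELECT ON TABLE prod_data.monthly_sales.orders TO ROLE reporting;

-- Review the grants on the table. Remember that the grantor is not part of
-- the grant record; consult the audit log to find out who issued a grant.
SHOW GRANTS ON TABLE prod_data.monthly_sales.orders;

-- Least privilege: take back only the ability to re-grant, keeping analyst's
-- own SELECT. Trino's REVOKE has no cascade, so also remove the onward grant
-- explicitly rather than assuming it disappears with the grant option.
SET ROLE sysadmin;
REVOKE GRANT OPTION FOR SELECT ON TABLE prod_data.monthly_sales.orders
  FROM ROLE analyst;
REVOKE SELECT ON TABLE prod_data.monthly_sales.orders FROM ROLE reporting;
```

Run the statements in order with a session that can switch to the named roles; the second GRANT only succeeds because the first one carried WITH GRANT OPTION, which is the check to verify when auditing how a role obtained the right to re-grant.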
Account privileges #
You can use the following privileges to control allowed actions on the account entity, that is, your specific Starburst Galaxy account:
| Privilege | Description |
| --- | --- |
| MANAGE_SECURITY | MANAGE_SECURITY is the most powerful privilege for security management. A role with privilege MANAGE_SECURITY can: |
| CREATE_CLUSTER | Create a new cluster. Does not convey the right to modify, stop or start any cluster. |
| CREATE_CATALOG | Create a new catalog. Does not convey the right to use, modify or delete any catalog. |
| CREATE_ROLE | Create a new role. Does not convey the right to grant, modify or delete any role. |
| CREATE_USER | Create a new user. Does not convey the right to modify or delete any user, nor to grant or revoke roles to the user. |
| VIEW_AUDIT_LOG | View the Audit log page. |
| MANAGE_BILLING | View usage and billing and update the account profile. |
Cluster privileges #
You can use the following privileges to control allowed actions on cluster entities:
| Privilege | Description |
| --- | --- |
| START_STOP_CLUSTER | Start or stop the cluster. |
| USE_CLUSTER | View a cluster and run queries on the cluster. Does not convey the right to modify, stop, or start the cluster, or to access any data in the catalogs attached to the cluster. |
Catalog privileges #
Catalogs are identified by catalog name, and catalog names must be unique within your Starburst Galaxy account. The only privilege on a catalog is CREATE_SCHEMA, allowing a role with that privilege to create new schemas in the catalog.
A catalog is visible to a role in the following situations:
- The role has privilege CREATE_SCHEMA on the catalog.
- The role has some privilege on a schema or table contained in the catalog.
- The role is the catalog owner.
- The role has the MANAGE_SECURITY privilege.
When a catalog is created, the user is prompted to specify roles that can read and/or write to the catalog. These roles are granted wildcard privileges on the schemas and tables in the catalog.
| Privilege | Description |
| --- | --- |
| CREATE_SCHEMA | Allows creation of new schemas inside the catalog. To rename a schema, a role must own the schema and must also have privilege CREATE_SCHEMA on the catalog. |
Schema privileges #
Schemas have names and are contained in a catalog. By default, the role that owns the catalog containing the schema also owns the schema, but you can change the schema owner in the Galaxy UI or with Trino SQL.
In SQL, you can set the owner of the schema monthly_sales in the catalog prod_data to the role sysadmin this way:
```sql
ALTER SCHEMA prod_data.monthly_sales SET AUTHORIZATION ROLE sysadmin
```
You can see the current owner of a schema from its create statement:
```sql
SHOW CREATE SCHEMA prod_data.monthly_sales
```
A schema can contain one or more tables and/or views.
| Privilege | Description |
| --- | --- |
| CREATE_TABLE | Allows creation of new table entities inside a schema within a catalog. To rename a table, a role must own the table and must also have privilege CREATE_TABLE on the schema. |