Privileges #

A privilege granted to a role conveys the right to perform specific operations.

The grantor of a privilege is not recorded as part of the grant; it is stored only in the audit log. Issuing a grant with an explicitly specified grantor is not supported and results in an error.

Entity privileges grant rights on a single entity, or on a collection of entities of the same kind. For example, the right to SELECT rows from a specific table is an entity privilege, and the table is the entity.

Account privileges are not associated with a specific entity. Account privileges include rights to create new top-level entities, such as clusters, catalogs and users, and rights to manage security for all entities.

Grant a privilege #

A role can grant a privilege on a specific entity to any other role under any of the following circumstances:

  • The role holds that privilege WITH ADMIN OPTION.
  • The role is the owner of the entity.
  • The role has the MANAGE_SECURITY privilege.

Account privileges #

You can use the following privileges to control allowed actions on the account entity, that is, your Starburst Galaxy account:

| Privilege | Description |
|---|---|
| MANAGE_SECURITY | The most powerful privilege for security management. A role with MANAGE_SECURITY can: grant or revoke any privilege on any entity to any role; grant any role to any user, including themselves, or revoke any role grant; create, update or delete any user or any role. |
| CREATE_CLUSTER | Create a new cluster. Does not convey the right to modify, stop or start any cluster. |
| CREATE_CATALOG | Create a new catalog. Does not convey the right to use, modify or delete any catalog. |
| CREATE_ROLE | Create a new role. Does not convey the right to grant, modify or delete any role. |
| CREATE_USER | Create a new user. Does not convey the right to modify or delete any user, nor to grant or revoke roles for the user. |
| VIEW_AUDIT_LOG | View the Audit log page. |
| MANAGE_BILLING | View usage and billing, and update the account profile. |

Cluster privileges #

You can use the following privileges to control allowed actions on the cluster entities:

| Privilege | Description |
|---|---|
| START_STOP_CLUSTER | Start or stop the cluster. |
| USE_CLUSTER | View a cluster and run queries on it. Does not convey the right to modify, stop or start the cluster, nor to access any data in the catalogs attached to the cluster. |

Catalog privileges #

Catalogs are identified by catalog name, and catalog names must be unique within your Starburst Galaxy account. The only privilege on a catalog is CREATE_SCHEMA, allowing a role with that privilege to create new schemas in the catalog.

A catalog is visible to a role in the following situations:

  • The role has privilege CREATE_SCHEMA on the catalog.
  • The role has some privilege on a schema or table contained in the catalog.
  • The role is the catalog owner.
  • The role has the MANAGE_SECURITY privilege.
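The grant rules under "Grant a privilege" and the catalog visibility rules above are both decision procedures, so here they are encoded as a small policy checker. This is an added example written for this page, not Starburst Galaxy code; the role names analyst, data_owner and lead, the cluster etl and the schema/table sales.orders are constructed, and the "kind:name" entity naming is an assumption of the example.

```python
from dataclasses import dataclass, field

# Constructed toy model of the rules on this page; not Starburst Galaxy code.
ACCOUNT = "account"

@dataclass
class Grant:
    privilege: str
    entity: str                 # "account", "catalog:prod_data", "schema:prod_data.sales", ...
    admin_option: bool = False  # privilege was granted WITH ADMIN OPTION

@dataclass
class Role:
    name: str
    grants: list = field(default_factory=list)
    owns: set = field(default_factory=set)   # entities this role owns

def has_privilege(role, privilege, entity):
    return any(g.privilege == privilege and g.entity == entity for g in role.grants)

def can_grant(role, privilege, entity):
    """True if `role` may grant `privilege` on `entity` to another role:
    it holds MANAGE_SECURITY on the account, owns the entity, or holds the
    same privilege on that entity WITH ADMIN OPTION. Nothing else suffices."""
    if has_privilege(role, "MANAGE_SECURITY", ACCOUNT) or entity in role.owns:
        return True
    return any(g.privilege == privilege and g.entity == entity and g.admin_option
               for g in role.grants)

def catalog_visible(role, catalog):
    """Catalog is visible when the role has CREATE_SCHEMA on it, any privilege
    on a schema or table inside it, owns it, or has MANAGE_SECURITY."""
    cat = f"catalog:{catalog}"
    if cat in role.owns or has_privilege(role, "MANAGE_SECURITY", ACCOUNT):
        return True
    if has_privilege(role, "CREATE_SCHEMA", cat):
        return True
    # schema:<catalog>.<schema> and table:<catalog>.<schema>.<table> sit inside <catalog>
    return any(g.entity.split(":", 1)[1].split(".")[0] == catalog
               for g in role.grants if g.entity.startswith(("schema:", "table:")))

# Constructed sample roles: only sysadmin and the catalog owner can hand out rights.
sysadmin = Role("sysadmin", [Grant("MANAGE_SECURITY", ACCOUNT)])
data_owner = Role("data_owner", owns={"catalog:prod_data"})
analyst = Role("analyst", [Grant("USE_CLUSTER", "cluster:etl"),
                           Grant("SELECT", "table:prod_data.sales.orders")])
lead = Role("lead", [Grant("USE_CLUSTER", "cluster:etl", admin_option=True)])
```

Note that WITH ADMIN OPTION is scoped to the one privilege and entity it was granted on, so lead can pass on USE_CLUSTER but not START_STOP_CLUSTER, and USE_CLUSTER on its own never implies START_STOP_CLUSTER.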

When a catalog is created, the user is prompted to specify the roles that can read from and/or write to the catalog. These roles are granted wildcard privileges on the schemas and tables in the catalog.

| Privilege | Description |
|---|---|
| CREATE_SCHEMA | Allows creation of new schemas inside the catalog. To rename a schema, a role must own the schema and must also have the CREATE_SCHEMA privilege on the catalog. |

Schema privileges #

Schemas have names and are contained in a catalog. By default, the role that owns the catalog containing the schema also owns the schema, but you can change the schema owner in the UI and in Trino.

In SQL, you set the owner of the schema monthly_sales in catalog prod_data to the role sysadmin as follows:

ALTER SCHEMA prod_data.monthly_sales
SET AUTHORIZATION ROLE sysadmin

You can see the current owner of a schema in the output of its create statement:

SHOW CREATE SCHEMA prod_data.monthly_sales

A schema can contain one or more tables and/or views.

| Privilege | Description |
|---|---|
| CREATE_TABLE | Allows creation of new table entities inside a schema within a catalog. To rename a table, a role must own the table and must also have the CREATE_TABLE privilege on the schema. |