Use Role-Based Access Control (RBAC) to control which users within an account can create new engines and use, operate, monitor, and modify existing engines. Firebolt provides the CREATE, USAGE, OPERATE, MONITOR and MODIFY permissions to control these actions. You can grant these permissions for specific engines or for all engines in a given account. Note that CREATE ENGINE can only be granted at the account level.

Follow these steps to control which permissions a user has for a given engine or for any engine within an account:

  • Create a new role
  • Grant permissions to the role
  • Assign the role to a user

Example 1: We want to provide a user kate with permissions to create and operate engines

User, organization, and role names that contain non-alphanumeric characters other than underscores (_) must be enclosed in double-quotes. Double-quotes also preserve uppercase characters when needed. For more information about the full set of naming rules, see the object identifiers guide.

CREATE ROLE my_role;

GRANT CREATE ENGINE ON ACCOUNT "my-account" IN ORGANIZATION my_organization TO my_role; 

GRANT OPERATE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role;

GRANT ROLE my_role TO USER kate;

Example 2: We want to provide a user kate with permissions to only use and operate engines

CREATE ROLE my_role;

GRANT USAGE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role; 

GRANT OPERATE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role; 

GRANT ROLE my_role TO USER kate;

Example 3: We want to provide a user kate with permissions to use, operate and monitor engine metrics

CREATE ROLE my_role;

GRANT USAGE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role;

GRANT MONITOR USAGE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role; 

GRANT OPERATE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role; 

GRANT ROLE my_role TO USER kate;

Example 4: We want to provide a user kate with permissions to create and modify engines

CREATE ROLE my_role;

GRANT CREATE ENGINE ON ACCOUNT "my-account" IN ORGANIZATION myOrg TO my_role; 

GRANT MODIFY ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role; 

GRANT ROLE my_role TO USER kate;
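The quoting rule and the account-level restriction on CREATE ENGINE described above can be checked before a grant script is run. The following Python sketch is an added example, not Firebolt code: the function names `lint` and `check_name` are hypothetical, the sample script is constructed, and only the statement forms shown on this page are recognized.

```python
import re

IDENT = r'("[^"]+"|[^\s";]+)'   # double-quoted or bare identifier
# Statement forms as they appear in the examples on this page.
ENGINE_GRANT = re.compile(
    rf'GRANT\s+(USAGE|OPERATE|MODIFY|MONITOR\s+USAGE)\s+ON\s+ENGINE\s+{IDENT}'
    rf'\s+IN\s+ACCOUNT\s+{IDENT}\s+TO\s+{IDENT}$', re.I)
CREATE_GRANT = re.compile(
    rf'GRANT\s+CREATE\s+ENGINE\s+ON\s+ACCOUNT\s+{IDENT}'
    rf'\s+IN\s+ORGANIZATION\s+{IDENT}\s+TO\s+{IDENT}$', re.I)

def check_name(name):
    """Apply the page's quoting rule to one identifier."""
    if name.startswith('"'):
        return []
    if re.search(r'[^A-Za-z0-9_]', name):
        return [f'{name}: must be enclosed in double-quotes']
    if name != name.lower():
        return [f'{name}: quote it if the uppercase letters must be preserved']
    return []

def lint(script):
    """Return (findings, {role: {(permission, scope), ...}})."""
    findings, grants = [], {}
    for stmt in (s.strip() for s in script.split(';')):
        if not re.match(r'GRANT\b', stmt, re.I) or re.match(r'GRANT\s+ROLE\b', stmt, re.I):
            continue  # CREATE ROLE and GRANT ROLE are not checked here
        if m := CREATE_GRANT.match(stmt):
            perm, names, scope = 'CREATE ENGINE', m.groups(), f'account {m.group(1)}'
        elif m := ENGINE_GRANT.match(stmt):
            perm = ' '.join(m.group(1).upper().split())
            names, scope = m.groups()[1:], f'engine {m.group(2)}'
        else:
            why = ('CREATE ENGINE can only be granted at the account level'
                   if re.match(r'GRANT\s+CREATE\b', stmt, re.I) else 'statement form not covered')
            findings.append(f'{stmt}: {why}')
            continue
        for n in names:
            findings += check_name(n)
        grants.setdefault(names[-1], set()).add((perm, scope))
    return findings, grants

# Constructed input: one unquoted mixed-case name, one unquoted hyphen, one engine-level CREATE.
SAMPLE = '''
GRANT CREATE ENGINE ON ACCOUNT "my-account" IN ORGANIZATION myOrg TO my_role;
GRANT MODIFY ON ENGINE my_engine IN ACCOUNT my-account TO my_role;
GRANT CREATE ENGINE ON ENGINE my_engine IN ACCOUNT "my-account" TO my_role;
GRANT ROLE my_role TO USER kate;
'''
print('\n'.join(lint(SAMPLE)[0]))
```

The second return value maps each role to the permissions the script would give it, which makes it easy to review whether a role carries more than the user needs.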

For more information, see the engine permissions reference guide.
