Ownership
Ownership allows users to perform all operations on objects they created without having to manually grant privileges for these operations. This provides a smoother user experience because objects are immediately available to use once created. These operations include granting privileges on owned objects.
Ownership Levels
Firebolt implements ownership at two distinct levels:
- Account-level ownership — Applies to objects within an account
- Organization-level ownership — Applies to objects at the organization level
These two ownership levels are isolated from each other: you cannot make a user the owner of an organization-level object, and you cannot make a login or service account the owner of an account-level object.
Supported Object Types
Account-Level Objects
The account-level object types that support ownership are:
- Role
- User
- Engine
- Database
- Schema
- Table
- View
Organization-Level Objects
The organization-level object types that support ownership are:
- Organization
- Account
- Login
- Service Account
- Network Policy
Viewing Current Owners
The current owner of an object can be viewed in the corresponding information_schema view:
Account-Level Objects
Object | View |
---|---|
Role | N/A |
User | information_schema.users |
Database | information_schema.catalogs |
Engine | information_schema.engines |
Schema | information_schema.schemata |
Table | information_schema.tables |
View | information_schema.views or information_schema.tables |
Index ownership, shown in information_schema.indexes, will always show the table owner as an index’s owner.
Organization-Level Objects
Object | View |
---|---|
Organization | information_schema.organization |
Account | information_schema.accounts |
Login | information_schema.logins |
Service Account | information_schema.service_accounts |
Network Policy | information_schema.network_policies |
Changing an Object’s Owner
Account-Level Objects
The owner of an account-level object may alter its ownership using the following syntax:
ALTER <object type> <object name> OWNER TO <user>
Examples:
ALTER DATABASE db OWNER TO new_owner
ALTER ENGINE eng OWNER TO new_owner
ALTER ROLE r OWNER TO new_owner
ALTER USER u OWNER TO new_owner
ALTER SCHEMA public OWNER TO new_owner
ALTER TABLE t OWNER TO new_owner
ALTER VIEW v OWNER TO new_owner
Organization-Level Objects
The owner of an organization-level object may alter its ownership using the following syntax:
ALTER <object type> <object name> OWNER TO <identity>
Where <identity> refers to a login or service account.
Examples:
ALTER ORGANIZATION my_organization OWNER TO "alice@acme.com"
ALTER ACCOUNT dev OWNER TO "alice@acme.com"
ALTER LOGIN "bob@acme.com" OWNER TO "alice@acme.com"
ALTER SERVICE ACCOUNT "machine_user" OWNER TO "alice@acme.com"
ALTER NETWORK POLICY "my_policy" OWNER TO "alice@acme.com"
Dropping Objects with Ownership Relationships
Dropping Users that Own Objects
Any objects owned by a user must first be dropped or have their owner changed before dropping the user.
A table owner can drop the table even if there are views referencing it that are not owned by the table’s owner, using the CASCADE parameter to DROP TABLE.
Dropping Logins or Service Accounts that Own Objects
Similarly, any organization-level objects owned by a login or service account must first be dropped or have their owner changed before dropping the login or service account.
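The ownership transfer that has to happen before a user, login or service account can be dropped, as an added example that is not part of the Firebolt documentation: it turns an inventory of owned objects into ALTER ... OWNER TO statements and skips transfers that would cross the account/organization boundary. The inventory, the object names in it, and the choice to double-quote every identifier are assumptions.

```python
ACCOUNT_TYPES = {"ROLE", "USER", "ENGINE", "DATABASE", "SCHEMA", "TABLE", "VIEW"}
ORG_TYPES = {"ORGANIZATION", "ACCOUNT", "LOGIN", "SERVICE ACCOUNT", "NETWORK POLICY"}


def quote_ident(name):
    # Refuse names containing a double quote instead of guessing escape rules.
    if not name or '"' in name:
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def transfer_plan(owned, new_owner, new_owner_kind):
    """Return (statements, skipped) for handing objects to new_owner.

    owned          -- iterable of (object_type, object_name) pairs
    new_owner_kind -- "user" (account level) or "identity"
                      (login or service account, organization level)
    """
    allowed = {"user": ACCOUNT_TYPES, "identity": ORG_TYPES}[new_owner_kind]
    statements, skipped = [], []
    for obj_type, obj_name in owned:
        kind = " ".join(obj_type.upper().split())
        if kind not in ACCOUNT_TYPES | ORG_TYPES:
            skipped.append((obj_type, obj_name, "type does not support ownership"))
        elif kind not in allowed:
            # The two ownership levels are isolated from each other.
            skipped.append((obj_type, obj_name, f"a {new_owner_kind} cannot own this level"))
        else:
            statements.append(
                f"ALTER {kind} {quote_ident(obj_name)} OWNER TO {quote_ident(new_owner)}"
            )
    return statements, skipped


# Constructed inventory of objects owned by a departing user.
SAMPLE_OWNED = [
    ("database", "sales"),
    ("table", "orders"),
    ("network policy", "office_only"),  # organization level: must be skipped
    ("index", "orders_idx"),            # follows the table owner, not transferable
]

if __name__ == "__main__":
    stmts, skipped = transfer_plan(SAMPLE_OWNED, "new_owner", "user")
    print(";\n".join(stmts) + ";")
    for item in skipped:
        print("-- skipped:", item)
```

Review the skipped list before dropping anything: each entry is an object the generated statements do not reassign.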
Managing Ownership in the Firebolt Workspace
You can use the user interface in the Firebolt Workspace to transfer ownership of objects as follows:
- Log in to the Firebolt Workspace. If you don’t yet have an account with Firebolt, you can sign up for one.
- Select the Govern icon in the left navigation pane to open the Govern Space.
- Select Ownership from the left navigation pane.
- Select the three horizontal dots (…) to the right of the object that you want to transfer ownership of.
- Select Transfer ownership from the drop-down list.
- In the Transfer ownership window that opens, choose a new owner from the drop-down list.
- Select the Transfer ownership button to confirm.
Viewing all Objects Owned by a User
- From the Firebolt Workspace, select the Govern icon in the left navigation pane to open the Govern Space.
- Select Users from the left navigation pane.
- Select the user from the User Name column.
- Select the Ownership tab to view a list of objects owned by the selected user.
Bulk Transferring or Deleting Objects Owned by a User
- From the Firebolt Workspace, select the Govern icon in the left navigation pane to open the Govern Space.
- Select Users from the left navigation pane.
- Select the three horizontal dots (…) to the right of the user whose objects you want to transfer ownership of.
- Select Transfer ownership from the drop-down list.
- In the window that opens, select the checkboxes next to objects that you want to delete or transfer ownership of.
- Select the Delete object or Transfer ownership button to apply changes.
Ownership transfer using the Firebolt Workspace is not available for Schema, Table, and View objects. These must be modified using SQL commands in the Develop Workspace or using the Firebolt API.
The Firebolt Workspace currently only supports managing ownership for account-level objects. Organization-level object ownership must be managed using SQL commands.