Account permissions

Accounts represent the physical instance of your data warehouse in Firebolt and are created in Firebolt-supported regions. All objects within an account—such as databases, engines, roles, and users—are scoped to that specific account.

| Privilege | Description | GRANT Syntax | REVOKE Syntax |
| --- | --- | --- | --- |
| CREATE DATABASE | Allows creating new databases in an account. | GRANT CREATE DATABASE ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE DATABASE ON ACCOUNT <account_name> FROM <role>; |
| USAGE ANY DATABASE | Allows using all current and future databases in an account. | GRANT USAGE ANY DATABASE ON ACCOUNT <account_name> TO <role>; | REVOKE USAGE ANY DATABASE ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY DATABASE | Allows editing all current and future databases in an account. | GRANT MODIFY ANY DATABASE ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY DATABASE ON ACCOUNT <account_name> FROM <role>; |
| CREATE ENGINE | Allows creating new engines in an account. | GRANT CREATE ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE ENGINE ON ACCOUNT <account_name> FROM <role>; |
| USAGE ANY ENGINE | Allows using all current and future engines in an account. | GRANT USAGE ANY ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE USAGE ANY ENGINE ON ACCOUNT <account_name> FROM <role>; |
| OPERATE ANY ENGINE | Allows starting and stopping all current and future engines in the account. | GRANT OPERATE ANY ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE OPERATE ANY ENGINE ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY ENGINE | Allows editing all current and future engines in the account. | GRANT MODIFY ANY ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY ENGINE ON ACCOUNT <account_name> FROM <role>; |
| CREATE ROLE | Allows creating new roles in the account. | GRANT CREATE ROLE ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE ROLE ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY ROLE | Allows editing all current and future roles in the account. | GRANT MODIFY ANY ROLE ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY ROLE ON ACCOUNT <account_name> FROM <role>; |
| CREATE USER | Allows creating new users in the account. | GRANT CREATE USER ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE USER ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY USER | Allows editing all current and future users in the account. | GRANT MODIFY ANY USER ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY USER ON ACCOUNT <account_name> FROM <role>; |
| MONITOR [ANY USAGE] | Enables the tracking of engine queries through the engine_running_queries view for active queries and the engine_query_history view for past queries in information_schema. | GRANT MONITOR ANY USAGE ON ACCOUNT <account_name> TO <role>; | REVOKE MONITOR ANY USAGE ON ACCOUNT <account_name> FROM <role>; |
| ALL [PRIVILEGES] | Grants all direct privileges for a specified account to a specified role. | GRANT ALL ON ACCOUNT <account_name> TO <role>; | REVOKE ALL ON ACCOUNT <account_name> FROM <role>; |

Revoking a privilege removes it from a role but does not explicitly deny the privilege. If the privilege was not previously granted, revoking it has no effect.
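
The revoke semantics above, as an added audit sketch (not Firebolt's code): it replays GRANT and REVOKE statements in the table's syntax over a constructed script and reports what each role still holds. Assumptions: ALL expands to the privileges listed in the table, a user may hold several roles whose privileges combine, and the REVIEW set is this example's own choice.

```python
import re
# Account-level privileges from the table above.
PRIVILEGES = {
    "CREATE DATABASE", "USAGE ANY DATABASE", "MODIFY ANY DATABASE", "CREATE ENGINE",
    "USAGE ANY ENGINE", "OPERATE ANY ENGINE", "MODIFY ANY ENGINE", "CREATE ROLE",
    "MODIFY ANY ROLE", "CREATE USER", "MODIFY ANY USER", "MONITOR ANY USAGE",
}
# Assumption: which privileges deserve review is this example's choice.
REVIEW = {"CREATE ROLE", "MODIFY ANY ROLE", "CREATE USER", "MODIFY ANY USER"}
STMT = re.compile(r'^(GRANT|REVOKE)\s+(.+?)\s+ON\s+ACCOUNT\s+("[^"]+"|\S+)'
                  r'\s+(?:TO|FROM)\s+(\w+)\s*;?$', re.IGNORECASE)
# Constructed sample script, not taken from a real account.
SAMPLE = """
GRANT CREATE DATABASE ON ACCOUNT account_name TO developer_role;
GRANT MODIFY ANY USER ON ACCOUNT account_name TO developer_role;
GRANT MODIFY ANY USER ON ACCOUNT account_name TO admin_role;
REVOKE MODIFY ANY USER ON ACCOUNT account_name FROM developer_role;
REVOKE CREATE ENGINE ON ACCOUNT account_name FROM developer_role;
"""

def normalize(priv):
    p = " ".join(priv.upper().split())
    if p in ("ALL", "ALL PRIVILEGES"):
        return set(PRIVILEGES)  # assumption: ALL = every privilege listed above
    if p == "MONITOR":          # ANY USAGE is optional in the table's notation
        p = "MONITOR ANY USAGE"
    if p not in PRIVILEGES:
        raise ValueError(f"unknown account privilege: {priv!r}")
    return {p}

def replay(script):
    grants = {}  # role -> privileges held after applying statements in order
    for line in filter(None, map(str.strip, script.splitlines())):
        m = STMT.match(line)
        if not m:
            raise ValueError(f"unrecognized statement: {line!r}")
        verb, priv, _account, role = m.groups()
        held = grants.setdefault(role, set())
        if verb.upper() == "GRANT":
            held |= normalize(priv)
        else:
            held -= normalize(priv)  # no-op if never granted; nothing is denied
    return grants

def effective(grants, roles):
    """Privileges a user holds through all assigned roles (assumed: union)."""
    return set().union(*(grants.get(r, set()) for r in roles))

def to_review(grants):
    return {r: sorted(p & REVIEW) for r, p in grants.items() if p & REVIEW}
```

In the sample, a user holding both developer_role and admin_role still has MODIFY ANY USER after the revoke from developer_role, which is why an audit should check every role a user holds.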

Examples of granting account-level permissions

CREATE DATABASE permission

The following code example grants the role developer_role permission to create new databases within the account_name:

GRANT CREATE DATABASE ON ACCOUNT account_name TO developer_role;

USAGE ANY DATABASE permission

The following code example gives permission to the role developer_role to access all current and future databases within the account_name:

GRANT USAGE ANY DATABASE ON ACCOUNT account_name TO developer_role;

MODIFY ANY DATABASE permission

The following code example grants the role developer_role permission to modify or delete all current and future databases within the account_name:

GRANT MODIFY ANY DATABASE ON ACCOUNT account_name TO developer_role;

CREATE ENGINE permission

The following code example gives the role developer_role permission to create new engines within the account_name:

GRANT CREATE ENGINE ON ACCOUNT account_name TO developer_role;

USAGE ANY ENGINE permission

The following code example grants the role developer_role permission to use all current and future engines within the account_name:

GRANT USAGE ANY ENGINE ON ACCOUNT account_name TO developer_role;

OPERATE ANY ENGINE permission

The following code example gives the role developer_role permission to start and stop all current and future engines within the account_name:

GRANT OPERATE ANY ENGINE ON ACCOUNT account_name TO developer_role;

MODIFY ANY ENGINE permission

The following code example grants the role developer_role permission to modify or delete all current and future engines within the account_name:

GRANT MODIFY ANY ENGINE ON ACCOUNT account_name TO developer_role;

CREATE ROLE permission

The following code example gives the role developer_role permission to create new roles within the account_name:

GRANT CREATE ROLE ON ACCOUNT account_name TO developer_role;

MODIFY ANY ROLE permission

The following code example grants the role developer_role permission to modify or delete all current and future roles within the account_name:

GRANT MODIFY ANY ROLE ON ACCOUNT account_name TO developer_role;

CREATE USER permission

The following code example gives the role developer_role permission to create new users within the account_name:

GRANT CREATE USER ON ACCOUNT account_name TO developer_role;

MODIFY ANY USER permission

The following code example grants the role developer_role permission to modify or delete all current and future users within the account_name:

GRANT MODIFY ANY USER ON ACCOUNT account_name TO developer_role;

MONITOR [ANY USAGE] permission

The following code example grants the role developer_role permission to see the query history and currently running queries on all the engines within account_name:

GRANT MONITOR ANY USAGE ON ACCOUNT "account-1" TO developer_role;