Engine permissions
In Firebolt, an engine is a compute resource that processes data and serves queries. Engines provide full workload isolation, allowing multiple workloads to run independently while sharing access to the same data. Engines are also decoupled from databases, which means:
- An engine can connect to multiple databases.
- A database can be accessed by multiple engines.
The following table outlines the privileges that can be granted for engines within a particular account:
| Privilege | Description | GRANT Syntax | REVOKE Syntax |
|---|---|---|---|
| USAGE | Allows using an engine to run queries. | GRANT USAGE ON ENGINE <engine_name> TO <role>; | REVOKE USAGE ON ENGINE <engine_name> FROM <role>; |
| OPERATE | Allows stopping and starting an engine. | GRANT OPERATE ON ENGINE <engine_name> TO <role>; | REVOKE OPERATE ON ENGINE <engine_name> FROM <role>; |
| MODIFY | Allows altering engine properties or dropping the engine. | GRANT MODIFY ON ENGINE <engine_name> TO <role>; | REVOKE MODIFY ON ENGINE <engine_name> FROM <role>; |
If a user lacks USAGE and OPERATE privileges for an engine, they will not be able to select or interact with the engine via the Firebolt UI.
Examples of granting engine permissions
USAGE permission
The following code example grants the role developer_role permission to use the myEngine engine for executing queries:
GRANT USAGE ON ENGINE "myEngine" TO developer_role;
OPERATE permission
The following code example gives the role developer_role permission to start and stop the myEngine engine:
GRANT OPERATE ON ENGINE "myEngine" TO developer_role;
MODIFY permission
The following code example grants the role developer_role permission to alter properties or drop the myEngine engine:
GRANT MODIFY ON ENGINE "myEngine" TO developer_role;