In Firebolt, system-defined roles are automatically created for each organization and account. These roles provide predefined privileges and serve specific purposes. While system-defined roles cannot be modified or dropped, you can grant them additional privileges as needed.

Organization system roles

Role Name | Description
organization_admin | Enables all the permissions and the ability to manage the organization.

The organization_admin role cannot be granted using SQL. It can only be granted using the Firebolt Workspace user interface (UI). To manage resources at the organization level, you must assign the organization_admin role to your login using the UI.

Account system roles

Role Name | Description
public | Includes USAGE on all databases and both USAGE and CREATE on every public schema.
system_admin | Enables managing databases, engines, schemas, tables, and views. This includes setting database and engine properties as well as access to the observability functionality on all engines.
account_admin | Grants full permissions to manage the organization.

By default, every newly created user is granted the public role. You can also revoke this role from a user.

Default privileges for system roles

System roles come with predefined default privileges that are automatically applied when objects are created. These default privileges are built into the system and cannot be revoked from system roles.

account_admin privileges

The account_admin role has comprehensive default privileges across the entire account:
  • Account-level: Full administrative access including user and role management
  • Database-level: CREATE, MODIFY, USAGE, and DROP on all databases
  • Schema-level: Default privileges include CREATE, MODIFY, USAGE, and DROP on all schemas
  • Table-level: Default privileges include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, and DROP on all tables
  • Engine-level: Full engine management and monitoring capabilities
  • Location-level: Full location management and configuration capabilities
  • User-level: Full user management and administration capabilities
  • Role-level: Full role management and administration capabilities

system_admin privileges

The system_admin role has operational privileges for database and engine management:
  • Database-level: CREATE, MODIFY, USAGE, and DROP on all databases
  • Schema-level: Default privileges include CREATE, MODIFY, USAGE, and DROP on all schemas
  • Table-level: Default privileges include SELECT, INSERT, UPDATE, DELETE, TRUNCATE, and DROP on all tables
  • Engine-level: Engine management and monitoring capabilities
  • Limitation: Cannot manage users, roles, or account-level settings

public privileges

The public role provides basic access for all users:
  • Database-level: USAGE on all databases
  • Schema-level: Default privileges include USAGE and CREATE on public schemas only
  • Table-level: No default table privileges (must be explicitly granted)

Important notes about system role privileges

  • Immutable privileges: Default privileges for system roles are hardcoded and cannot be modified using ALTER DEFAULT PRIVILEGES or REVOKE commands
  • Automatic application: These default privileges apply immediately when objects are created, without requiring explicit grants
  • Additional privileges: You can grant additional privileges to system roles, but you cannot revoke their built-in default privileges

To view the current default privileges for system roles, query the object_default_privileges information schema view:
SELECT 
  grantor,
  grantee,
  object_name,
  object_type,
  privilege_type
FROM information_schema.object_default_privileges
WHERE grantee IN ('account_admin', 'system_admin', 'public')
ORDER BY grantee, object_type;
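
Because every new user receives the public role and system roles accept additional grants, it is useful to compare the query output against the baseline listed on this page. The following is an added example, not code from the Firebolt documentation: it assumes the query results were exported to CSV with the column names used above, and the object_type values (database, schema, table, user, role, account) and the use of object_name for the schema name are assumptions.

```python
import csv
import io

# Baseline transcribed from this page's "public privileges" list.
PUBLIC_ALLOWED = {("database", "USAGE"), ("schema", "USAGE"), ("schema", "CREATE")}
# Object types system_admin must not reach, per its stated limitation.
# The type names themselves are assumed, not taken from the page.
SYSTEM_ADMIN_FORBIDDEN_TYPES = {"user", "role", "account"}

# Constructed sample export; column names follow the query above, values are invented.
SAMPLE_CSV = """grantor,grantee,object_name,object_type,privilege_type
system,public,,database,USAGE
system,public,public,schema,USAGE
system,public,public,schema,CREATE
alice,public,,table,SELECT
alice,PUBLIC,staging,schema,create
system,system_admin,,table,DROP
bob,system_admin,,role,MODIFY
system,account_admin,,user,MODIFY
"""

def _field(row, key):
    # Tolerate short rows and NULLs exported as empty cells.
    return (row.get(key) or "").strip()

def audit(csv_text):
    """Return (grantee, object_type, privilege, object_name, reason) per deviation."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        grantee = _field(row, "grantee").lower()
        otype = _field(row, "object_type").lower()
        priv = _field(row, "privilege_type").upper()
        name = _field(row, "object_name")
        reason = None
        if grantee == "public":
            if (otype, priv) not in PUBLIC_ALLOWED:
                reason = "beyond documented public defaults"
            elif otype == "schema" and name and name.lower() != "public":
                reason = "schema privilege outside a public schema"
        elif grantee == "system_admin" and otype in SYSTEM_ADMIN_FORBIDDEN_TYPES:
            reason = "system_admin is documented as unable to manage this"
        if reason:
            findings.append((grantee, otype, priv, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(finding)
```
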