Manage role-based access control
Role-based access control provides the ability to control permissions and determine who can access and perform operations on specific objects in Firebolt. Permissions are assigned to roles which are, in turn, assigned to users or other roles. A user can be assigned multiple roles.
A user interacting with Firebolt must have the appropriate permissions to use an object. Permissions from all roles assigned to a user are considered in each interaction in Firebolt.
To view all roles, click Govern to open the govern space, then choose Roles from the menu, or query the information_schema.applicable_roles view.
System-defined roles
Roles are assigned to users to allow them to complete tasks on relevant objects to fulfill their business needs. Firebolt comes with system-defined roles per account.
| Role Name | Description |
|---|---|
| public | Enables querying any database in the account. |
| security_admin | Enables managing all account roles (with the ability to manage grants) and users. |
| system_admin | Enables managing databases, engines, schemas, tables, views, external tables, and grants, as well as setting database and engine properties. In addition, the system_admin role enables access to the observability functionality on all engines. |
| account_admin | Enables all the permissions of the system_admin and security_admin roles alongside the ability to manage the account. |
System-defined roles can neither be modified nor dropped. Users with the account_admin role can grant roles to other users.
Custom roles
A user with either the account_admin or security_admin role can create custom roles. You can create a custom role using SQL or via the UI.
Permissions
A set of permissions can be granted for every securable object. See which permissions are available for accounts, databases and engines below. To view all permissions, query the information_schema.object_permissions view.
Account
Permissions can be granted for accounts to allow creating databases and engines.
| Permission | Description |
|---|---|
| CREATE DATABASE | Enables creating new databases in the account. |
| USAGE ANY DATABASE | Enables using all current and future databases in the account. |
| MODIFY ANY DATABASE | Enables editing all current and future databases in the account. |
| CREATE ENGINE | Enables creating new engines in the account. |
| USAGE ANY ENGINE | Enables using all current and future engines in the account. |
| OPERATE ANY ENGINE | Enables starting and stopping all current and future engines in the account. |
| MODIFY ANY ENGINE | Enables editing all current and future engines in the account. |
Database
Permissions can be granted for databases to allow usage and modification of databases per account.
| Permission | Description |
|---|---|
| USAGE | Enables querying tables and views, and attaching engines to the database. |
| MODIFY | Enables creating or dropping tables, views, and indexes on the database; inserting data into the database's tables; altering the properties of a database; and dropping a database. |
Engine
Permissions can be granted for engines to allow usage, operation and modification of engines per account.
| Permission | Description |
|---|---|
| USAGE | Enables using the engine to execute queries. |
| OPERATE | Enables stopping and starting the engine. |
| MODIFY | Enables dropping or altering any properties of the engine. |
Create role
SQL
To create a custom role using SQL, use the CREATE ROLE statement. For example:

```sql
CREATE ROLE user_role;
```
UI
To create a custom role via the UI:
- Click Govern to open the govern space, then choose Roles from the menu.
- From the Roles management page, choose New role.
- Enter a role name.
- Choose the object type you want to grant permissions on for the role from the left-hand list; databases or engines.
- Choose the permissions you want to grant for each object type. You can use the toggles at the top to grant permissions over all databases or engines, or you can define permissions more granularly on existing databases or engines using the table views, where you can also search by database or engine name.
Delete role
SQL
To delete a custom role using SQL, use the DROP ROLE statement. For example:

```sql
DROP ROLE user_role;
```
UI
To delete a custom role via the UI:
- Click Govern to open the govern space, then choose Roles from the menu.
- Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Delete role.
- Choose Confirm.
Grant permissions to a role
SQL
To grant a permission to a role using SQL, use the GRANT statement. For example:

```sql
GRANT USAGE ON DATABASE my_db TO user_role;
```
UI
To grant a permission to a role via the UI:
- Click Govern to open the govern space, then choose Roles from the menu.
- Search for the relevant role using the top search filters, or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Edit role.
- Choose the permissions tab for the object type you want to manage permissions for, then select the desired permissions. To grant permissions over all objects of that type, choose the topmost line.
- Click Update.
Grant role
SQL
To grant a role to a user or another role using SQL, use the GRANT ROLE statement. For example:

```sql
GRANT ROLE user_role TO ROLE user2_role;
```
UI
To grant a role to a user via the UI:
- Click Govern to open the govern space, then choose Users from the menu.
- Search for the relevant user using the top search filters, or by scrolling through the list of logins. Hover over the right-most column to make the user menu appear, then choose Edit user details.
- Check all the roles you want assigned to the user.
- Click Update.
Revoke permissions
SQL
To revoke a permission from a role using SQL, use the REVOKE statement. For example:

```sql
REVOKE USAGE ON DATABASE my_db FROM user_role;
```
UI
To revoke a permission from a role via the UI, follow the same steps above that you would to grant permissions.
Revoke role
SQL
To revoke a role from a user or another role using SQL, use the REVOKE ROLE statement. For example:

```sql
REVOKE ROLE user_role FROM USER alex;
```
UI
To revoke a role from a user or another role via the UI, follow the same steps above that you would to grant a role.
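The following script ties the Permissions tables and the create / grant / revoke procedures above into one least-privilege setup for a reporting role. It is an added example, not a script from the Firebolt documentation. It assumes a database named sales_db, an engine named reporting_engine, and a user named alex already exist; the ON ENGINE grant form and the TO USER / FROM ROLE forms are assumed to mirror the ON DATABASE, TO ROLE and FROM USER forms shown on this page. The information_schema views are the ones the page names, but their column names are not listed here, so the audit queries select every column.

```sql
-- Added example (not from the Firebolt docs): a least-privilege reporting role.
-- Assumed objects: database sales_db, engine reporting_engine, user alex.

-- 1. Create custom roles (requires account_admin or security_admin).
CREATE ROLE sales_reader;
CREATE ROLE sales_loader;

-- 2. Grant permissions scoped to named objects. USAGE on the database allows
--    querying its tables and views; USAGE on the engine allows running queries
--    on it. Granting USAGE ANY DATABASE / USAGE ANY ENGINE at account level
--    would also cover every future database and engine, which a reporting
--    role does not need.
GRANT USAGE ON DATABASE sales_db TO sales_reader;
GRANT USAGE ON ENGINE reporting_engine TO sales_reader;   -- assumed ON ENGINE form

-- 3. The loader role inherits the reader's grants by nesting the role, then
--    adds MODIFY on the database (create/drop tables and views, insert data).
--    OPERATE on the engine is deliberately left out: loading data does not
--    require the ability to start or stop the engine.
GRANT ROLE sales_reader TO ROLE sales_loader;
GRANT MODIFY ON DATABASE sales_db TO sales_loader;

-- 4. Assign the role to a user. Permissions from every role assigned to the
--    user are combined on each interaction.
GRANT ROLE sales_reader TO USER alex;                     -- assumed TO USER form

-- 5. Audit: confirm which roles are in effect and what each role can reach.
SELECT * FROM information_schema.applicable_roles;
SELECT * FROM information_schema.object_permissions;

-- 6. Offboarding / rollback: revoke the role from the user first, then unwind
--    the grants and drop the custom roles (system-defined roles cannot be dropped).
REVOKE ROLE sales_reader FROM USER alex;
REVOKE MODIFY ON DATABASE sales_db FROM sales_loader;
REVOKE ROLE sales_reader FROM ROLE sales_loader;          -- assumed FROM ROLE form
DROP ROLE sales_loader;
REVOKE USAGE ON ENGINE reporting_engine FROM sales_reader;
REVOKE USAGE ON DATABASE sales_db FROM sales_reader;
DROP ROLE sales_reader;
```

Run the two audit queries after step 4 and again after step 6: the first run should list sales_reader as applicable to alex and show the database and engine grants, and the second run should show none of them, which is the check that the revoke path actually removed access rather than leaving a stale grant behind.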