Role-based access control (RBAC)
Learn about managing RBAC authorization for Firebolt users.
Role-Based Access Control (RBAC) allows you to manage user permissions by controlling who can access or perform operations on specific objects in Firebolt. This guide provides a step-by-step process for setting RBAC in Firebolt.
Prerequisites
The following material can help you understand key concepts related to organizations and RBAC in Firebolt:
- Organizations and accounts – How Firebolt provides a structure for managing users, resources, and permissions.
- Role-Based Access Control – How administrators manage user permissions and control access to resources based on predefined roles.
View all roles
To view all roles using the Firebolt Workspace, do the following:
- Login to the Firebolt Workspace.
- Select the Govern icon (
)from the left navigation bar to open the Govern Space.
- Choose Roles from the left panel under Govern.
To view all roles using SQL, query the information_schema.applicable_roles view as shown in the following code example:
Create a role
You can create a role using the Firebolt Workspace user interface (UI) or using SQL.
Create a role using SQL
The following code example uses CREATE ROLE to create the role user_role
:
Create a role using the UI
To create a custom role using the UI:
- Select the Govern icon (
) from the left navigation bar to open the Govern Space.
- Choose Roles from the left panel under Govern.
- Choose the + New Role button in the upper-right corner of the page.
- Under Define role, enter a role name.
- Select Configure permissions.
- Under Configure permissions for each category you can select objects that you want to grant permissions for. For each category you can have multiple groups of permissions. To add additional group use Add another group button.
- Configure permissions for each group:
- Grant permissions to operate, usage, modify, etc group of objects, using the Add permissions button.
- Select Assign role.
- Select the users for which you want to assign this role or create the role without any assignment.
- Select *Create role
Delete a role
You can delete a role using either the UI in the Govern Workspace or using SQL.
Delete a role using SQL
To delete a role using SQL, use DROP ROLE as shown in the following code example:
Delete a role using the UI
To delete a role via the UI:
- Select the Govern icon (
) from the left navigation bar to open the Govern Space.
- Choose Roles from the left panel under Govern.
- Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Delete role.
- Choose Confirm.
Grant permissions to a role
Grant permissions using SQL
To grant a permission to a role using SQL, use GRANT as shown in the following code example:
Grant permissions using the UI
To grant a permission to a role via the UI:
-
Select Govern to open the govern space, then choose Roles from the menu:
-
Search for the relevant role either by using the search filters at the top of the page, or by scrolling through the list of logins. Hover over the right-most column to make the role menu appear, then choose Edit role.
-
Navigate to the Configure permissions tab to add or remove permissions.
-
Navigate to the Configure database permissions tab and select the database for which you want to edit permissions.
- Edit the desired permissions, relevant to the selected database.
- Choose a different database if you need to edit its permissions. Repeat this step as many times as needed.
-
Select Assign role.
-
Select checkbox next to the users that you want to grant role to.
-
Select Save role
Grant a role to users
Grant a role to users using SQL
To grant a role to a user or another role using SQL, use GRANT ROLE as shown in the following code example:
Grant a role using the UI
To grant a role to a user via the UI:
-
Select Govern, then choose Users from the menu:
-
In the user’s row, select the three horizontal dots to the right.
-
Select Edit user details.
-
Select the drop-down list next to Role.
-
Select the checkbox next to the roles that you want to grant.
-
Select Edit user.
Revoke permissions
You can revoke permissions using the UI in the Govern Space or using SQL.
Revoke permissions using SQL
To revoke a permission from a role using SQL, use REVOKE as shown in the following example:
Revoke permissions using the UI
To revoke permissions, follow the same steps described in Grant permissions to a role.
Revoke role
You can revoke a role from either a user or another role using either the UI in the Govern Space or SQL.
Revoke a role using SQL
To revoke a role from a user or another role using SQL, use the REVOKE ROLE statement. For example:
Revoke a role using the UI
To revoke a role, follow the steps in Grant a role to users.
Check assigned privileges using SQL
To check the effective privileges for the current user, run the following example query:
Returns:
grantee | role_name | privilege_type | object_type | object_name |
---|---|---|---|---|
test_user | account_admin | USAGE | engine | engine1 |
test_user | account_admin | USAGE | database | db1 |
Owner rights
When a query is run on a view, the database checks and uses the permissions of the view’s owner to access the underlying objects that view references, rather than the permissions of the user that ran the query on the view. The view’s owner is the user that created the view.
The following code example shows how granting and revoking privileges affects access to a base table and its view, ultimately causing an authorization failure when the view’s owner loses schema usage privileges:
If the view owner’s privileges are revoked, the query will fail even if the user has access to the view.