Role-Based Access Control (RBAC) allows you to manage user permissions by controlling who can access or perform operations on specific objects in Firebolt. Firebolt supports RBAC at two different levels:

  • Organization level – for global objects like logins, service accounts or network policies.
  • Account level – for regional objects like databases, tables or engines.

This guide includes both account-level RBAC and organization-level RBAC.

Prerequisites

The following material can help you understand key concepts related to organizations and RBAC in Firebolt:

🔐 Account-Level RBAC

View all roles

To view all roles using the Firebolt Workspace, do the following:

  1. Login to the Firebolt Workspace.
  2. Select the Govern icon (The Firebolt Govern Space icon.) from the left navigation bar to open the Govern Space.
  3. Choose Roles from the left panel under Govern.

To view all roles using SQL, query the information_schema.enabled_roles view as shown in the following code example:

SELECT
  *
FROM
  information_schema.enabled_roles;

Create a role

You can create a role using the Firebolt Workspace user interface (UI) or using SQL.

Create a role using SQL

The following code example uses CREATE ROLE to create the role user_role:

CREATE ROLE user_role;

Create a role using the UI

To create a custom role using the UI:

  1. Select the Govern icon (The Firebolt Govern Space icon.) from the left navigation bar to open the Govern Space.
  2. Choose Roles from the left panel under Govern.
  3. Choose the + New Role button in the upper-right corner of the page.
  4. Under Define role, enter a role name.
  5. Select Configure permissions.
  6. Under Configure permissions, select, for each category, the objects that you want to grant permissions for. Each category can have multiple groups of permissions; to add another group, use the Add another group button.
  7. Configure permissions for each group:
     • Grant permissions (for example operate, usage, or modify) on the group of objects using the Add permissions button.
  8. Select Assign role.
  9. Select the users to which you want to assign this role, or create the role without any assignment.
  10. Select Create role.

Delete a role

You can delete a role using either the UI in the Govern Space or SQL.

Delete a role using SQL

To delete a role using SQL, use DROP ROLE as shown in the following code example:

DROP ROLE user_role;

Delete a role using the UI

To delete a role via the UI:

  1. Select the Govern icon (The Firebolt Govern Space icon.) from the left navigation bar to open the Govern Space.
  2. Choose Roles from the left panel under Govern.
  3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Delete role.
  4. Choose Confirm.

Grant permissions to a role

Grant permissions using SQL

To grant a permission to a role using SQL, use GRANT as shown in the following code example:

GRANT USAGE ON DATABASE my_db TO user_role;

Grant permissions using the UI

To grant a permission to a role via the UI:

  1. Select Govern to open the Govern Space, then choose Roles from the menu.

  2. Search for the relevant role either by using the search filters at the top of the page, or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Edit role.

  3. Navigate to the Configure permissions tab to add or remove permissions.

  4. Navigate to the Configure database permissions tab and select the database for which you want to edit permissions.

    • Edit the desired permissions, relevant to the selected database.
    • Choose a different database if you need to edit its permissions. Repeat this step as many times as needed.
  5. Select Assign role.

  6. Select the checkbox next to each user that you want to grant the role to.

  7. Select Save role.

Grant a role to users

Grant a role to users using SQL

To grant a role to a user or another role using SQL, use GRANT ROLE as shown in the following code example:

GRANT ROLE user_role TO ROLE user2_role;

Grant a role using the UI

To grant a role to a user via the UI:

  1. Select Govern, then choose Users from the menu.

  2. In the user’s row, select the three horizontal dots to the right.

  3. Select Edit user details.

  4. Select the drop-down list next to Role.

  5. Select the checkbox next to the roles that you want to grant.

  6. Select Edit user.

Revoke permissions

You can revoke permissions using the UI in the Govern Space or using SQL.

Revoke permissions using SQL

To revoke a permission from a role using SQL, use REVOKE as shown in the following example:

REVOKE USAGE ON DATABASE my_db FROM user_role;

Revoke permissions using the UI

To revoke permissions, follow the same steps described in Grant permissions to a role.

Revoke role

You can revoke a role from either a user or another role using either the UI in the Govern Space or SQL.

Revoke a role using SQL

To revoke a role from a user or another role using SQL, use the REVOKE ROLE statement. For example:

REVOKE ROLE user_role FROM USER alex;

Revoke a role using the UI

To revoke a role, follow the steps in Grant a role to users.

Check assigned privileges using SQL

To check the effective privileges for the current user, run the following example query:

SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
ON (AR.role_name = OP.grantee)
WHERE
  AR.grantee = session_user();

Returns:

grantee    role_name      privilege_type  object_type  object_name
test_user  account_admin  USAGE           engine       engine1
test_user  account_admin  USAGE           database     db1
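As an added example that is not part of the Firebolt documentation, the following sequence combines the GRANT, GRANT ROLE and privilege-check statements from the sections above into one least-privilege read-only role: the role receives USAGE on a single database, schema and engine plus SELECT on a single table, and nothing else, and the final query verifies what the assigned user can actually do. All object names (analyst, alex, sales_db, public, sales_engine, orders) are constructed for this example, and it assumes it is run by a user whose role may create roles and users and grant privileges on those objects.

```sql
-- Added example: least-privilege read-only role (constructed names, not from the Firebolt docs).
CREATE ROLE analyst;

-- Scope the role to exactly the objects a reader needs.
GRANT USAGE ON DATABASE sales_db TO analyst;     -- connect to the database
GRANT USAGE ON SCHEMA public TO analyst;         -- resolve objects in the schema
GRANT USAGE ON ENGINE sales_engine TO analyst;   -- run queries on one engine
GRANT SELECT ON TABLE orders TO analyst;         -- read one table; no INSERT or DELETE

-- Attach the role to a new user; for an existing user use GRANT ROLE instead.
CREATE USER alex WITH ROLE=analyst;
-- GRANT ROLE analyst TO USER alex;

-- Verify the effective privileges of alex: the same join as the check query
-- above, filtered on a named grantee instead of session_user().
SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
  ON AR.role_name = OP.grantee
WHERE AR.grantee = 'alex'
ORDER BY OP.object_type, OP.object_name;

-- If the check shows a privilege that should not be there, revoke just that
-- privilege; dropping and re-creating the role would also drop its assignments.
REVOKE SELECT ON TABLE orders FROM analyst;
```

Run the verification query again after every change to the role; the four USAGE/SELECT rows it returns for alex are the complete set of privileges the user holds through analyst, so any extra row points at a grant that was not intended.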

Owner rights

When a query is run on a view, the database checks and uses the permissions of the view’s owner to access the underlying objects that view references, rather than the permissions of the user that ran the query on the view. The view’s owner is the user that created the view.

The following code example shows how granting and revoking privileges affects access to a base table and its view, ultimately causing an authorization failure when the view’s owner loses schema usage privileges:

CREATE ROLE role1;
CREATE ROLE role2;
CREATE USER user1 WITH ROLE=role1;
CREATE USER user2 WITH ROLE=role2;

CREATE TABLE base_table (a int); -- executed by user1, who becomes the table owner
CREATE VIEW view_over_base_table AS SELECT * FROM base_table; -- executed by user1, who becomes the view owner

GRANT SELECT ON VIEW view_over_base_table TO role2;
REVOKE SELECT ON TABLE base_table FROM role2;

SELECT * FROM base_table; -- executed by user2, fails with an authorization error
SELECT * FROM view_over_base_table; -- executed by user2, succeeds: the base table is read with the view owner's (user1's) privileges

REVOKE USAGE ON SCHEMA public FROM role1;
-- role1 no longer has access to the table because it lost the usage privilege on the schema
SELECT * FROM view_over_base_table; -- executed by user2, fails because the view owner's role1 can no longer access base_table

If the view owner’s privileges are revoked, the query will fail even if the user has access to the view.

🌐 Organization-Level RBAC

View all organization roles

To view all organization roles using the Firebolt Workspace, do the following:

  1. Login to the Firebolt Workspace.
  2. Select the Configure icon (The Firebolt Configure Space icon.) from the left navigation bar to open the Configure Space.
  3. Choose Organization roles from the left panel under Configure.

Create Organization Role

The following code example creates the organization role my_role if it doesn’t already exist (the IF NOT EXISTS clause is optional):

CREATE ORGANIZATION ROLE IF NOT EXISTS my_role;

Create Organization Role using the UI

  1. Select the Configure icon (The Firebolt Configure Space icon.) from the left navigation bar to open the Configure Space.
  2. Choose Organization roles from the left panel under Configure.
  3. Choose the Create organization role button in the upper-right corner of the page.
  4. Under Define organization role, enter a role name.
  5. Select Next step.
  6. Under Configure permissions for each category you can select objects that you want to grant permissions for. For each category you can have multiple groups of permissions. To add additional group use Add another group button.
  7. Configure permissions for each group:
    • Grant permissions to Create Account, Create Login, Modify, etc group of objects, using the Add permissions button.
  8. Select Next step.
  9. Select the Logins, Service accounts and Organization roles for which you want to assign this role or create the role without any assignment.
  10. Select Create role

Drop Organization Role

The following code example drops the organization role my_role if it exists (the IF EXISTS clause is optional, and an optional RESTRICT or CASCADE clause may follow the role name):

DROP ORGANIZATION ROLE IF EXISTS my_role;

Drop organization role using the UI

  1. Select the Configure icon (The Firebolt Configure Space icon.) from the left navigation bar to open the Configure Space.
  2. Choose Organization roles from the left panel under Configure.
  3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Delete role.
  4. Choose Delete.

Alter Organization Role

The following code example changes the owner of the organization role my_role to new_owner and then renames the role to new_name:

ALTER ORGANIZATION ROLE my_role OWNER TO new_owner;
ALTER ORGANIZATION ROLE my_role RENAME TO new_name;

Alter Organization Role using the UI

  1. Select the Configure icon (The Firebolt Configure Space icon.) from the left navigation bar to open the Configure Space.
  2. Choose Organization roles from the left panel under Configure.
  3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Edit role.
  4. Navigate to the Configure permissions tab to add or remove permissions.
  5. Select Assign role.
  6. Select the checkbox next to each of the Logins, Service accounts, or Organization roles that you want to grant the role to.
  7. Select Save role.

Grant Organization Role

The following code example grants the organization role my_role to a login, a service account, and another organization role:

GRANT ORGANIZATION ROLE my_role TO LOGIN "john@acme.com";
GRANT ORGANIZATION ROLE my_role TO SERVICE ACCOUNT svc_account;
GRANT ORGANIZATION ROLE my_role TO ORGANIZATION ROLE another_org_role;

Grant Organization Role using the UI

  1. Select the Configure icon (The Firebolt Configure Space icon.) from the left navigation bar to open the Configure Space.
  2. Choose Organization roles from the left panel under Configure.
  3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose Grant to login | service account | role.
  4. Select the object you want to assign to.
  5. Select Grant.

Revoke Organization Role

The following code example revokes the organization role my_role from the login john@acme.com:

REVOKE ORGANIZATION ROLE my_role FROM LOGIN "john@acme.com";

Revoke organization Role using the UI

To revoke an organization role, follow the same steps described in Grant Organization Role using the UI.


Grant Privileges

The following code example grants the MODIFY ANY LOGIN privilege to the organization role my_role, allowing it to modify any login in the organization:

GRANT MODIFY ANY LOGIN TO ORGANIZATION ROLE my_role;

Revoke Privileges

The following code example revokes the MODIFY privilege on the login john@acme.com from the organization role my_role:

REVOKE MODIFY ON LOGIN "john@acme.com" FROM ORGANIZATION ROLE my_role;

Grant or Revoke privileges using the UI

To grant or revoke privileges, follow the same steps described in Alter Organization Role using the UI.


Query Organization RBAC Metadata

The following queries list information about organization roles and privileges: applicable roles, transitive applicable roles, enabled roles, and granted object privileges from org_db.information_schema:

-- List applicable organization roles
SELECT * FROM org_db.information_schema.applicable_roles;

-- List transitive organization roles
SELECT * FROM org_db.information_schema.transitive_applicable_roles;

-- List enabled organization roles
SELECT * FROM org_db.information_schema.enabled_roles;

-- List granted privileges
SELECT * FROM org_db.information_schema.object_privileges;
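As an added example that is not part of the Firebolt documentation, the following sequence ties the organization-level statements above together into one narrowly scoped role: instead of MODIFY ANY LOGIN, the role gets MODIFY on a single login, it is granted to a service account, and the org_db.information_schema views are used to audit what the role can do and who holds it. The role, login and service-account names (helpdesk, analyst@acme.com, helpdesk_bot) are constructed; GRANT MODIFY ON LOGIN and REVOKE ORGANIZATION ROLE ... FROM SERVICE ACCOUNT are assumed to be the counterparts of the REVOKE MODIFY ON LOGIN and GRANT ... TO SERVICE ACCOUNT statements shown on this page.

```sql
-- Added example: narrowly scoped organization role (constructed names, not from the Firebolt docs).
CREATE ORGANIZATION ROLE IF NOT EXISTS helpdesk;

-- Prefer a privilege on one login over MODIFY ANY LOGIN, which would let the
-- role alter every login in the organization.
-- (GRANT MODIFY ON LOGIN is assumed as the counterpart of REVOKE MODIFY ON LOGIN.)
GRANT MODIFY ON LOGIN "analyst@acme.com" TO ORGANIZATION ROLE helpdesk;

-- Assign the role to the service account that runs the helpdesk automation.
GRANT ORGANIZATION ROLE helpdesk TO SERVICE ACCOUNT helpdesk_bot;

-- Audit 1: which privileges does the role hold? Expect exactly one row,
-- MODIFY on the login analyst@acme.com.
SELECT grantee, privilege_type, object_type, object_name
FROM org_db.information_schema.object_privileges
WHERE grantee = 'helpdesk';

-- Audit 2: who holds the role, directly or through another organization role?
SELECT *
FROM org_db.information_schema.transitive_applicable_roles
WHERE role_name = 'helpdesk';

-- Audit 3: periodic review of every MODIFY privilege granted at the
-- organization level, so broad grants such as MODIFY ANY LOGIN are noticed.
SELECT grantee, privilege_type, object_type, object_name
FROM org_db.information_schema.object_privileges
WHERE privilege_type = 'MODIFY'
ORDER BY grantee, object_name;

-- Decommission: revoke the assignment first, then drop the role.
-- (REVOKE ... FROM SERVICE ACCOUNT is assumed as the counterpart of GRANT ... TO SERVICE ACCOUNT.)
REVOKE ORGANIZATION ROLE helpdesk FROM SERVICE ACCOUNT helpdesk_bot;
DROP ORGANIZATION ROLE IF EXISTS helpdesk;
```

The two audit queries are the ones to keep in a scheduled review: the first shows the blast radius of a role, the second shows who inherits it, which matters because organization roles can be granted to other organization roles and the transitive view is the only one that resolves that chain.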

📊 RBAC Comparison Summary

Feature         Organization-Level RBAC                    Account-Level RBAC
Scope           Global                                     Regional (per-account)
Role Type       ORGANIZATION ROLE                          ROLE
Grantees        Login, Service Account, Organization Role  User, Role
Metadata Views  org_db.information_schema.*                information_schema.*
UI Support      Coming Soon                                Available

🧑‍💼 Ownership of Global Organization-Level Objects

Ownership at the organization level functions similarly to account-level ownership. The owner of an organization-level object is implicitly granted full control over that object. This includes the ability to modify, drop, grant, and revoke privileges on it, regardless of any explicit privileges.

This model ensures that the object’s creator, or reassigned owner, retains administrative authority, providing a clear and secure access model.

For more details, see the Ownership documentation.