> Learn about managing RBAC authorization for Firebolt users.

# Role-based access control (RBAC)

Role-Based Access Control (RBAC) allows you to manage user permissions by controlling who can access or perform operations on specific objects in Firebolt.
Firebolt supports RBAC at two different levels:

* **Organization level** – for global objects like logins, service accounts or network policies.
* **Account level** – for regional objects like databases, tables or engines.

This guide includes both **account-level RBAC** and **organization-level RBAC**.

## Prerequisites

The following material can help you understand key concepts related to organizations and RBAC in Firebolt:

* [Organizations and accounts](/overview/organizations-accounts) – How Firebolt provides a structure for managing users, resources, and permissions.
* [Role-Based Access Control](/overview/security/rbac) – How administrators manage user permissions and control access to resources based on predefined roles.

## 🔐 Account-Level RBAC

## View all roles

To view all roles using the **Firebolt Workspace**, do the following:

1. Log in to the [Firebolt Workspace](https://firebolt.go.firebolt.io/signup).
2. Select the **Govern** icon (<img src="https://mintcdn.com/firebolt/9sNth3Ot9OA4_h_K/assets/images/govern-icon.png?fit=max&auto=format&n=9sNth3Ot9OA4_h_K&q=85&s=bbfca79e9e552ca1fb3d19186c838681" alt="The Firebolt Govern Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="54" height="55" data-path="assets/images/govern-icon.png" />) from the left navigation bar to open the **Govern Space**.
3. Choose **Roles** from the left panel under **Govern**.

To view all roles using SQL, query the [information\_schema.enabled\_roles](/reference-sql/information-schema/enabled-roles) view as shown in the following code example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
SELECT
  *
FROM
  information_schema.enabled_roles;
```

## Create a role

You can create a role using the **Firebolt Workspace** user interface (UI) or using SQL.

### Create a role using SQL

The following code example uses [CREATE ROLE](/reference-sql/commands/access-control/create-role) to create the role `user_role`:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE ROLE user_role;
```

### Create a role using the UI

To create a custom role using the UI:

1. Select the **Govern** icon (<img src="https://mintcdn.com/firebolt/9sNth3Ot9OA4_h_K/assets/images/govern-icon.png?fit=max&auto=format&n=9sNth3Ot9OA4_h_K&q=85&s=bbfca79e9e552ca1fb3d19186c838681" alt="The Firebolt Govern Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="54" height="55" data-path="assets/images/govern-icon.png" />) from the left navigation bar to open the **Govern Space**.
2. Choose **Roles** from the left panel under **Govern**.
3. Choose the **+ New Role** button in the upper-right corner of the page.
4. Under **Define role**, enter a role name.
5. Select **Configure permissions**.
6. Under **Configure permissions**, select the objects in each category that you want to grant permissions for. Each category can have multiple groups of permissions; to add another group, use the **Add another group** button.
7. Configure permissions for each group:

* Use the **Add permissions** button to grant permissions such as **operate**, **usage**, or **modify** on each group of objects.

8. Select **Assign role**.
9. Select the users for which you want to assign this role or create the role without any assignment.
10. Select **Create role**.

## Delete a role

You can delete a role using either the UI in the **Govern Workspace** or using SQL.

### Delete a role using SQL

To delete a role using SQL, use [DROP ROLE](/reference-sql/commands/access-control/drop-role) as shown in the following code example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
DROP ROLE user_role;
```

### Delete a role using the UI

To delete a role via the UI:

1. Select the **Govern** icon (<img src="https://mintcdn.com/firebolt/9sNth3Ot9OA4_h_K/assets/images/govern-icon.png?fit=max&auto=format&n=9sNth3Ot9OA4_h_K&q=85&s=bbfca79e9e552ca1fb3d19186c838681" alt="The Firebolt Govern Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="54" height="55" data-path="assets/images/govern-icon.png" />) from the left navigation bar to open the **Govern Space**.
2. Choose **Roles** from the left panel under **Govern**.
3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose **Delete role**.
4. Choose **Confirm**.

## Grant permissions to a role

### Grant permissions using SQL

To grant a permission to a role using SQL, use [GRANT](/reference-sql/commands/access-control/grant) as shown in the following code example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT USAGE ON DATABASE my_db TO user_role;
```

### Grant permissions using the UI

To grant a permission to a role via the UI:

1. Select **Govern** to open the govern space, then choose **Roles** from the menu:

2. Search for the relevant role either by using the search filters at the top of the page, or by scrolling through the list of logins. Hover over the right-most column to make the role menu appear, then choose **Edit role**.

3. Navigate to the **Configure permissions** tab to add or remove permissions.

4. Navigate to the **Configure database permissions** tab and select the database for which you want to edit permissions.
   * Edit the desired permissions, relevant to the selected database.
   * Choose a different database if you need to edit its permissions. Repeat this step as many times as needed.

5. Select **Assign role**.

6. Select the checkbox next to each user that you want to grant the role to.

7. Select **Save role**.

## Grant a role to users

### Grant a role to users using SQL

To grant a role to a user or another role using SQL, use [GRANT ROLE](/reference-sql/commands/access-control/grant) as shown in the following code example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT ROLE user_role TO ROLE user2_role;
```

### Grant a role using the UI

To grant a role to a user via the UI:

1. Select **Govern**, then choose **Users** from the menu:

2. In the user's row, select the three horizontal dots to the right.

3. Select **Edit user details**.

4. Select the drop-down list next to **Role**.

5. Select the checkbox next to the roles that you want to grant.

6. Select **Edit user**.

## Revoke permissions

You can revoke permissions using the UI in the **Govern Space** or using SQL.

### Revoke permissions using SQL

To revoke a permission from a role using SQL, use [REVOKE](/reference-sql/commands/access-control/revoke) as shown in the following example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
REVOKE USAGE ON DATABASE my_db FROM user_role;
```

### Revoke permissions using the UI

To revoke permissions, follow the same steps described in [Grant permissions to a role](#grant-permissions-to-a-role).

## Revoke role

You can revoke a role from either a user or another role using either the UI in the **Govern Space** or SQL.

### Revoke a role using SQL

To revoke a role from a user or another role using SQL, use the [REVOKE ROLE](/reference-sql/commands/access-control/revoke) statement. For example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
REVOKE ROLE user_role FROM USER alex;
```

### Revoke a role using the UI

To revoke a role, follow the steps in [Grant a role to users](#grant-a-role-to-users).

### Check assigned privileges using SQL

To check the effective privileges for the current user, run the following example query:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
ON (AR.role_name = OP.grantee)
WHERE
  AR.grantee = session_user();
```

**Returns**:

| grantee    | role\_name     | privilege\_type | object\_type | object\_name |
| :--------- | :------------- | :-------------- | :----------- | :----------- |
| test\_user | account\_admin | USAGE           | engine       | engine1      |
| test\_user | account\_admin | USAGE           | database     | db1          |
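The statements below are an added end-to-end example, not part of the Firebolt documentation: they build a least-privilege read-only role from the GRANT forms shown on this page, assign it to a user, and then reuse the privilege check above for that user. The names `analyst_role`, `my_db`, `orders`, `query_engine` and the user `alex` are assumed placeholders.

```sql
-- Added example: a least-privilege read-only role, then a check of what it resolves to.
-- Object names (my_db, public.orders, query_engine, user alex) are assumed placeholders.
CREATE ROLE analyst_role;

-- The minimum a reader needs: reach the database and schema, read one table,
-- and run queries on an engine. No MODIFY, no CREATE.
GRANT USAGE ON DATABASE my_db TO analyst_role;
GRANT USAGE ON SCHEMA public TO analyst_role;
GRANT SELECT ON TABLE orders TO analyst_role;
GRANT USAGE ON ENGINE query_engine TO analyst_role;

-- Grant the role to the user instead of granting privileges to the user directly,
-- so the grant can be reviewed and revoked as one unit.
GRANT ROLE analyst_role TO USER alex;

-- Verify what alex actually holds, including roles inherited through role-to-role
-- grants. Any row beyond the four grants above (for example a MODIFY on the table)
-- is over-provisioning that should be revoked.
SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
  ON AR.role_name = OP.grantee
WHERE AR.grantee = 'alex'
ORDER BY AR.role_name, OP.object_type, OP.object_name;
```

Run the final query again after any later GRANT ROLE to the user; because `transitive_applicable_roles` follows role-to-role grants, a role granted to `analyst_role` shows up here as privileges `alex` can use.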

#### Owner rights

When a query is run on a view, the database checks and uses the permissions of the view's owner to access the underlying objects that view references, rather than the permissions of the user that ran the query on the view. The view's owner is the user that created the view.

The following code example shows how granting and revoking privileges affects access to a base table and its view, ultimately causing an authorization failure when the view's owner loses schema usage privileges:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE USER user1 WITH ROLE=role1;
CREATE USER user2 WITH ROLE=role2;

CREATE TABLE base_table (a int); -- executed by user1
CREATE VIEW view_over_base_table AS SELECT * FROM base_table; -- executed by user1

GRANT SELECT ON VIEW view_over_base_table TO role2;
REVOKE SELECT ON TABLE base_table FROM role2;

SELECT * FROM base_table; -- executed by user2, fails with an authorization error
SELECT * FROM view_over_base_table; -- executed by user2, successfully

REVOKE USAGE ON SCHEMA public FROM role1;
-- role1 no longer has access to the table because it lacks the schema usage privilege
SELECT * FROM view_over_base_table; -- executed by user2 and fails because the view owner's role1 cannot access base_table
```

If the view owner's privileges are revoked, the query will fail even if the user has access to the view.

For a detailed guide on using the owner rights model to implement column-level and row-level security with views, see [Using secure views](/guides/security/rbac-views-security).

## Grant default permissions to a role

Default privileges automatically grant permissions on future objects to roles at the moment those objects are created.

### Grant default privileges on schemas

To grant default privileges that apply to all future schemas in the account using [ALTER DEFAULT PRIVILEGES](/reference-sql/commands/access-control/alter-default-privileges):

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
ALTER DEFAULT PRIVILEGES GRANT USAGE ON SCHEMAS TO reader_role;
ALTER DEFAULT PRIVILEGES GRANT CREATE ON SCHEMAS TO writer_role;
```

### Revoke default privileges

You can revoke default privileges using the same syntax:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
ALTER DEFAULT PRIVILEGES REVOKE USAGE ON SCHEMAS FROM reader_role;
```

### View default privileges

Query the [object\_default\_privileges](/reference-sql/information-schema/object-default-privileges) view to see current default privilege settings:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
SELECT 
  grantor,
  grantee,
  object_name,
  object_type,
  privilege_type
FROM information_schema.object_default_privileges
WHERE grantee = 'role_name';
```

## 🌐 Organization-Level RBAC

### View all organization roles

To view all organization roles using the **Firebolt Workspace**, do the following:

1. Log in to the [Firebolt Workspace](https://firebolt.go.firebolt.io/signup).
2. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />) from the left navigation bar to open the **Configure Space**.
3. Choose **Organization roles** from the left panel under **Configure**.

### Create Organization Role

The following code example creates an organization role if it doesn't already exist:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
-- IF NOT EXISTS is optional; without it the statement fails when my_role already exists
CREATE ORGANIZATION ROLE IF NOT EXISTS my_role;
```

### Create Organization Role using the UI

1. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />) from the left navigation bar to open the **Configure Space**.
2. Choose **Organization roles** from the left panel under **Configure**.
3. Choose the **Create organization role** button in the upper-right corner of the page.
4. Under **Define organization role**, enter a role name.
5. Select **Next step**.
6. Under **Configure permissions**, select the objects in each category that you want to grant permissions for. Each category can have multiple groups of permissions; to add another group, use the **Add another group** button.
7. Configure permissions for each group:
   * Use the **Add permissions** button to grant permissions such as **Create Account**, **Create Login**, or **Modify** on each group of objects.
8. Select **Next step**.
9. Select the Logins, Service accounts and Organization roles for which you want to assign this role, or create the role without any assignment.
10. Select **Create role**.

***

### Drop Organization Role

The following code example drops an organization role if it exists:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
-- IF EXISTS is optional; RESTRICT (the alternative is CASCADE) controls what happens to dependent grants
DROP ORGANIZATION ROLE IF EXISTS my_role RESTRICT;
```

### Drop organization role using the UI

1. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />) from the left navigation bar to open the **Configure Space**.
2. Choose **Organization roles** from the left panel under **Configure**.
3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose **Delete role**.
4. Choose **Delete**.

***

### Alter Organization Role

The following code example changes the owner of the organization role `my_role` to `new_owner` and then renames the role to `new_name`:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
ALTER ORGANIZATION ROLE my_role OWNER TO new_owner;
ALTER ORGANIZATION ROLE my_role RENAME TO new_name;
```

### Alter Organization Role using the UI

1. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />) from the left navigation bar to open the **Configure Space**.
2. Choose **Organization roles** from the left panel under **Configure**.
3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose **Edit role**.
4. Navigate to the **Configure permissions** tab to add or remove permissions.
5. Select **Assign role**.
6. Select the checkbox next to each Login, Service account, or Organization role that you want to grant the role to.
7. Select **Save role**.

***

### Grant Organization Role

The following code example grants the organization role `my_role` to a login, a service account, and another organization role:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT ORGANIZATION ROLE my_role TO LOGIN "john@acme.com";
GRANT ORGANIZATION ROLE my_role TO SERVICE ACCOUNT svc_account;
GRANT ORGANIZATION ROLE my_role TO ORGANIZATION ROLE another_org_role;
```

### Grant Organization Role using the UI

1. Select the **Configure** icon (<img src="https://mintcdn.com/firebolt/LtHVeTPldSybs7Fs/assets/images/configure-icon.png?fit=max&auto=format&n=LtHVeTPldSybs7Fs&q=85&s=87fd30b45fb4e5ce812a41b9bf13767c" alt="The Firebolt Configure Space icon." style={{"display": "inline", "margin-bottom": "0", "margin-top": "0", "width": "20px"}} width="52" height="52" data-path="assets/images/configure-icon.png" />) from the left navigation bar to open the **Configure Space**.
2. Choose **Organization roles** from the left panel under **Configure**.
3. Search for the relevant role using the top search filters or by scrolling through the list. Hover over the right-most column to make the role menu appear, then choose **Grant to** login | service account | role.
4. Select the object you want to assign to.
5. Select **Grant**.

***

### Revoke Organization Role

The following code example revokes the organization role `my_role` from the login `john@acme.com`:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
REVOKE ORGANIZATION ROLE my_role FROM LOGIN "john@acme.com";
```

### Revoke organization Role using the UI

To revoke permissions, follow the same steps described in [Grant Organization Role using the UI](#grant-organization-role-using-the-ui).

***

### Grant Privileges

The following code example grants the `MODIFY ANY LOGIN` privilege to the organization role `my_role`, allowing it to modify any login in the organization:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT MODIFY ANY LOGIN TO ORGANIZATION ROLE my_role;
```

***

### Revoke Privileges

The following code example revokes the `MODIFY` privilege on the login `john@acme.com` from the organization role `my_role`:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
REVOKE MODIFY ON LOGIN "john@acme.com" FROM ORGANIZATION ROLE my_role;
```

### Grant or Revoke privileges using the UI

To grant or revoke privileges, follow the same steps described in [Alter Organization Role using the UI](#alter-organization-role-using-the-ui).

***

### Query Organization RBAC Metadata

The following queries list information about organization roles and privileges: applicable roles, transitive applicable roles, enabled roles, and granted object privileges from `org_db.information_schema`:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
-- List applicable organization roles
SELECT * FROM org_db.information_schema.applicable_roles;

-- List transitive organization roles
SELECT * FROM org_db.information_schema.transitive_applicable_roles;

-- List enabled organization roles
SELECT * FROM org_db.information_schema.enabled_roles;

-- List granted privileges
SELECT * FROM org_db.information_schema.object_privileges;
```

***

## 📊 RBAC Comparison Summary

| Feature        | Organization-Level RBAC                   | Account-Level RBAC     |
| -------------- | ----------------------------------------- | ---------------------- |
| Scope          | Global                                    | Regional (per-account) |
| Role Type      | `ORGANIZATION ROLE`                       | `ROLE`                 |
| Grantees       | Login, Service Account, Organization Role | User, Role             |
| Metadata Views | `org_db.information_schema.*`             | `information_schema.*` |
| UI Support     | Coming Soon                               | Available              |

## 🧑‍💼 Ownership of Global Organization-Level Objects

Ownership at the organization level functions similarly to account-level ownership. The **owner of an organization-level object** is implicitly granted **full control** over that object. This includes the ability to **modify, drop, grant, and revoke privileges** on it, regardless of any explicit privileges.

This model ensures that the object's creator, or reassigned owner, retains administrative authority, providing a clear and secure access model.

For more details, see the [Ownership documentation](/overview/security/rbac/ownership).
