Role-Based Access Control
Account Permissions
Learn about account-level permissions in Firebolt.
Accounts represent the physical instance of your data warehouse in Firebolt and are created in Firebolt-supported regions. All objects within an account—such as databases, engines, roles, and users—are scoped to that specific account.
For more detailed information about location permissions and their usage, see Location permissions.
| Privilege | Description | GRANT Syntax | REVOKE Syntax |
|---|---|---|---|
| CREATE DATABASE | Allows creating new databases in an account. | GRANT CREATE DATABASE ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE DATABASE ON ACCOUNT <account_name> FROM <role>; |
| USAGE ANY DATABASE | Allows using all current and future databases in an account. | GRANT USAGE ANY DATABASE ON ACCOUNT <account_name> TO <role>; | REVOKE USAGE ANY DATABASE ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY DATABASE | Allows editing all current and future databases in an account. | GRANT MODIFY ANY DATABASE ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY DATABASE ON ACCOUNT <account_name> FROM <role>; |
| CREATE ENGINE | Allows creating new engines in an account. | GRANT CREATE ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE ENGINE ON ACCOUNT <account_name> FROM <role>; |
| USAGE ANY ENGINE | Allows using all current and future engines in an account. | GRANT USAGE ANY ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE USAGE ANY ENGINE ON ACCOUNT <account_name> FROM <role>; |
| OPERATE ANY ENGINE | Allows starting and stopping all current and future engines in the account. | GRANT OPERATE ANY ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE OPERATE ANY ENGINE ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY ENGINE | Allows editing all current and future engines in the account. | GRANT MODIFY ANY ENGINE ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY ENGINE ON ACCOUNT <account_name> FROM <role>; |
| MONITOR [ANY USAGE] | Enables the tracking of engine queries through the engine_running_queries view for active queries and the engine_query_history view for past queries in information_schema. | GRANT MONITOR ANY USAGE ON ACCOUNT <account_name> TO <role>; | REVOKE MONITOR ANY USAGE ON ACCOUNT <account_name> FROM <role>; |
| CREATE ROLE | Allows creating new roles in the account. | GRANT CREATE ROLE ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE ROLE ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY ROLE | Allows editing all current and future roles in the account. | GRANT MODIFY ANY ROLE ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY ROLE ON ACCOUNT <account_name> FROM <role>; |
| CREATE USER | Allows creating new users in the account. | GRANT CREATE USER ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE USER ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY USER | Allows editing all current and future users in the account. | GRANT MODIFY ANY USER ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY USER ON ACCOUNT <account_name> FROM <role>; |
| CREATE LOCATION | Allows creating new location objects in the account. | GRANT CREATE LOCATION ON ACCOUNT <account_name> TO <role>; | REVOKE CREATE LOCATION ON ACCOUNT <account_name> FROM <role>; |
| MODIFY ANY LOCATION | Allows editing all current and future locations in the account. | GRANT MODIFY ANY LOCATION ON ACCOUNT <account_name> TO <role>; | REVOKE MODIFY ANY LOCATION ON ACCOUNT <account_name> FROM <role>; |
| USAGE ANY LOCATION | Allows using all current and future locations in the account. | GRANT USAGE ANY LOCATION ON ACCOUNT <account_name> TO <role>; | REVOKE USAGE ANY LOCATION ON ACCOUNT <account_name> FROM <role>; |
| ALL [PRIVILEGES] | Grants all direct privileges for a specified account to a specified role. | GRANT ALL ON ACCOUNT <account_name> TO <role>; | REVOKE ALL ON ACCOUNT <account_name> FROM <role>; |
Revoking a privilege removes it from a role but does not explicitly deny the privilege. If the privilege was not previously granted, revoking it has no effect.
Examples of granting account-level permissions
CREATE DATABASE permission
The following code example grants the roledeveloper_role permission to create new databases within the account_name:
USAGE ANY DATABASE permission
The following code example gives permission to the roledeveloper_role to access all current and future databases within the account_name:
MODIFY ANY DATABASE permission
The following code example grants the roledeveloper_role permission to modify or delete all current and future databases within the account_name:
CREATE ENGINE permission
The following code example gives the roledeveloper_role permission to create new engines within the account_name:
USAGE ANY ENGINE permission
The following code example grants the roledeveloper_role permission to use all current and future engines within the account_name:
OPERATE ANY ENGINE permission
The following code example gives the roledeveloper_role permission to start and stop all current and future engines within the account_name:
MODIFY ANY ENGINE permission
The following code example grants the roledeveloper_role permission to modify or delete all current and future engines within the account_name:
CREATE ROLE permission
The following code example gives the roledeveloper_role permission to create new roles within the account_name:
MODIFY ANY ROLE permission
The following code example grants the roledeveloper_role permission to modify or delete all current and future roles within the account_name:
CREATE USER permission
The following code example gives the roledeveloper_role permission to create new users within the account_name:
MODIFY ANY USER permission
The following code example grants the roledeveloper_role permission to modify or delete all current and future users within the account_name:
MONITOR [ANY USAGE] permission
The following code example grants the roledeveloper_role permission to see the query history and currently running queries on all the engines within account_name:
CREATE LOCATION permission
The following code example grants rolemy_role permission to create locations:
MODIFY ANY LOCATION permission
The following code example grants rolemy_role permission to modify or delete all current and future locations within the my_account:
USAGE ANY LOCATION permission
The following code example grants rolemy_role permission to use all current and future locations within the my_account: