The Firebolt information schema provides system views that allow you to view metadata and permissions for objects within your current account or database. This page explains how to query and validate user and role privileges at both the account and database levels.

Viewing effective privileges

The following code example shows how to view the effective privileges of the current user:

SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
ON (AR.role_name = OP.grantee)
WHERE
  AR.grantee = session_user();

Usage examples

The following examples demonstrate how to validate privileges at both the account level and the database level. By running a query against the information_schema views, you can check the effective permissions granted to a user or role. Each scenario includes an example query and output to illustrate the scope of the retrieved privileges.

Validating privileges at the account level

If no database is selected, the query runs at the account level and shows account-scoped privileges.

Example

In the following code example, a user test_user with an account_admin role retrieves their privileges and associated roles for their current user session:

SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
ON (AR.role_name = OP.grantee)
WHERE
  AR.grantee = session_user();

Returns

Granteerole_nameprivilege_typeobject_typeobject_name
test_useraccount_adminMODIFY ANY ENGINEaccountaccount-1
test_useraccount_adminMODIFY ANY DATABASEaccountaccount-1
test_useraccount_adminOPERATE ANY ENGINEaccountaccount-1
test_useraccount_adminMODIFY ANY ROLEaccountaccount-1
test_useraccount_adminUSAGE ANY DATABASEaccountaccount-1
test_useraccount_adminMONITOR ANY USAGEaccountaccount-1
test_useraccount_adminMANAGE GRANTSaccountaccount-1
test_useraccount_adminUSAGE ANY ENGINEaccountaccount-1
test_useraccount_adminMODIFY ANY USERaccountaccount-1
test_useraccount_adminMETER USAGEaccountaccount-1
test_useraccount_adminCREATE SCHEMAdatabaseUltraFast
test_useraccount_adminCREATE USERaccountaccount-1
test_useraccount_adminCREATE DATABASEaccountaccount-1
test_useraccount_adminCREATE ROLEaccountaccount-1
test_useraccount_adminCREATE ENGINEaccountaccount-1

The previous table confirms that test_user has account-level privileges, such as permission to create engines, roles, and databases, as well as permission to modify users and engines.

Validating privileges at the database level

When a specific database is selected, the query retrieves privileges scoped to that database.

Example

The following code example retrieves the applicable roles and associated privileges, object types, and object names for test_user, who holds an account_admin role from the information schema.

SELECT
  AR.grantee,
  AR.role_name,
  OP.privilege_type,
  OP.object_type,
  OP.object_name
FROM information_schema.transitive_applicable_roles AS AR
JOIN information_schema.object_privileges AS OP
ON (AR.role_name = OP.grantee)
WHERE
  AR.grantee = session_user();

Returns

Granteerole_nameprivilege_typeobject_typeobject_name
test_useraccount_adminSELECT ANYschemapublic
test_useraccount_adminDELETE ANYschemapublic
test_useraccount_adminVACUUM ANYschemapublic
test_useraccount_adminINSERT ANYschemapublic
test_useraccount_adminMODIFYschemapublic
test_useraccount_adminCREATEschemapublic
test_useraccount_adminUSAGEschemapublic
test_useraccount_adminMODIFY ANYschemapublic
test_useraccount_adminTRUNCATE ANYschemapublic

The previous output confirms that test_user has database-level privileges, such as SELECT, INSERT, DELETE, and schema-level MODIFY permissions.