> ## Documentation Index
> Fetch the complete documentation index at: https://docs.firebolt.io/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn about the permissions that can be assigned to tables in Firebolt, including controlling access to table data and managing table-level operations.

# Table permissions

In Firebolt, a **table** is a structured data object within a database, composed of rows and columns. Tables are the foundational units for organizing, querying, and managing data in your Firebolt data warehouse. Table-level permissions allow roles to perform actions such as selecting, modifying, or managing data within specific tables.

<Note>
  To perform actions on a table, roles must also have **USAGE** permissions on both the parent schema and the parent database of the table.
</Note>

## Table-level privileges

| Privilege                                                          | Description                                                                                  | GRANT Syntax                                           | REVOKE Syntax                                             |
| ------------------------------------------------------------------ | -------------------------------------------------------------------------------------------- | ------------------------------------------------------ | --------------------------------------------------------- |
| SELECT                                                             | Allows selecting rows from the table.                                                        | `GRANT SELECT ON TABLE <table_name> TO <role_name>;`   | `REVOKE SELECT ON TABLE <table_name> FROM <role_name>;`   |
| [INSERT](/reference-sql/commands/data-management/insert)           | Allows inserting rows into the table. Applies to managed tables only.                        | `GRANT INSERT ON TABLE <table_name> TO <role_name>;`   | `REVOKE INSERT ON TABLE <table_name> FROM <role_name>;`   |
| MODIFY                                                             | Allows modifying and dropping the table.                                                     | `GRANT MODIFY ON TABLE <table_name> TO <role_name>;`   | `REVOKE MODIFY ON TABLE <table_name> FROM <role_name>;`   |
| [DELETE](/reference-sql/commands/data-management/delete)           | Allows deleting rows and dropping partitions from the table. Applies to managed tables only. | `GRANT DELETE ON TABLE “<table_name>” TO <role_name>;` | `REVOKE DELETE ON TABLE “<table_name>” FROM <role_name>;` |
| [UPDATE](/reference-sql/commands/data-management/update)           | Allows updating rows in the table. Applies to managed tables only.                           | `GRANT UPDATE ON TABLE <table_name> TO <role_name>;`   | `REVOKE UPDATE ON TABLE <table_name> FROM <role_name>;`   |
| [TRUNCATE](/reference-sql/commands/data-management/truncate-table) | Allows truncating a table. Applies to managed tables only.                                   | `GRANT TRUNCATE ON TABLE <table_name> TO <role_name>;` | `REVOKE TRUNCATE ON TABLE <table_name> FROM <role_name>;` |
| [VACUUM](/reference-sql/commands/data-management/vacuum)           | Allows running the `VACUUM` operation. Applies to managed tables only.                       | `GRANT VACUUM ON TABLE <table_name> TO <role_name>;`   | `REVOKE VACUUM ON TABLE <table_name> FROM <role_name>;`   |
| ALL \[PRIVILEGES]                                                  | Grants all privileges over the table to a role.                                              | `GRANT ALL ON TABLE <table_name> TO <role_name>;`      | `REVOKE ALL ON TABLE <table_name> FROM <role_name>;`      |

<Note>
  To grant permissions across all tables in a schema, use [schema-level privileges](/overview/security/rbac/database-permissions/schema-permissions). For example, privileges like **SELECT ANY**, **INSERT ANY**, or **DELETE ANY** at the schema level will apply to all current and future tables within that schema.
</Note>

## Indexes

In Firebolt, indexes can be used to accelerate query performance.
An [aggregating index](/overview/indexes/aggregating-index) accelerates queries involving aggregate functions on large tables.
A \[vector search index] allows to quickly find vectors that are similar (i.e., in close distance) to a query vector.

To **create** or **drop** an index, a role must have the following permissions:

* `MODIFY` permission on the table.
* `CREATE` permission on the parent schema.
* `USAGE` permission on the parent schema.
* `USAGE` permission on the parent database.

To drop an index, the role requires:

* `MODIFY` permission on the table.
* `USAGE` permission on the parent schema.
* `USAGE` permission on the parent database.

## Examples of modifying table permissions

The following example use [`GRANT`](/reference-sql/commands/access-control/grant) to grant permissions. You can also replace `GRANT` with [REVOKE](/reference-sql/commands/access-control/revoke) in any of the examples to remove any granted privileges.

### SELECT permission

The following code example [grants](/reference-sql/commands/access-control/grant) the role `developer_role` permission to read data from the `games` table:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT SELECT ON TABLE games TO developer_role;
```

### INSERT permission

The following code example gives the role `developer_role` permissions to [insert](/reference-sql/commands/data-management/insert)  rows into the `games` table:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT INSERT ON TABLE games TO developer_role;
```

### MODIFY permission

The following code example grants the role `developer_role` permission to alter or drop the `games` table:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT MODIFY ON TABLE games TO developer_role;
```

### DELETE permission

The following code example gives the role `developer_role` permission to [delete](/reference-sql/commands/data-management/delete) rows or partitions from the `games` table:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT DELETE ON TABLE games TO developer_role;
```

### UPDATE permission

The following code example grants the role `developer_role` permission to [update](/reference-sql/commands/data-management/update) rows in the `games` table:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT UPDATE ON TABLE games TO developer_role;
```

### TRUNCATE permission

The following code example gives the role `developer_role` permission to [truncate](/reference-sql/commands/data-management/truncate-table) the `games` table, removing all rows:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT TRUNCATE ON TABLE games TO developer_role;
```

### VACUUM permission

The following code example grants the role `developer_role` permission to run the [`VACUUM`](/reference-sql/commands/data-management/vacuum) operation on the `games` table:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT VACUUM ON TABLE games TO developer_role;
```

### ALL permissions

The following code example grants the role `developer_role` with all permissions on the table `games`:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
GRANT ALL ON TABLE games TO developer_role;
```

## Considerations

* Use the [REVOKE](/reference-sql/commands/access-control/revoke) statement to remove any granted privileges. Replace [`GRANT`](/reference-sql/commands/access-control/grant) with [`REVOKE`](/reference-sql/commands/access-control/revoke) in the examples above.
* Table-level permissions apply only to the specified table. For broader control, consider granting schema-level privileges.