> Learn about the default system roles in Firebolt, their permissions, and how they help manage access control across different database objects and operations.

# Default System Roles

In Firebolt, **system-defined** roles are automatically created for each organization and account. These roles provide predefined privileges and serve specific purposes. While system-defined roles **cannot** be modified or dropped, you can grant them additional privileges as needed.

## Organization system roles

| Role Name           | Description                                                             |
| ------------------- | ----------------------------------------------------------------------- |
| organization\_admin | Enables all the permissions and the ability to manage the organization. |

<Note>
  The [organization\_admin](/overview/organizations-accounts#organizational-administrative-role) role cannot be granted using SQL. It can only be granted using the [Firebolt Workspace](https://go.firebolt.io/signup) user interface (UI). To manage resources at the organization level, you must assign the `organization_admin` role to your login using the UI.
</Note>

## Account system roles

| Role Name      | Description                                                                                                                                                                                |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| public         | Includes `USAGE` on all databases and both `USAGE` and `CREATE` on every public schema.                                                                                                    |
| system\_admin  | Enables managing databases, engines, schemas, tables, and views. This includes setting database and engine properties as well as access to the observability functionality on all engines. |
| account\_admin | Grants full permissions to manage the organization.                                                                                                                                        |

<Note>
  By default, every newly created user is granted the [public](/overview/organizations-accounts#public-role) role. You can also revoke this role from a user.
</Note>
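Because `public` carries `USAGE` on every database and `CREATE` on every public schema, a service identity that only loads one table is over-privileged if it keeps the default role. The following is an added example, not from the Firebolt documentation, showing how to swap `public` for a narrowly scoped custom role and then verify the result. The user, role, database and table names are constructed; the `GRANT`/`REVOKE ROLE` statements follow Firebolt's documented forms, while the `USE DATABASE` scoping for the table grant and the `grantee`/`role_name` columns of `information_schema.applicable_roles` are assumptions to check against the SQL reference.

```sql
-- Added example (not Firebolt's own code). Names below are constructed.

-- 1. Remove the default `public` role from a service user that does not
--    need CREATE on every public schema.
REVOKE ROLE public FROM USER etl_loader;

-- 2. Create a purpose-built role and grant only what the load job needs.
CREATE ROLE etl_loader_role;
GRANT USAGE ON DATABASE sales TO etl_loader_role;

-- Table grants are issued in the context of the owning database
-- (assumed form; confirm against the GRANT reference).
USE DATABASE sales;
GRANT SELECT ON TABLE orders TO etl_loader_role;
GRANT INSERT ON TABLE orders TO etl_loader_role;

-- 3. Attach the scoped role to the user.
GRANT ROLE etl_loader_role TO USER etl_loader;

-- 4. Verify: the service user should hold only etl_loader_role, and the
--    privileged system roles should map to a short, known list of grantees.
--    (view and column names assumed from Firebolt's information schema)
SELECT grantee, role_name
FROM information_schema.applicable_roles
WHERE role_name IN ('account_admin', 'system_admin', 'public')
   OR grantee = 'etl_loader'
ORDER BY role_name, grantee;
```

Run the verification query periodically: an unexpected grantee of `system_admin` or `account_admin`, or a service user that has regained `public`, is the kind of drift this page's role model is meant to prevent.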

## Default privileges for system roles

System roles come with predefined default privileges that are automatically applied when objects are created. These default privileges are built into the system and **cannot be revoked** from system roles.

### account\_admin privileges

The `account_admin` role has comprehensive default privileges across the entire account:

* **Account-level**: Full administrative access including user and role management
* **Database-level**: `CREATE`, `MODIFY`, `USAGE`, and `DROP` on all databases
* **Schema-level**: Default privileges include `CREATE`, `MODIFY`, `USAGE`, and `DROP` on all schemas
* **Table-level**: Default privileges include `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, and `DROP` on all tables
* **Engine-level**: Full engine management and monitoring capabilities
* **Location-level**: Full location management and configuration capabilities
* **User-level**: Full user management and administration capabilities
* **Role-level**: Full role management and administration capabilities

### system\_admin privileges

The `system_admin` role has operational privileges for database and engine management:

* **Database-level**: `CREATE`, `MODIFY`, `USAGE`, and `DROP` on all databases
* **Schema-level**: Default privileges include `CREATE`, `MODIFY`, `USAGE`, and `DROP` on all schemas
* **Table-level**: Default privileges include `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, and `DROP` on all tables
* **Engine-level**: Engine management and monitoring capabilities
* **Limitation**: Cannot manage users, roles, or account-level settings

### public privileges

The `public` role provides basic access for all users:

* **Database-level**: `USAGE` on all databases
* **Schema-level**: Default privileges include `USAGE` and `CREATE` on public schemas only
* **Table-level**: No default table privileges (must be explicitly granted)

### Important notes about system role privileges

* **Immutable privileges**: Default privileges for system roles are hardcoded and cannot be modified using `ALTER DEFAULT PRIVILEGES` or `REVOKE` commands
* **Automatic application**: These default privileges apply immediately when objects are created, without requiring explicit grants
* **Additional privileges**: You can grant additional privileges to system roles, but you cannot revoke their built-in default privileges

To view the current default privileges for system roles, query the [object\_default\_privileges](/reference-sql/information-schema/object-default-privileges) information schema view:

```sql
SELECT
  grantor,
  grantee,
  object_name,
  object_type,
  privilege_type
FROM information_schema.object_default_privileges
WHERE grantee IN ('account_admin', 'system_admin', 'public')
ORDER BY grantee, object_type;
```
