Skip to main content

Access Control Privileges

Databend leverages a role-based access control model to secure your data. In Databend, you can control which operations a user can perform on a specific database object (for example, database, table, view, stage, or UDF) by granting privileges to a role and then assigning the role to the user, or granting privileges to the user directly. The privileges granted to a user literally determine which operations the user can perform. To learn about the available commands for managing users and roles, as well as granting or revoking privileges, please refer to the following link: https://databend.rs/doc/reference/sql/ddl/user

Databend offers a range of privileges that allow you to exercise fine-grained control over your database objects. Databend privileges can be categorized into the following types:

All Privileges

PrivilegeObject TypeDescription
ALLAllGrants all the privileges for the specified object type.
ALTERGlobal, Database, Table, ViewAlters a database, table, user or UDF.
CREATEGlobal, Database, TableCreates a database, table or UDF.
DELETETableDeletes or truncates rows in a table.
DROPGlobal, Database, Table, ViewDrops a database, table, view or UDF. Undrops a table.
INSERTTableInserts rows into a table.
SELECTDatabase, TableSelects rows from a table. Shows or uses a database.
UPDATETableUpdates rows in a table.
GRANTGlobalGrants / revokes privileges to / from a user or role.
SUPERGlobal, TableKills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage, catalog or share.
USAGEGlobalSynonym for “no privileges”.
CREATE ROLEGlobalCreates a role.
DROP ROLEGlobalDrops a role.
CREATE USERGlobalCreates a SQL user.
CREATE USERGlobalDrops a SQL user.

Global Privileges

PrivilegeDescription
ALLGrants all the privileges for the specified object type.
ALTERAdds or drops a table column. Alters a cluster key. Re-clusters a table.
CREATEROLECreates a role.
DROPUSERDrops a user.
CREATEUSERCreates a user.
DROPROLEDrops a role.
SUPERKills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage.
USAGEConnects to a databend query only.
CREATECreates a UDF.
DROPDrops a UDF.
ALTERAlters a UDF. Alters a SQL user.

Table Privileges

PrivilegeDescription
ALLGrants all the privileges for the specified object type.
ALTERAdds or drops a table column. Alters a cluster key. Re-clusters a table.
CREATECreates a table.
DELETEDeletes rows in a table. Truncates a table.
DROPDrops or undrops a table. Restores the recent version of a dropped table.
INSERTInserts rows into a table. COPY INTO a table.
SELECTSelects rows from a table. SHOW CREATE a table. DESCRIBE a table.
UPDATEUpdates rows in a table.
SUPEROptimizes or analyzes a table.

View Privileges

PrivilegeDescription
ALLGrants all the privileges for the specified object type
ALTERCreates or drops a view. Alters the existing view using another QUERY.
DROPDrops a view.

Database Privileges

Please note that you can use the USE DATABASE command to specify a database once you have any of the following privileges to the database or any privilege to a table in the database.

PrivilegeDescription
AlterRenames a database.
CREATECreates a database.
DROPDrops or undrops a database. Restores the recent version of a dropped database.
SELECTSHOW CREATE a database.

Session Policy Privileges

PrivilegeDescription
SUPERKills a query. Sets or unsets a setting.
ALLGrants all the privileges for the specified object type.

Stage Privileges

PrivilegeDescription
SUPERLists stages. Creates, drops or removes a stage.
ALLGrants all the privileges for the specified object type.

Catalog Privileges

PrivilegeDescription
SUPERSHOW CREATE catalog. Creates or drops a catalog.
ALLGrants all the privileges for the specified object type.

Share Privileges

PrivilegeDescription
SUPERCreates, drops, or describes a share. Shows shares.
ALLGrants all the privileges for the specified object type.