System permissions for RBAC - Amazon Redshift

System permissions for RBAC

Following is a list of system permissions that you can grant to or revoke from a role.

Command You must have permission by one of the following ways to run the command
CREATE ROLE

  • Superuser.

  • Users with the CREATE ROLE permission.
DROP ROLE

  • Superuser.

  • Role owner who is either the user that created the role or a user that has been granted the role with the WITH ADMIN OPTION permission.
CREATE USER

  • Superuser.

  • Users with the CREATE USER permission. These users can't create superusers.
DROP USER

  • Superuser.

  • Users with the DROP USER permission.
ALTER USER

  • Superuser.

  • Users with the ALTER USER permission. These users can't change users to superusers or change superusers to users.

  • Current user who wants to change their own password.
CREATE SCHEMA

  • Superuser.

  • Users with the CREATE SCHEMA permission.
DROP SCHEMA

  • Superuser.

  • Users with the DROP SCHEMA permission.

  • Schema owner.
ALTER DEFAULT PRIVILEGES

  • Superuser.

  • Users with the ALTER DEFAULT PRIVILEGES permission.

  • Users changing their own default access permissions.

  • Users setting permissions for schemas that they have access permissions to.
ACCESS CATALOG

  • Superuser.

  • Users with the ACCESS CATALOG permission.
ACCESS SYSTEM TABLE

  • Superuser.

  • Users with the ACCESS SYSTEM TABLE permission.
CREATE TABLE

  • Superuser.

  • Users with the CREATE TABLE permission.

  • Users with the CREATE permission on schemas.
DROP TABLE

  • Superuser.

  • Users with the DROP TABLE permission.

  • Table owner with the USAGE permission on the schema.
ALTER TABLE

  • Superuser.

  • Users with the ALTER TABLE permission.

  • Table owner with the USAGE permission on the schema.
CREATE OR REPLACE FUNCTION

  • For CREATE FUNCTION:

    • Superuser.

    • Users with the CREATE OR REPLACE FUNCTION permission.

    • Users with the USAGE permission on language.

  • For REPLACE FUNCTION:

    • Superuser.

    • Users with the CREATE OR REPLACE FUNCTION permission.

    • Function owner.
CREATE OR REPLACE EXTERNAL FUNCTION

  • Superuser.

  • Users with the CREATE OR REPLACE EXTERNAL FUNCTION permission.
DROP FUNCTION

  • Superuser.

  • Users with the DROP FUNCTION permission.

  • Function owner.
CREATE OR REPLACE PROCEDURE

  • For CREATE PROCEDURE:

    • Superuser.

    • Users with the CREATE OR REPLACE PROCEDURE permission.

    • Users with the USAGE permission on language.

  • For REPLACE PROCEDURE:

    • Superuser.

    • Users with the CREATE OR REPLACE PROCEDURE permission.

    • Procedure owner.
DROP PROCEDURE

  • Superuser.

  • Users with the DROP PROCEDURE permission.

  • Procedure owner.
CREATE OR REPLACE VIEW

  • For CREATE VIEW:

    • Superuser.

    • Users with the CREATE OR REPLACE VIEW permission.

    • Users with the CREATE permission on schemas.

  • For REPLACE VIEW:

    • Superuser.

    • Users with the CREATE OR REPLACE VIEW permission.

    • View owner.
DROP VIEW

  • Superuser.

  • Users with the DROP VIEW permission.

  • View owner.
CREATE MODEL

  • Superuser.

  • Users with the CREATE MODEL system permission, who should be able to read the relation of the CREATE MODEL.

  • Users with the CREATE MODEL permission.
DROP MODEL

  • Superuser.

  • Users with the DROP MODEL permission.

  • Model owner.

  • Schema owner.
CREATE DATASHARE

  • Superuser.

  • Users with the CREATE DATASHARE permission.

  • Database owner.
ALTER DATASHARE

  • Superuser.

  • User with the ALTER DATASHARE permission.

  • Users who have the ALTER or ALL permission on the datashare.

  • To add specific objects to a datashare, these users must have the permission on the objects. Users should be the owners of objects or have SELECT, USAGE, or ALL permissions on the objects.
DROP DATASHARE

  • Superuser.

  • Users with the DROP DATASHARE permission.

  • Database owner.
CREATE LIBRARY

  • Superuser.

  • Users with the CREATE LIBRARY permission or with the permission of the specified language.
DROP LIBRARY

  • Superuser.

  • Users with the DROP LIBRARY permission.

  • Library owner.
ANALYZE

  • Superuser.

  • Users with the ANALYZE permission.

  • Owner of the relation.

  • Database owner whom the table is shared to.
CANCEL

  • Superuser canceling their own query.

  • Superuser canceling a user's query.

  • Users with the CANCEL permission canceling a user's query.

  • User canceling their own query.
TRUNCATE TABLE

  • Superuser.

  • Users with the TRUNCATE TABLE permission.

  • Table owner.
VACUUM

  • Superuser.

  • Users with the VACUUM permission.

  • Table owner.

  • Database owner whom the table is shared to.
IGNORE RLS

  • Superuser.

  • Users within the sys:secadmin role.
EXPLAIN RLS

  • Superuser.

  • Users within the sys:secadmin role.
EXPLAIN MASKING

  • Superuser.

  • Users within the sys:secadmin role.