Access Control

Key Features

Features provided by e6data's catalog privileges:

  • Catalog Privileges: Create and manage Privileges.

  • Users & groups: Manage data access for users and groups.

Points to Remember:

  • You can select all resources by choosing the select all (*) option.

  • The schema selection dropdown in the privilege form can display up to 250 options at once. Further relevant options are displayed based on the search term.

  • When no resources are chosen, the default selection encompasses all resources, represented by an asterisk (*).

  • The permission hierarchy follows this order: Catalog → Database → Tables → Columns.

    • Upon selecting a database, all tables within that database are automatically included in the privilege unless specific tables are individually selected as resources.

    • Likewise, selecting a table automatically includes all columns within it in the privilege, unless specific columns are chosen as resources.

  • In cases where no privilege is defined for a catalog, access is automatically denied by default.

  • "Allow" indicates permission for query execution on the selected databases, tables, and columns.

  • After adding a new privilege or modifying an existing one, please allow up to 60 seconds for the changes to be recognized and applied by the SQL engine.

  • A user or group can belong to multiple privileges simultaneously.

  • When a new user is added, they will not have access to run queries by default. To grant access, the user must be assigned to the specific catalog privilege.

Create a Privilege

Upon catalog creation, access is denied by default. To grant access, you must create the necessary privileges. Catalog privileges are reached by selecting the specific catalog for which access is desired. To create a privilege, follow these steps:

  1. Navigate to catalogs, and click on the desired catalog.

  2. Select the Privilege(Beta) tab.

  3. Click on Create Privileges to create a new privilege.

  4. Provide a name for the privilege.

  5. Enter a description of the privilege (optional).

  6. Select the Access Control type of privilege.

  7. Select the databases, tables, and columns.

  8. Choose the access type: allow or deny.

  9. Select the user(s)/group(s) to whom you wish to provide access to the selected schema.

  10. Click on "Create."

  11. The privilege will be created and can be viewed in the privileges tab list.

Update a Privilege

To edit a privilege, follow these steps:

  1. Click on the three dots next to the privilege you want to edit.

  2. Select "Edit" from the dropdown menu.

  3. The privilege form will now be available for modification.

  4. If you want to change the description, update it accordingly.

  5. Choose the databases, tables, and columns as needed.

  6. Specify the access type (allow or deny).

  7. Select the users and groups you wish to grant access to for the selected schema.

  8. Finally, click on "Update" to save your changes.

Access Type

When establishing privileges, you have the option to create two distinct types of access:

Allow Privileges

This privilege type grants access to designated resources (database, table, column). Multiple allow privileges can be established, and if any one of them grants access, query execution is permitted. However, if a Deny privilege exists for the same resource, it always takes precedence and the query is denied. Below are several examples demonstrating the use of the allow privilege:

Allow access to all databases

  • To provide access to all databases, create/update privileges and select all databases.

  • If the table and column selection fields are left empty, full access will be granted to the entire catalog by default.

To verify the above example:

  • Navigate to Query Editor

  • Select the catalog, database and cluster

  • Execute queries to verify only authorised queries are allowed.

Allow access to selected databases

  • To grant access to specific databases, create or update privileges, and then select the necessary databases, tables, and columns within them.

To verify the above example:

  • Navigate to Query Editor

  • Select the catalog, database and cluster

  • Execute queries to verify only authorised databases are allowed.

  • If a database wasn't chosen in the privilege, the user lacks access to its data.

Allow access to selected tables and columns

  • Create or update the privilege, adjusting the access to specific columns within the permitted table.

  • Select the schema and table, and in the column field select specific columns.

  • In our example, we selected access to only 3 columns.

To verify the above example:

  • Navigate to Query Editor

  • Select the catalog, database and cluster

  • Attempting to query all columns will result in an authentication failure as only selected columns are accessible to the user.

  • Querying only the permitted columns should yield results as authorized by the privileges.

Deny Privilege

This particular type of privilege restricts access to designated resources, including databases, tables, and columns. The Deny privilege holds precedence, and if the criteria for denial are met, the query will be rejected.

The existence of this privilege solely results in access denial; it does not imply permission for other resources. To grant access, you must create an additional privilege explicitly allowing it.

Below are several examples demonstrating the utilization of the deny privilege:

  • Deny access to all databases

  • Deny access to selected databases

  • Deny access to selected tables and columns

Deny access to all databases

  • To deny access to all databases, create/update a privilege with the deny option and all databases selected.

To verify the above example:

  • Navigate to Query Editor

  • Select the catalog, database and cluster

  • When running a query in any of the selected databases, access will be denied due to the privilege.

Deny access to selected databases

  • To deny access to selected databases, create/update a privilege with the deny option and the specific databases selected.

To verify the above example:

  • Navigate to Query Editor

  • Select the catalog, database and cluster

  • Attempt to query a table that has been denied access. For instance, in the database tpcds_100_delta, access is denied.

Deny access to selected tables and columns

  • To deny access to selected tables and columns, create/update a privilege with the deny option and the specific tables and columns selected.

  • Also, create/update another privilege to allow the specified resources.

To verify the above example:

  • Navigate to Query Editor

  • Select the catalog, database and cluster

  • Below are a few scenarios to confirm that queries are executed for permitted tables and columns and denied for those specified in the deny privilege, regardless of whether the allow privilege contains the same tables or columns.

  • Attempting to query a table included in both the deny and allow privileges should not be permitted, as the Deny privilege takes precedence.

  • Querying a table not listed in the deny privilege but included in the allow privilege is permitted since it is not restricted by the Deny privilege and is explicitly allowed.

  • Attempt to query all columns in a table that includes some columns listed in the deny privilege.

  • In the same table, query a column that is not selected in the deny privilege.
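The evaluation rules described in this section (default deny, any matching Allow grants access, Deny always takes precedence, an empty selection means *) can be modeled as follows. This is an added example, not e6data's implementation: the Privilege class, is_query_allowed function, and all user, group, table and column names are constructed for illustration, and it assumes a privilege's table and column selections apply to every database it selects.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

@dataclass
class Privilege:
    effect: str                           # "allow" or "deny"
    principals: Set[str]                  # users and groups assigned to the privilege
    databases: Optional[Set[str]] = None  # None models an empty selection, i.e. "*"
    tables: Optional[Set[str]] = None
    columns: Optional[Set[str]] = None

    def covers(self, db: str, table: str, column: str) -> bool:
        """True if the resource selection includes db.table.column."""
        pairs = ((self.databases, db), (self.tables, table), (self.columns, column))
        return all(selected is None or name in selected for selected, name in pairs)

def is_query_allowed(privileges: List[Privilege], identities: Set[str],
                     db: str, table: str, columns: Iterable[str]) -> bool:
    """Every referenced column needs a matching Allow and no matching Deny."""
    columns = set(columns)
    if not columns:           # fail closed; the caller expands SELECT * beforehand
        return False
    applicable = [p for p in privileges if p.principals & identities]
    for col in columns:
        effects = {p.effect for p in applicable if p.covers(db, table, col)}
        if "deny" in effects or "allow" not in effects:
            return False      # Deny takes precedence; no match means default deny
    return True

# Constructed sample data: user "asha" is a member of group "analysts".
ASHA = {"asha", "analysts"}
PRIVILEGES = [
    Privilege("allow", {"analysts"}, {"sales"}),                  # whole database
    Privilege("allow", {"asha"}, {"hr"}, {"employees"}, {"id", "name", "dept"}),
    Privilege("deny", {"analysts"}, {"sales"}, {"customers"}, {"email"}),
    Privilege("allow", {"asha"}, {"tpcds_100_delta"}),
    Privilege("deny", {"analysts"}, {"tpcds_100_delta"}),         # overrides the allow
]

if __name__ == "__main__":
    checks = [("sales", "orders", {"id", "total"}),
              ("sales", "customers", {"id", "email"}),
              ("sales", "customers", {"id"}),
              ("hr", "employees", {"id", "salary"}),
              ("tpcds_100_delta", "store_sales", {"ss_item_sk"})]
    for db, table, cols in checks:
        ok = is_query_allowed(PRIVILEGES, ASHA, db, table, cols)
        print(f"{db}.{table} {sorted(cols)} -> {'allowed' if ok else 'denied'}")
```

A model like this is useful for reviewing a planned set of privileges before creating them, since an overlapping Deny assigned to a group silently overrides an Allow assigned to an individual user.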

Delete a Privilege

To delete a privilege, follow these steps:

  1. Click on the three dots next to the privilege you want to delete.

  2. Select "Delete" from the dropdown menu.

  3. Confirm the deletion by typing "Delete" in the alert box.

Privileges Behaviour in Schema Explorer

When users create catalog privileges based on a specific database, they gain access to view and interact with the schemas contained within that database through Schema Explorer. Conversely, if the user does not have the necessary access privileges assigned to them, they cannot view or interact with the database and its schemas within Schema Explorer.


Please refer to the FAQs for more understanding.