Amazon Redshift system-defined roles - Amazon Redshift

Amazon Redshift system-defined roles

Amazon Redshift provides a few system-defined roles that are defined with specific permissions. System-specific roles start with a sys: prefix. Only users with appropriate access can alter system-defined roles or create custom system-defined roles. You can't use the sys: prefix for a custom system-defined role.

The following table summarizes the roles and their permissions.

Role name Description
sys:monitor This role has the permission to access catalog or system tables.
sys:operator This role has the permissions to access catalog or system tables, analyze, vacuum, or cancel queries.
sys:dba This role has the permissions to create schemas, create tables, drop schemas, drop tables, and truncate tables. It has the permissions to create or replace stored procedures, drop procedures, create or replace functions, create or replace external functions, create views, and drop views. Also, this role inherits all the permissions from the sys:operator role.
sys:superuser This role has the same permissions as the Amazon Redshift superuser.
sys:secadmin This role has the permissions to create users, alter users, drop users, create roles, drop roles, and grant roles. This role can have access to user tables only when the permission is explicitly granted to the role.