Amazon Redshift system-defined roles
Amazon Redshift provides a few system-defined roles that are defined with specific permissions. System-specific roles start with a sys: prefix. Only users with appropriate access can alter system-defined roles or create custom system-defined roles. You can't use the sys: prefix for a custom system-defined role.
The following table summarizes the roles and their permissions.
Role name | Description |
---|---|
sys:monitor | This role has the permission to access catalog or system tables. |
sys:operator | This role has the permissions to access catalog or system tables, analyze, vacuum, or cancel queries. |
sys:dba | This role has the permissions to create schemas, create tables, drop schemas, drop tables, and truncate tables. It has the permissions to create or replace stored procedures, drop procedures, create or replace functions, create or replace external functions, create views, and drop views. Also, this role inherits all the permissions from the sys:operator role. |
sys:superuser | This role has all the supported system privileges defined in System permissions for RBAC. |
sys:secadmin | This role has the permissions to create users, alter users, drop users, create roles, drop roles, and grant roles. This role can have access to user tables only when the permission is explicitly granted to the role. |
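
The following audit queries are an added example, not part of the original documentation. They list who holds the system-defined roles from the table above, either directly or through a custom role. They assume the Redshift system views SVV_USER_GRANTS and SVV_ROLE_GRANTS, and the second query follows only one level of role nesting.

```sql
-- Added example: review which users hold system-defined (sys:) roles.
-- Run as a user who is allowed to read the system views.

-- 1) Users that were granted a system-defined role directly.
--    admin_option shows whether the user can grant the role onward.
SELECT user_name,
       role_name,
       admin_option
FROM   svv_user_grants
WHERE  role_name LIKE 'sys:%'
ORDER  BY role_name, user_name;

-- 2) Users that reach a system-defined role through a custom role.
--    svv_role_grants records role-to-role grants: role_name is the
--    custom role, granted_role_name is the role it was given.
--    Only one level of nesting is followed here; a custom role granted
--    to another custom role needs this join applied once more.
SELECT ug.user_name,
       rg.role_name         AS via_custom_role,
       rg.granted_role_name AS system_role
FROM   svv_role_grants rg
JOIN   svv_user_grants ug
       ON ug.role_id = rg.role_id
WHERE  rg.granted_role_name LIKE 'sys:%'
  AND  rg.role_name NOT LIKE 'sys:%'   -- skip built-in inheritance such as sys:dba -> sys:operator
ORDER  BY system_role, ug.user_name;
```

Rows for sys:superuser and sys:secadmin deserve the closest review, since those roles carry all system privileges and user and role management respectively.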