System permissions for RBAC - Amazon Redshift

System permissions for RBAC

Following is a list of system permissions that you can grant to or revoke from a role.

Command You must have permission by one of the following ways to run the command
CREATE ROLE
  • Superuser.

  • Users with the CREATE ROLE permission.

DROP ROLE
  • Superuser.

  • Role owner who is either the user that created the role or a user that has been granted the role with the WITH ADMIN OPTION permission.

CREATE USER
  • Superuser.

  • Users with the CREATE USER permission. These users can't create superusers.

DROP USER
  • Superuser.

  • Users with the DROP USER permission.

ALTER USER
  • Superuser.

  • Users with the ALTER USER permission. These users can't change users to superusers or change superusers to users.

  • Current user who wants to change their own password.

CREATE SCHEMA
  • Superuser.

  • Users with the CREATE SCHEMA permission.

DROP SCHEMA
  • Superuser.

  • Users with the DROP SCHEMA permission.

  • Schema owner.

ALTER DEFAULT PRIVILEGES
  • Superuser.

  • Users with the ALTER DEFAULT PRIVILEGES permission.

  • Users changing their own default access permissions.

  • Users setting permissions for schemas that they have access permissions to.

CREATE TABLE
  • Superuser.

  • Users with the CREATE TABLE permission.

  • Users with the CREATE permission on schemas.

DROP TABLE
  • Superuser.

  • Users with the DROP TABLE permission.

  • Table owner with the USAGE permission on the schema.

ALTER TABLE
  • Superuser.

  • Users with the ALTER TABLE permission.

  • Table owner with the USAGE permission on the schema.

CREATE OR REPLACE FUNCTION
  • For CREATE FUNCTION:

    • Superuser.

    • Users with the CREATE OR REPLACE FUNCTION permission.

    • Users with the USAGE permission on language.

  • For REPLACE FUNCTION:

    • Superuser.

    • Users with the CREATE OR REPLACE FUNCTION permission.

    • Function owner.

CREATE OR REPLACE EXTERNAL FUNCTION
  • Superuser.

  • Users with the CREATE OR REPLACE EXTERNAL FUNCTION permission.

DROP FUNCTION
  • Superuser.

  • Users with the DROP FUNCTION permission.

  • Function owner.

CREATE OR REPLACE PROCEDURE
  • For CREATE PROCEDURE:

    • Superuser.

    • Users with the CREATE OR REPLACE PROCEDURE permission.

    • Users with the USAGE permission on language.

  • For REPLACE PROCEDURE:

    • Superuser.

    • Users with the CREATE OR REPLACE PROCEDURE permission.

    • Procedure owner.

DROP PROCEDURE
  • Superuser.

  • Users with the DROP PROCEDURE permission.

  • Procedure owner.

CREATE OR REPLACE VIEW
  • For CREATE VIEW:

    • Superuser.

    • Users with the CREATE OR REPLACE VIEW permission.

    • Users with the CREATE permission on schemas.

  • For REPLACE VIEW:

    • Superuser.

    • Users with the CREATE OR REPLACE VIEW permission.

    • View owner.

DROP VIEW
  • Superuser.

  • Users with the DROP VIEW permission.

  • View owner.

CREATE MODEL
  • Superuser.

  • Users with the CREATE MODEL system permission, who should be able to read the relation of the CREATE MODEL.

  • Users with the CREATE MODEL permission.

DROP MODEL
  • Superuser.

  • Users with the DROP MODEL permission.

  • Model owner.

  • Schema owner.

CREATE DATASHARE
  • Superuser.

  • Users with the CREATE DATASHARE permission.

  • Database owner.

ALTER DATASHARE
  • Superuser.

  • User with the ALTER DATASHARE permission.

  • Users who have the ALTER or ALL permission on the datashare.

  • To add specific objects to a datashare, these users must have the permission on the objects. Users should be the owners of objects or have SELECT, USAGE, or ALL permissions on the objects.

DROP DATASHARE
  • Superuser.

  • Users with the DROP DATASHARE permission.

  • Database owner.

CREATE LIBRARY
  • Superuser.

  • Users with the CREATE LIBRARY permission or with the permission of the specified language.

DROP LIBRARY
  • Superuser.

  • Users with the DROP LIBRARY permission.

  • Library owner.

ANALYZE
  • Superuser.

  • Users with the ANALYZE permission.

  • Owner of the relation.

  • Database owner whom the table is shared to.

CANCEL
  • Superuser canceling their own query.

  • Superuser canceling a user's query.

  • Users with the CANCEL permission canceling a user's query.

  • User canceling their own query.

TRUNCATE TABLE
  • Superuser.

  • Users with the TRUNCATE TABLE permission.

  • Table owner.

VACUUM
  • Superuser.

  • Users with the VACUUM permission.

  • Table owner.

  • Database owner whom the table is shared to.

IGNORE RLS
  • Superuser.

  • Users within the sys:secadmin role.

EXPLAIN RLS
  • Superuser.

  • Users within the sys:secadmin role.

EXPLAIN MASKING
  • Superuser.

  • Users within the sys:secadmin role.