Roles

Roles are the fundamental unit of permission management in the Lakehouse, packaging a set of privileges under a name and granting them to users. Role-Based Access Control (RBAC) enables centralized permission management and batch authorization.

RBAC Model

Privilege
  └── Role           ← Privileges packaged as roles
        └── User      ← Roles granted to users

A user can have multiple roles, and the effective permissions are the union of all assigned role permissions.

System Preset Roles

Role             Scope            Permission Description
account_admin    Account-level    Manage all resources under the account
workspace_admin  Workspace-level  Manage all resources within the workspace
workspace_dev    Workspace-level  Develop tasks, use data and compute clusters
workspace_user   Workspace-level  Read-only access to tasks and instances

Custom Roles

-- Create a custom role
CREATE ROLE analyst;

-- Grant privileges
GRANT SELECT ON TABLE orders TO ROLE analyst;
GRANT USAGE ON SCHEMA ods TO ROLE analyst;

-- Grant a role to a user
GRANT ROLE analyst TO USER alice;

-- View role privileges
SHOW GRANTS TO ROLE analyst;
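
The union rule from the RBAC Model section matters during access reviews: revoking one role removes a privilege only if no other assigned role also confers it. The following Python model is an added example, not Lakehouse code or part of the original page. The `analyst` grants mirror the statements above, while the `reporting` role, the `customers` table, the user `bob` and both function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample grants. "analyst" mirrors the GRANT statements above;
# "reporting", "customers" and "bob" are hypothetical.
ROLE_PRIVILEGES = {
    "analyst": {("SELECT", "TABLE orders"), ("USAGE", "SCHEMA ods")},
    "reporting": {("SELECT", "TABLE orders"), ("SELECT", "TABLE customers")},
}
USER_ROLES = {
    "alice": {"analyst", "reporting"},
    "bob": {"analyst"},
}


def effective_privileges(user, user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES):
    """Return {privilege: roles conferring it}; the keys are the union of
    the privileges of every role assigned to the user."""
    sources = defaultdict(set)
    for role in user_roles.get(user, ()):
        for priv in role_privs.get(role, ()):
            sources[priv].add(role)
    return dict(sources)


def revoke_impact(user, role, user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES):
    """Return the privileges the user actually loses if `role` is revoked,
    i.e. those conferred by that role and by no other assigned role."""
    current = effective_privileges(user, user_roles, role_privs)
    return {priv for priv, roles in current.items() if roles == {role}}


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(f"{user}: effective privileges")
        for priv, roles in sorted(effective_privileges(user).items()):
            print(f"  {priv[0]} ON {priv[1]}  via {sorted(roles)}")
        lost = revoke_impact(user, "analyst")
        print(f"  revoking analyst removes: {sorted(lost)}")
```

For `alice`, revoking `analyst` removes only `USAGE ON SCHEMA ods`, because `SELECT ON TABLE orders` is still conferred by the second role.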