
8 minute read · July 20, 2022

Introducing New RBAC Privileges for Admin Operations

Nithin Krishna Reghunathan · Staff Product Manager, Dremio

Sidhartha Das · Director of Engineering, Dremio

Summary

Since version 16, Dremio has provided role-based access control (RBAC) to grant or revoke user permissions on objects in Dremio. In our latest update to Dremio Cloud and our software release v22, we have added additional RBAC privileges that enable Dremio admins to selectively provide privileges for admin operations. 

What is role-based access control?

Role-based access control (RBAC) enables admins to assign permissions for data access and Dremio operations to other users based on their role within an organization. Each role has a set of defined privileges, and groups of users are associated with that role, thus defining what those users can and cannot do in Dremio.

Dremio supports RBAC for actions on specific objects, such as datasets, projects, or clouds. This enables admins to limit access to users by their role in the organization. To grant or revoke these privileges, you can use the SQL editor or privileges screen in the Dremio UI or the Dremio REST APIs.

New RBAC privileges for admin-like operations

Dremio version 22.0 and Dremio Cloud now allow admins to selectively grant other users and roles permission to perform admin operations. Admins can delegate specific privileges associated with the admin role instead of letting a user assume the admin role, which would give that user full admin permissions.

  • CREATE USER
    • USERS/ROLES with this privilege have the ability to create a new user.
    • Note: This privilege only allows the creation of users. Assigning roles to those users additionally requires the CREATE ROLE privilege.
  • CREATE ROLE
    • USERS/ROLES with this privilege have the ability to create new roles.
    • Note: This privilege does not provide access to editing ADMIN role memberships.
  • CREATE SOURCE
    • USERS/ROLES with this privilege have the ability to create new data sources.
  • UPLOAD
    • USERS/ROLES with this privilege have the ability to upload files to their home space.
    • Note: This privilege enables customers to allow uploads for specific users/roles.
  • MODIFY
    • USERS/ROLES with this privilege have the ability to access and modify workload management (e.g., engines, engine routing, queues, view node activity, manage support keys, etc.).
  • SELECT
    • USERS/ROLES with this privilege have the ability to query a specific Dremio system table.
    • Note: Anyone with access to the system table sys.views can view Dremio metadata on all views. This privilege is distinct from the SELECT, ALTER, etc. privileges already supported on non-system objects (regular tables, views, etc.), which use different syntax.

Please visit our documentation to learn more about RBAC privileges in Dremio.

RBAC in action for delegating admin operations

Use case #1:

A Dremio admin wants to delegate the ability to create new sources to another user (say johndoe). The admin executes the following command to delegate the ability to create new sources to johndoe:

GRANT CREATE SOURCE ON SYSTEM TO USER "johndoe"

The following video shows how to add this privilege via Dremio’s SQL editor:

Use case #2:

A Dremio admin wants to delegate some of the workload management and configuration management options (such as managing Engine, Engine Routing, Queues, View Node Activity, and Manage Support Keys) to another user (say [email protected]). The admin executes the following command in the SQL editor:

GRANT MODIFY ON SYSTEM TO USER "[email protected]"

The following video shows how to add this privilege via Dremio’s SQL editor:

Use case #3:

A Dremio admin wants to selectively allow some users to upload files to their home space after setting the support key ‘ui.upload.allow’ to ‘false’, so that users can’t upload files to their home spaces by default. The admin executes the following command in the SQL editor to give the user “jenny” the ability to upload files:

GRANT UPLOAD ON SYSTEM TO USER "jenny"

The following video shows how to add this privilege via Dremio’s SQL editor:
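The three use cases above, generalized to delegation through roles so that a bundle of admin operations can be assigned to, and withdrawn from, people as a unit. This is an added example, not code from the original post; the CREATE ROLE, GRANT ROLE ... TO USER and REVOKE statements are assumed Dremio syntax not shown on this page, and the role and user names are constructed placeholders.

```sql
-- Added example, not from the original post.
-- Assumed syntax (not on this page): CREATE ROLE, GRANT ROLE ... TO USER,
-- REVOKE ... ON SYSTEM FROM ROLE and REVOKE ROLE ... FROM USER.
-- Role and user names below are constructed placeholders.

-- Bundle delegated admin operations in a role instead of granting them to
-- individual users; later, only role membership has to change.
CREATE ROLE "platform_operators";

-- Source creation and workload management (use cases #1 and #2).
GRANT CREATE SOURCE ON SYSTEM TO ROLE "platform_operators";
GRANT MODIFY ON SYSTEM TO ROLE "platform_operators";

-- User onboarding: as noted above, CREATE USER alone cannot assign roles,
-- so it is paired with CREATE ROLE. Neither privilege allows editing
-- ADMIN role membership.
CREATE ROLE "user_onboarders";
GRANT CREATE USER ON SYSTEM TO ROLE "user_onboarders";
GRANT CREATE ROLE ON SYSTEM TO ROLE "user_onboarders";

-- Put people in the roles rather than granting privileges one by one.
GRANT ROLE "platform_operators" TO USER "johndoe";
GRANT ROLE "user_onboarders" TO USER "jenny";

-- Upload stays opt-in per user once ui.upload.allow is false (use case #3).
GRANT UPLOAD ON SYSTEM TO USER "jenny";

-- Withdrawing a delegation leaves the user's other access untouched.
REVOKE MODIFY ON SYSTEM FROM ROLE "platform_operators";
REVOKE ROLE "user_onboarders" FROM USER "jenny";
```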

Conclusion

With these enhancements in the Dremio 22.0 release and Dremio Cloud, admin users can now delegate several admin operations to non-admin users/roles. Please visit our documentation to learn more about RBAC in Dremio.
