Manage privileges for policies
Privilege items
Policy creation and application are controlled by the privileges CREATE, APPLY, ALTER, and DROP. Administrators can decide whether to delegate these privileges to specific departments or roles, depending on the business scenario.
Privilege item | Description |
---|---|
CREATE MASKING POLICY | Creates a masking policy in a database. |
CREATE ROW ACCESS POLICY | Creates a row access policy in a database. |
APPLY | Applies a policy to a table. |
ALTER | Modifies a policy. |
DROP | Drops a policy. |
CREATE MASKING POLICY, CREATE ROW ACCESS POLICY
Controls whether users or roles have the permission to create a policy in a database.
```sql
GRANT CREATE MASKING POLICY ON DATABASE <db_name> TO ROLE <role_name>
GRANT CREATE ROW ACCESS POLICY ON DATABASE <db_name> TO ROLE <role_name>
REVOKE CREATE MASKING POLICY ON DATABASE <db_name> FROM ROLE <role_name>
REVOKE CREATE ROW ACCESS POLICY ON DATABASE <db_name> FROM ROLE <role_name>
```
APPLY
Controls whether users or roles have the permission to apply a specific policy, or to apply all policies.
```sql
GRANT APPLY ON MASKING POLICY <policy_name> TO ROLE <role_name>
GRANT APPLY ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name>
REVOKE APPLY ON MASKING POLICY <policy_name> FROM ROLE <role_name>
REVOKE APPLY ON ROW ACCESS POLICY <policy_name> FROM ROLE <role_name>
GRANT APPLY ON ALL MASKING POLICIES TO ROLE <role_name>
GRANT APPLY ON ALL MASKING POLICIES IN ALL DATABASES TO ROLE <role_name>
```
ALTER
Controls whether users or roles have the permission to modify a policy.
```sql
GRANT ALTER ON MASKING POLICY <policy_name> TO ROLE <role_name>
GRANT ALTER ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name>
```
DROP
Controls whether users or roles have the permission to drop a policy.
```sql
GRANT DROP ON MASKING POLICY <policy_name> TO ROLE <role_name>
GRANT DROP ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name>
```
Privileges required for SQL commands
The SQL commands used to create and manage policies require the privileges listed below. Note that attaching a policy to a table needs ALTER on the table as well as APPLY on the policy. Refer to Masking policies and Row access policies for the syntax and examples of these commands.
Masking policy
SQL | Required privileges | GRANT syntax |
---|---|---|
CREATE MASKING POLICY | CREATE MASKING POLICY | GRANT CREATE MASKING POLICY ON DATABASE <db_name> TO ROLE <role_name> |
ALTER TABLE...SET MASKING POLICY | ALTER and APPLY | GRANT ALTER ON TABLE <table_name> TO ROLE <role_name>; GRANT APPLY ON MASKING POLICY <policy_name> TO ROLE <role_name> |
ALTER TABLE...UNSET MASKING POLICY | ALTER | GRANT ALTER ON TABLE <table_name> TO ROLE <role_name> |
ALTER MASKING POLICY | ALTER | GRANT ALTER ON MASKING POLICY <policy_name> TO ROLE <role_name> |
SHOW MASKING POLICIES | None | None |
SHOW CREATE MASKING POLICY | Any of APPLY, ALTER, or DROP | Any of the APPLY, ALTER, or DROP grants above |
DROP MASKING POLICY | DROP | GRANT DROP ON MASKING POLICY <policy_name> TO ROLE <role_name> |
Row access policy
SQL | Required privileges | GRANT syntax |
---|---|---|
CREATE ROW ACCESS POLICY | CREATE ROW ACCESS POLICY | GRANT CREATE ROW ACCESS POLICY ON DATABASE <db_name> TO ROLE <role_name> |
ALTER TABLE...ADD ROW ACCESS POLICY | ALTER and APPLY | GRANT ALTER ON TABLE <table_name> TO ROLE <role_name>; GRANT APPLY ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name> |
ALTER TABLE...DROP ROW ACCESS POLICY | ALTER | GRANT ALTER ON TABLE <table_name> TO ROLE <role_name> |
ALTER ROW ACCESS POLICY | ALTER | GRANT ALTER ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name> |
SHOW ROW ACCESS POLICIES | None | None |
SHOW CREATE ROW ACCESS POLICY | Any of APPLY, ALTER, or DROP | Any of the APPLY, ALTER, or DROP grants above |
DROP ROW ACCESS POLICY | DROP | GRANT DROP ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name> |
Manage privileges
Three data administration models are supported to implement segregation of duties: centralized, hybrid, and decentralized administration. They differ in which role is allowed to create policies and which role is allowed to apply them; choose the delegation that suits your business requirements.
Privilege | Centralized | Hybrid | Decentralized |
---|---|---|---|
CREATE | Security manager | Security manager | Individual teams |
APPLY | Security manager | Individual teams | Individual teams |
Centralized: only the security manager role creates and applies policies.
```sql
CREATE ROLE security_manager;
GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE security_manager;
GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE security_manager;
```
Hybrid: the security manager role creates policies, and another role (here db_owner) applies them.
```sql
CREATE ROLE security_manager;
GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE security_manager;
GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE db_owner;
```
Decentralized: another role (here db_owner) both creates and applies policies.
```sql
CREATE ROLE db_owner;
GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE db_owner;
GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE db_owner;
```
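The hybrid model carried through end to end, as an added example that is not part of the original page: it combines the grants above for both policy types, adds the ALTER-on-table privilege that the tables in the previous section require before a policy can be attached, and assigns the roles to users. The database d1, table d1.t1, policy name pii_rows, and users alice and bob are constructed placeholders; the policy itself is created by security_manager with the syntax from the Row access policies page.

```sql
-- Added example (not from the original page). d1, d1.t1, pii_rows,
-- alice and bob are constructed names.

-- Security team: may define policies in d1 but never attaches them.
CREATE ROLE security_manager;
GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE security_manager;
GRANT CREATE ROW ACCESS POLICY ON DATABASE d1 TO ROLE security_manager;

-- Data team: may attach policies it did not write, but cannot create,
-- alter or drop them (no ALTER/DROP ON ... POLICY is granted).
CREATE ROLE db_owner;
GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE db_owner;
-- Row access policies are granted per policy here; pii_rows is assumed
-- to have been created by security_manager beforehand.
GRANT APPLY ON ROW ACCESS POLICY pii_rows TO ROLE db_owner;

-- ALTER TABLE ... SET MASKING POLICY / ADD ROW ACCESS POLICY needs ALTER on
-- the table in addition to APPLY on the policy; without this grant the
-- data team cannot attach anything even though APPLY was granted.
GRANT ALTER ON TABLE d1.t1 TO ROLE db_owner;

-- Bind roles to people; privileges stay on the roles, not the users.
GRANT security_manager TO USER 'alice'@'%';
GRANT db_owner TO USER 'bob'@'%';

-- Tightening later, e.g. when row-level policies move to a central team:
REVOKE APPLY ON ROW ACCESS POLICY pii_rows FROM ROLE db_owner;
```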