- Release Notes
- Introduction to CelerData Cloud Serverless
- Quick Start
- Sign up for CelerData Cloud Serverless
- A quick tour of the console
- Connect to CelerData Cloud Serverless
- Create an IAM integration
- Create and assign a warehouse
- Create an external catalog
- Load data from cloud storage
- Load data from Apache Kafka/Confluent Cloud
- Try your first query
- Invite new users
- Design data access control policy
- Warehouses
- Catalog, database, table, view, and MV
- Overview of database objects
- Catalog
- Table types
- Asynchronous materialized views
- Data Loading
- Data access control
- Networking and private connectivity
- Usage and Billing
- Organization and Account
- Integration
- Query Acceleration
- Reference
- AWS IAM policies
- Information Schema
- Overview
- be_bvars
- be_cloud_native_compactions
- be_compactions
- character_sets
- collations
- column_privileges
- columns
- engines
- events
- global_variables
- key_column_usage
- load_tracking_logs
- loads
- materialized_views
- partitions
- pipe_files
- pipes
- referential_constraints
- routines
- schema_privileges
- schemata
- session_variables
- statistics
- table_constraints
- table_privileges
- tables
- tables_config
- task_runs
- tasks
- triggers
- user_privileges
- views
- Data Types
- System Metadatabase
- Keywords
- SQL Statements
- Account Management
- Data Definition
- CREATE TABLE
- ALTER TABLE
- DROP CATALOG
- CREATE TABLE LIKE
- REFRESH EXTERNAL TABLE
- RESTORE
- SET CATALOG
- DROP TABLE
- RECOVER
- USE
- CREATE MATERIALIZED VIEW
- DROP DATABASE
- ALTER MATERIALIZED VIEW
- DROP REPOSITORY
- CANCEL RESTORE
- DROP INDEX
- DROP MATERIALIZED VIEW
- CREATE DATABASE
- CREATE TABLE AS SELECT
- BACKUP
- CANCEL BACKUP
- CREATE REPOSITORY
- CREATE INDEX
- Data Manipulation
- INSERT
- SHOW CREATE DATABASE
- SHOW BACKUP
- SHOW ALTER MATERIALIZED VIEW
- SHOW CATALOGS
- SHOW CREATE MATERIALIZED VIEW
- SELECT
- SHOW ALTER
- SHOW MATERIALIZED VIEW
- RESUME ROUTINE LOAD
- ALTER ROUTINE LOAD
- SHOW TABLES
- STREAM LOAD
- SHOW PARTITIONS
- CANCEL REFRESH MATERIALIZED VIEW
- SHOW CREATE CATALOG
- SHOW ROUTINE LOAD TASK
- SHOW RESTORE
- CREATE ROUTINE LOAD
- STOP ROUTINE LOAD
- SHOW DATABASES
- BROKER LOAD
- SHOW ROUTINE LOAD
- PAUSE ROUTINE LOAD
- SHOW SNAPSHOT
- SHOW CREATE TABLE
- CANCEL LOAD
- REFRESH MATERIALIZED VIEW
- SHOW REPOSITORIES
- SHOW LOAD
- Administration
- DESCRIBE
- SQL Functions
- Function List
- String Functions
- CONCAT
- HEX
- LOWER
- SPLIT
- LPAD
- SUBSTRING
- PARSE_URL
- INSTR
- REPEAT
- LCASE
- REPLACE
- HEX_DECODE_BINARY
- RPAD
- SPLIT_PART
- STRCMP
- SPACE
- CHARACTER_LENGTH
- URL_ENCODE
- APPEND_TAILING_CHAR_IF_ABSENT
- LTRIM
- HEX_DECODE_STRING
- URL_DECODE
- LEFT
- STARTS_WITH
- CONCAT
- GROUP_CONCAT
- STR_TO_MAP
- STRLEFT
- STRRIGHT
- MONEY_FORMAT
- RIGHT
- SUBSTRING_INDEX
- UCASE
- TRIM
- FIND_IN_SET
- RTRIM
- ASCII
- UPPER
- REVERSE
- LENGTH
- UNHEX
- ENDS_WITH
- CHAR_LENGTH
- NULL_OR_EMPTY
- LOCATE
- CHAR
- Predicate Functions
- Map Functions
- Binary Functions
- Geospatial Functions
- Lambda Expression
- Utility Functions
- Bitmap Functions
- BITMAP_SUBSET_LIMIT
- TO_BITMAP
- BITMAP_AGG
- BITMAP_FROM_STRING
- BITMAP_OR
- BITMAP_REMOVE
- BITMAP_AND
- BITMAP_TO_BASE64
- BITMAP_MIN
- BITMAP_CONTAINS
- SUB_BITMAP
- BITMAP_UNION
- BITMAP_COUNT
- BITMAP_UNION_INT
- BITMAP_XOR
- BITMAP_UNION_COUNT
- BITMAP_HAS_ANY
- BITMAP_INTERSECT
- BITMAP_AND_NOT
- BITMAP_TO_STRING
- BITMAP_HASH
- INTERSECT_COUNT
- BITMAP_EMPTY
- BITMAP_MAX
- BASE64_TO_ARRAY
- BITMAP_TO_ARRAY
- Struct Functions
- Aggregate Functions
- RETENTION
- MI
- MULTI_DISTINCT_SUM
- WINDOW_FUNNEL
- STDDEV_SAMP
- GROUPING_ID
- HLL_HASH
- AVG
- HLL_UNION_AGG
- COUNT
- BITMAP
- HLL_EMPTY
- SUM
- MAX_BY
- PERCENTILE_CONT
- COVAR_POP
- PERCENTILE_APPROX
- HLL_RAW_AGG
- STDDEV
- CORR
- COVAR_SAMP
- MIN_BY
- MAX
- VAR_SAMP
- STD
- HLL_UNION
- APPROX_COUNT_DISTINCT
- MULTI_DISTINCT_COUNT
- VARIANCE
- ANY_VALUE
- COUNT_IF
- GROUPING
- PERCENTILE_DISC
- Array Functions
- ARRAY_CUM_SUM
- ARRAY_MAX
- ARRAY_LENGTH
- ARRAY_REMOVE
- UNNEST
- ARRAY_SLICE
- ALL_MATCH
- ARRAY_CONCAT
- ARRAY_SORT
- ARRAY_POSITION
- ARRAY_DIFFERENCE
- ARRAY_CONTAINS
- ARRAY_JOIN
- ARRAY_INTERSECT
- CARDINALITY
- ARRAY_CONTAINS_ALL
- ARRAYS_OVERLAP
- ARRAY_MIN
- ARRAY_MAP
- ELEMENT_AT
- ARRAY_APPEND
- ARRAY_SORTBY
- ARRAY_TO_BITMAP
- ARRAY_GENERATE
- ARRAY_AVG
- ARRAY_FILTER
- ANY_MATCH
- REVERSE
- ARRAY_AGG
- ARRAY_DISTINCT
- ARRAY_SUM
- Condition Functions
- Math Functions
- Date and Time Functions
- DAYNAME
- MINUTE
- FROM_UNIXTIME
- HOUR
- MONTHNAME
- MONTHS_ADD
- ADD_MONTHS
- DATE_SUB
- PREVIOUS_DAY
- TO_TERA_DATA
- MINUTES_SUB
- WEEKS_ADD
- HOURS_DIFF
- UNIX_TIMESTAMP
- DAY
- DATE_SLICE
- DATE
- CURTIME
- SECONDS_SUB
- MONTH
- WEEK
- TO_DATE
- TIMEDIFF
- MONTHS_DIFF
- STR_TO_JODATIME
- WEEK_ISO
- MICROSECONDS_SUB
- TIME_SLICE
- MAKEDATE
- DATE_TRUNC
- JODATIME
- DAYOFWEEK
- YEARS_SUB
- TIMESTAMP_ADD
- HOURS_SUB
- STR2DATE
- TIMESTAMP
- FROM_DAYS
- WEEK_OF_YEAR
- YEAR
- TIMESTAMP_DIFF
- TO_TERA_TIMESTAMP
- DAYOFMONTH
- DAYOFYEAR
- DATE_FORMAT
- MONTHS_SUB
- NEXT_DAY
- MINUTES_DIFF
- DATA_ADD
- MINUTES_ADD
- CURDATE
- DAY_OF_WEEK_ISO
- CURRENt_TIMESTAMP
- STR_TO_DATE
- LAST_DAY
- WEEKS_SUB
- TO_DAYS
- DATEDIFF
- NOW
- TO_ISO8601
- TIME_TO_SEC
- QUARTER
- SECONDS_DIFF
- UTC_TIMESTAMP
- DATA_DIFF
- SECONDS_ADD
- ADDDATE
- WEEKSDIFF
- CONVERT_TZ
- MICROSECONDS_ADD
- SECOND
- YEARS_DIFF
- YEARS_ADD
- HOURS_ADD
- DAYS_SUB
- DAYS_DIFF
- Cryptographic Functions
- Percentile Functions
- Bit Functions
- JSON Functions
- Hash Functions
- Scalar Functions
- Table Functions
Manage privileges for policies
Privilege items
Policy creation and application are controlled by privileges such as CREATE, APPLY, ALTER, and DROP. Administrators can determine whether to delegate these privileges to some departments or roles based on business scenarios.
| Privilege item | Description |
|---|---|
| CREATE MASKING POLICY | Creates a masking policy in a database. |
| CREATE ROW ACCESS POLICY | Creates a row access policy in a data base |
| APPLY | Applies a policy to a table. |
| ALTER | Modifies a policy. |
| DROP | Drops a policy. |
CREATE MASKING POLICY,CREATE ROW ACCESS POLICY
Controls whether users or roles have the permission to create a policy in a database.
GRANT CREATE MASKING POLICY ON DATABASE <db_name> TO ROLE <role_name>
GRANT CREATE ROW ACCESS POLICY ON DATABASE <db_name> TO ROLE <role_name>
REVOKE CREATE MASKING POLICY ON DATABASE <db_name> FROM ROLE <role_name>
REVOKE CREATE ROW ACCESS POLICY ON DATABASE <db_name> FROM ROLE <role_name>APPLY
Controls whether users or roles have the permission to apply a policy or apply all policies.
GRANT APPLY ON MASKING POLICY <policy_name> TO ROLE <role_name>
GRANT APPLY ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name>
REVOKE APPLY ON MASKING POLICY <policy_name> FROM ROLE <role_name>
REVOKE APPLY ON ROW ACCESS POLICY <policy_name> FROM ROLE <role_name>GRANT APPLY ON ALL MASKING POLICIES TO ROLE <role_name>
GRANT APPLY ON ALL MASKING POLICIES IN ALL DATABASES TO ROLE <role_name>ALTER
Controls whether users or roles have the permission to modify a policy.
GRANT ALTER ON MASKING POLICY <policy_name> TO ROLE <role_name>
GRANT ALTER ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name>DROP
Controls whether users or roles have the permission to drop a policy.
GRANT DROP ON MASKING POLICY <policy_name> TO ROLE <role_name>
GRANT DROP ON ROW ACCESS POLICY <policy_name> TO ROLE <role_name>Privileges required for SQL commands
The SQL commands used to create and manage policies require privileges. You can refer to Masking policies and Row access policies for the syntax and examples of these commands.
Masking policy
| SQL | Required privileges | GRANT syntax |
|---|---|---|
| CREATE MASKING POLICY | CREATE MASKING POLICY | GRANT CREATE MASKING POLICY ON DATABASE <db_name> TO ROLE <role_name> |
| ALTER TABLE...SET MASKING POLICY | ALTER and APPLY |
|
| ALTER TABLE...UNSET MASKING POLICY | ALTER | GRANT ALTER ON TABLE <table_name> TO ROLE <role_name> |
| ALTER MASKING POLICY | ALTER | GRANT ALTER ON MASKING POLICY <policy_name> to ROLE <role_name> |
| SHOW MASKING POLICIES | None | None |
| SHOW CREATE MASKING POLICY | Any of APPLY, ALTER, or DROP | |
| DROP MASKING POLICY | DROP | GRANT DROP ON MASKING POLICY <policy_name> to ROLE <role_name> |
Row access policy
| SQL | Required privileges | GRANT syntax |
|---|---|---|
| CREATE ROW ACCESS POLICY POLICY | CREATE ROW ACCESS POLICY | GRANT CREATE ROW ACCESS POLICY ON DATABASE <db_name> TO ROLE <role_name> |
| ALTER TABLE...ADD ROW ACCESS POLICY | ALTER and APPLY |
|
| ALTER TABLE...DROP ROW ACCESS POLICY | ALTER | GRANT ALTER ON TABLE <table_name> TO ROLE <role_name> |
| ALTER ROW ACCESS POLICY | ALTER | GRANT ALTER ON ROW ACCESS POLICY <policy_name> to ROLE <role_name> |
| SHOW ROW ACCESS POLICIES | None | None |
| SHOW CREATE ROW ACCESS POLICY | Any of APPLY, ALTER, or DROP | |
| DROP ROW ACCESS POLICY | DROP | GRANT DROP ON ROW ACCESS POLICY <policy_name> to ROLE <role_name> |
Manage privileges
Three data administration models are supported to realize segregation of duties: centralized, decentralized, and hybrid administration. You can decide how to delegate policy-related privileges to suit your business requirements.
| Centralized | Hybrid | Decentralized | |
|---|---|---|---|
| CREATE | Security manager | Security manager | Individual teams |
| APPLY | Security manager | Individual teams | Individual teams |
Centralized: Only the administrator is allowed to manage policies.
CREATE ROLE security_manager; GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE security_manager; GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE security_manager;Hybrid: Both the administrator and other roles can manage policies.
CREATE ROLE security_manager; GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE security_manager; GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE db_owner;Decentralized: Policies are managed by other roles.
CREATE ROLE db_owner; GRANT CREATE MASKING POLICY ON DATABASE d1 TO ROLE db_owner; GRANT APPLY ON ALL MASKING POLICIES ON DATABASE d1 TO ROLE db_owner;