- User Management
- Role Management
- Privilege Management
- Impersonation (Execute As…) - enables execution of commands as another user
User Management
The ability to manage user accounts is available through SQL, using the following commands: See Users for details about users within Kinetica.CREATE USER
Users can be added to the system and assigned permissions either directly or via roles. Optionally, the user can be associated with a resource group and/or be assigned a default schema.CREATE USER Syntax
The password needs to be single-quoted and must not contain single quotes.
Examples
Two of the ways to create a new internal user with the user ID of jsmith and a password of secret are:CREATE USER Example
CREATE USER with Resource Group Example
@ symbol; no password is
supplied, as the user will be externally authenticated:
CREATE USER (External) Example
ALTER USER
Any of the following facets of a user can be altered, either individually or as a group:- password
- resource group
- default schema
ALTER USER Syntax
The password needs to be single-quoted and must not contain single quotes.
Examples
To alter a user with the user ID of jsmith, assigning a password of new_secret, and the memory_over_execution resource group:ALTER USER with Resource Group Example
ALTER USER Removing Resource Group Example
DROP USER
Any user, other than the default users, can be removed from the system. Note that any database objects created by a user will remain when the user is removed.DROP USER Syntax
Examples
To drop an internal user jsmith:DROP USER (Internal) Example
DROP USER (External) Example
SHOW SECURITY FOR User
For any one or more (or all) users in the system, the following can be listed: In addition, permissions, roles, & resource groups will be listed recursively for the roles the specified users have and the roles those roles have, etc. This allows the full set of permissions for a given user, both direct & inherited, to be viewed with one command.SHOW SECURITY FOR User Syntax
Examples
To show the permissions, roles, resource group, and default schema for user jsmith:SHOW SECURITY FOR User Example
Role Management
The ability to manage roles is available through SQL, using the following commands: See Roles for details about roles within Kinetica.CREATE ROLE
A new role can be created as a container for permissions or other roles, though both of those must be granted to the role after its creation. Optionally, the role can be associated with a resource group.CREATE ROLE Syntax
Examples
To create an analyst role:CREATE ROLE Example
CREATE ROLE with Resource Group Example
ALTER ROLE
A role can have its associated resource group modified.ALTER ROLE Syntax
Examples
To assign the memory_over_execution resource group to the analyst role:ALTER ROLE Example
ALTER ROLE Removing Resource Group Example
DROP ROLE
Dropping a role will remove the associated permissions & roles granted through the role to all users with the role. Users & roles granted the same permissions either directly or via other roles will retain those permissions. Any role, other than the default roles, can be removed from the system.DROP ROLE Syntax
Examples
To drop the analyst role:DROP ROLE Example
SHOW SECURITY FOR Role
For any one or more (or all) roles in the system, the following can be listed: In addition, these attributes will be listed recursively for the roles the specified roles have and the roles those roles have, etc. This allows the full set of permissions for a given role, both direct & inherited, to be viewed with one command.SHOW SECURITY FOR Role Syntax
Examples
To show the permissions, roles, and resource group for the analyst role:SHOW SECURITY FOR Role Example
Privilege Management
The ability to manage user & role privileges is available through SQL, using the following commands:- Roles (GRANT | REVOKE)
- System Permissions (GRANT | REVOKE)
- Schema Permissions (GRANT | REVOKE)
- Table Permissions (GRANT | REVOKE)
- Credential Permissions (GRANT | REVOKE)
- Data Source Permissions (GRANT | REVOKE)
- Data Sink Permissions (GRANT | REVOKE)
- Directory Permissions (GRANT | REVOKE)
- Function Permissions (GRANT | REVOKE)
- Graph Permissions (GRANT | REVOKE)
- Procedure Permissions (GRANT | REVOKE)
- SQL-GPT Context Permissions (GRANT | REVOKE)
- Stream Permissions (GRANT | REVOKE)
- SHOW SECURITY
- CHECK
GRANT Role
Roles can be granted directly to users or other roles.GRANT Role Syntax
Examples
To grant a role allowing access to analyst tables to the analyst role, and then grant that analyst role to user jsmith:GRANT ROLE Example
GRANT SYSTEM Permission
System permissions can be granted directly to users or roles.System Administration
GRANT System Administrative Permission Syntax
| Permission | Description |
|---|---|
SYSTEM ADMIN | System administrator permission |
System Management
GRANT System Management Permission Syntax
| Permission | Description |
|---|---|
SYSTEM CREATE | System create permission |
SYSTEM MONITOR | System monitor permission |
SYSTEM READ | System read permission |
SYSTEM WRITE | System write permission |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
User Administration
GRANT User Administrative Permission Syntax
| Permission | Description |
|---|---|
USER ADMIN | User administrator permission |
Create Directory
GRANT KiFS Directory Create Permission Syntax
| Permission | Description |
|---|---|
CREATE DIRECTORY | Create directory permission |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Create UDF/UDTF
GRANT UDF Create Permission Syntax
| Permission | Description |
|---|---|
CREATE FUNCTION | Create UDF/UDTF permission |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant system administrator permission to jsmith:GRANT SYSTEM ADMIN Example
GRANT SYSTEM READ Example
GRANT USER ADMIN Example
GRANT Schema Permission
Schema permissions, which allow management of schemas and their contained objects can be granted directly to users or roles.GRANT Schema Permission Syntax
Parameters
PRIVILEGES
PRIVILEGES
Optional keyword for SQL-92 compatibility.
SCHEMA
SCHEMA
Optional keyword to avoid ambiguity between a grant to a schema and a grant to a
table/view in the user’s default schema.
<schema reference>
<schema reference>
Either the name of the schema to which access is being granted or a wildcard expression
signifying the schema(s) and table(s)/views(s) to which access is being granted.
| Wildcard Form | Selected Objects |
|---|---|
* | All schemas currently in the database |
. | All schemas, tables, & views currently in the database |
<object type>
<object type>
For granting
CREATE privilege, the object type to give permission to create in the
given schema.Supported object types include:| Target Type | Description |
|---|---|
CONTEXT | SQL-GPT context object |
CREDENTIAL | Credential object |
DATA SINK | External data sink |
DATA SOURCE | External data source |
GRAPH | Graph |
PROCEDURE | SQL stored procedure |
STREAM | Stream |
TABLE | Table (or view) |
WITH GRANT OPTION
WITH GRANT OPTION
Grant this permission with a
grant option to grant it to others.
The
ALL permission corresponds to the native
table_admin permission,
which gives full read/write access as well as the additional permission to
CREATE, ALTER, & DROP any table or view in the specified
schema(s).Examples
To grantSELECT access on all schemas to the auditor role:
GRANT Read on Schemas to Role Example
SELECT access on all current and future tables & views within the
app_schema schema to the app_user role:
GRANT Read on Schema to Role Example
GRANT All Permissions on All Schemas/Tables/Views to Role Example
GRANT Table Permission
Table permissions, which can be applied to tables and views, can be granted directly to users or roles.For granting the ability to create tables, see
GRANT Schema Permission.
SELECT privilege by specifying a WHERE clause expression.
Column-level security can be invoked for
SELECT privilege by specifying a list of accessible columns and/or
column security functions.
GRANT Table Permission Syntax
Parameters
PRIVILEGES
PRIVILEGES
Optional keyword for SQL-92 compatibility.
ON
ON
Optional object specifier for granting permission to a specific object or set of objects.
If not specified, then the grant will be for all tables and views
in all schemas now and in the future
TABLE
TABLE
Optional keyword for SQL-92 compatibility, and to avoid ambiguity between a grant to a
table/view in the user’s default schema (when
<schema name> is omitted) and a grant
to a schema.<object reference>
<object reference>
The name of the table/view and/or schema to which access is being granted.
the following forms are valid:
| Form | Selected Objects |
|---|---|
| <schema>.<object> | Fully-qualified table or view name in the specified schema |
. | All existing tables & views that the granting user can see across all schemas |
* | All existing schemas that the granting user can see, which will grant access to all tables and views in those schemas now and in the future |
| <schema> | All tables and views in the specified schema now and in the future |
| <object> | Table or view in the default schema. If a schema exists with the same name, it will be used. To avoid this, specify the fully-qualified object name. |
<column list>
<column list>
Optional comma-separated list of specific table columns and/or
column security functions applied to columns
on which to grant access; see Column-Level Security for details.
WHERE <expression>
WHERE <expression>
Optional filter expression on the table to which access is being granted, determining to
which rows of the target table the grantee will be given access; see
Row-Level Security for details.
WITH GRANT OPTION
WITH GRANT OPTION
Grant this permission with a
grant option to grant it to others.
WITH GRANT OPTION is not allowed when also granting with row or column
restrictions.The
ALL permission corresponds to the native
table_admin permission, which
gives full read/write access as well as the additional permission either to
ALTER and DROP the specified table.Examples
For example, to grant full access on the network_config table to jsmith:GRANT All Permissions on Table to User Example
SELECT access on the network_config_history table to the
analyst role:
GRANT Read on Table to Role Example
GRANT All Permissions on Current Tables/Views in Schema to Role Example
Row-Level Security Examples
To grantSELECT access on an rx_order table for all orders placed since
the year 2002:
GRANT Row-Level Access by Filter Example
SELECT access on an rx_order table for only orders belonging
to the current user:
GRANT Row-Level Access Tied to Current User Example
Column-Level Security Examples
To grantSELECT access on the following columns of an rx_order table:
- obfuscated version of the orderer’s social security number
- name of the prescription ordered
- order date/time
GRANT Obfuscated Column-Level Access Example
SELECT access on the following columns of an rx_order table:
- masked version of the orderer’s social security number (last 4 digits)
- name of the orderer
- name of the prescription ordered
- order date/time
GRANT Masked Column-Level Access Example
GRANT Credential Permission
Credential permissions, which allow management of credentials, can be granted directly to users or roles.For granting the ability to create credentials, see
GRANT Schema Permission.
GRANT Credential Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Modify or drop the given credential (includes READ access). |
READ | Use or view the configuration of the given credential. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant read access on the credential named auser_azure_active_dir_creds to the auser user:GRANT Credential Use Permission Example
GRANT Credential Administrative Permission Example
GRANT Data Source Permission
Data source permissions, which allow management of data sources, can be granted directly to users or roles.For granting the ability to create data sources, see
GRANT Schema Permission.
GRANT Data Source Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Modify or drop the given data source (includes CONNECT access). |
CONNECT | Connect to, load data into, or view the configuration of the given data source. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant connect access on the data source named kin_ds to the auser user:GRANT Data Source Use Permission Example
GRANT Data Source Administrative Permission Example
GRANT Data Sink Permission
Data sink permissions, which allow management of data sinks, can be granted directly to users or roles.For granting the ability to create data sinks, see
GRANT Schema Permission.
GRANT Data Sink Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Modify or drop the given data sink (includes CONNECT access). |
CONNECT | Connect to, load data into, or view the configuration of the given data sink. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant connect & load access on the data sink named kin_dsink to the auser user:GRANT Data Sink Use Permission Example
GRANT Data Sink Administrative Permission Example
GRANT Directory Permission
KiFS directory permissions, which allow management of files within KiFS directories, can be granted directly to users or roles.For granting the ability to create directories, see
GRANT SYSTEM Permission.
GRANT Directory Permission Syntax
| Permission | Description |
|---|---|
READ | List, download, or load data from files within the given directory. |
WRITE | Upload files to or delete files from the given directory (includes READ access). |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant read access on a directory named kdata to the kuser user:GRANT Directory Read Permission Example
GRANT Directory Write Permission Example
GRANT Function (UDF/UDTF) Permission
Function permissions, which allow management of UDFs/UDTFs, can be granted directly to users or roles.For granting the ability to create UDFs/UDTFs, see
GRANT SYSTEM Permission.
GRANT FUNCTION (UDF) Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Drop the given UDF, and display full configuration about it (includes EXECUTE access). When * is used instead of function name, gives permission to manage Python UDF function environments. |
EXECUTE | Run and terminate the given UDF, and display limited configuration about it. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Use
* instead of function name to grant the specified permission
to all existing & future UDFs.Examples
To grant execute on the udf_sos_py_proc UDF to udf_user:GRANT Function Execute Permission Example
GRANT Function Administrative Permission Example
GRANT Graph Permission
Graph permissions, which allow management of graphs, can be granted directly to users or roles.For granting the ability to create graphs, see
GRANT Schema Permission.
GRANT Graph Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Drop the given graph (includes WRITE access). |
READ | Query, match, solve, & show the given graph. |
WRITE | Modify the given graph (includes READ access). |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant query, match, solve, & show access on the graph named big_cities_graph to geo_user:GRANT Graph Permission Example
GRANT Procedure Permission
Procedure permissions, which allow execution of SQL procedures, can be granted directly to users or roles.For granting the ability to create SQL procedures, see
GRANT Schema Permission.
GRANT EXECUTE PROCEDURE Permission Syntax
| Permission | Description |
|---|---|
EXECUTE | Run the given SQL procedure. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant execute on the sqlp_weekly procedure to spuser:GRANT EXECUTE PROCEDURE Permission Example
GRANT SQL-GPT Context Permission
SQL-GPT context permissions, which allow management of SQL-GPT contexts, can be granted directly to users or roles.For granting the ability to create SQL-GPT contexts, see
GRANT Schema Permission.
GRANT SQL-GPT Context Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Modify or drop the given context (includes READ access). |
READ | Use the given context to generate SQL using a SQL-GPT query. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant read access on the SQL-GPT context named example.atc_ctx to the ctxuser user:GRANT SQL-GPT Context Permission Example
GRANT Stream Permission
Stream permissions, which allow removal & display of streams, can be granted directly to users or roles.For granting the ability to create streams, see
GRANT Schema Permission.
GRANT Stream Administrative Permission Syntax
| Permission | Description |
|---|---|
ADMIN | Drop the given stream. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant administrative access on the stream named kin_stream to the auser user:GRANT Stream Administrative Permission Example
REVOKE Role
Roles can be revoked from users or other roles.REVOKE Role Syntax
Examples
To revoke a role allowing access to analyst tables from the analyst role:REVOKE Role from Role Example
REVOKE Role from User Example
REVOKE SYSTEM Permission
System permissions can be revoked from users or roles.REVOKE System Administrative Permission Syntax
REVOKE User Administrative Permission Syntax
REVOKE KiFS Directory Create Permission Syntax
REVOKE UDF Create Permission Syntax
Examples
To revoke system administrator permission from jsmith:REVOKE SYSTEM ADMIN Example
REVOKE SYSTEM READ Example
REVOKE USER ADMIN Example
REVOKE Schema Permission
Schema permissions, which allow management of schemas and their contained objects can be revoked from users or roles.REVOKE Schema Permission Syntax
Parameters
PRIVILEGES
PRIVILEGES
Optional keyword for SQL-92 compatibility
SCHEMA
SCHEMA
Optional keyword to avoid ambiguity between revoking a grant to a schema and a grant to a
table/view in the user’s default schema
<schema reference>
<schema reference>
Either the name of the schema to which access is being revoked or a wildcard expression
signifying the schema(s) and table(s)/views(s) to which access is being revoked
| Wildcard Form | Selected Objects |
|---|---|
* | All schemas currently in the database |
. | All schemas, tables, & views currently in the database |
<object type>
<object type>
For revoking
CREATE privilege, the object type to remove permission to create in the
given schema.Supported object types include:| Target Type | Description |
|---|---|
CONTEXT | SQL-GPT context object |
CREDENTIAL | Credential object |
DATA SINK | External data sink |
DATA SOURCE | External data source |
GRAPH | Graph |
PROCEDURE | SQL stored procedure |
STREAM | Stream |
TABLE | Table (or view) |
The
ALL permission corresponds to the native
table_admin permission,
which gives full read/write access as well as the additional permission to
CREATE, ALTER, & DROP any table or view in the specified
schema(s).Examples
To revokeSELECT access on all schemas from the auditor role:
REVOKE Read on Schemas from Role Example
SELECT access on all current and future tables & views within the
app_schema schema from the app_user role:
REVOKE Read on Schema from Role Example
REVOKE All Permissions on All Schemas/Tables/Views from Role Example
REVOKE Table Permission
Table permissions, which can be applied to tables and views, can be revoked from users or roles.For revoking the ability to create tables, see
REVOKE Schema Permission.
SELECT privilege only by revoking SELECT privilege from the entire
table.
Access to individual rows cannot be revoked; instead, full
SELECT
access should be revoked, followed by a grant of access to the appropriate
rows.SELECT privilege by specifying a list of columns for which access will be
revoked, regardless of any security functions that may have been applied to the
column when granting access (HASH, MASK).
REVOKE Table Permission Syntax
Parameters
PRIVILEGES
PRIVILEGES
Optional keyword for SQL-92 compatibility
TABLE
TABLE
Optional keyword for SQL-92 compatibility, and to avoid ambiguity between revoking a
grant to a table/view in the user’s default schema (when
<schema name> is omitted)
and a grant to a schema<schema name>
<schema name>
The name of the schema containing the table/view to which access is being revoked; if
omitted, the table/view will be looked for in the default schema
<table/view name>
<table/view name>
The name of the table to which access is being revoked; the wildcard
* can be used to
revoke access to all tables/views within the given <schema name> schema<column list>
<column list>
Optional comma-separated list of specific table columns to which access is being revoked;
see Column-Level Security for details
The
ALL permission corresponds to the native
table_admin permission, which
gives full read/write access as well as the additional permission either to
ALTER and DROP the specified table or to CREATE, ALTER, &
DROP all tables in the specified schema.Examples
For example, to revoke full access on the network_config table from jsmith:REVOKE All Permissions on Table from User Example
SELECT access on the network_config_history table from the
analyst role:
REVOKE Read on Table from Role Example
REVOKE All Permissions on Current Tables/Views in Schema from Role Example
Row-Level Security Examples
To revokeSELECT access on an rx_order table for all orders placed since
the year 2002 (as was granted in the
row-level grant example), revoke all
SELECT access:
REVOKE Row-Level Access Example
Column-Level Security Examples
To revokeSELECT access on the following columns of an rx_order table:
- orderer’s social security number
REVOKE Obfuscated Column-Level Access Example
SELECT access on the following columns of an rx_order table:
- masked version of the orderer’s social security number (last 4 digits)
- name of the prescription ordered
REVOKE Masked Column-Level Access Example
REVOKE Credential Permission
Permissions on credentials that have been granted directly to users or roles can be revoked.For revoking the ability to create credentials, see
REVOKE Schema Permission.
REVOKE Credential Permission Syntax
Examples
To revoke read access on the credential named auser_azure_active_dir_creds from the auser user:REVOKE Credential Use Permission Example
REVOKE Credential Administrative Permission Example
REVOKE Data Source Permission
Permissions on data sources that have been granted directly to users or roles can be revoked.For revoking the ability to create data sources, see
REVOKE Schema Permission.
REVOKE Data Source Permission Syntax
Examples
To revoke connect access on the data source named kin_ds from the auser user:REVOKE Data Source Use Permission Example
REVOKE Data Source Administrative Permission Example
REVOKE Data Sink Permission
Permissions on data sinks that have been granted directly to users or roles can be revoked.For revoking the ability to create data sinks, see
REVOKE Schema Permission.
REVOKE Data Sink Permission Syntax
Examples
To revoke connect access on the data sink named kin_dsink from the auser user:REVOKE Data Sink Use Permission Example
REVOKE Data Sink Administrative Permission Example
REVOKE Directory Permission
Permissions on KiFS directories that have been granted directly to users or roles can be revoked.For revoking the ability to create directories, see
REVOKE SYSTEM Permission.
REVOKE Directory Permission Syntax
Examples
To revoke read access on a directory named kdata from the kuser user:REVOKE Directory Read Permission Example
REVOKE Directory Write Permission Example
REVOKE Function (UDF/UDTF) Permission
Permissions relating to UDFs/UDTFs and Python UDF function environments that have been granted directly to users or roles can be revoked.For revoking the ability to create UDFs/UDTFs, see
REVOKE SYSTEM Permission.
REVOKE FUNCTION (UDF) Permission Syntax
Examples
To revoke execute on the udf_sos_py_proc UDF from udf_user:REVOKE Function Execute Permission Example
REVOKE Function Administrative Permission Example
REVOKE Graph Permission
Permissions on graphs that have been granted directly to users or roles can be revoked.For revoking the ability to create graphs, see
REVOKE Schema Permission.
REVOKE Graph Permission Syntax
Examples
To revoke query, match, solve, & show access on the graph named big_cities_graph from geo_user:REVOKE Graph Permission Example
REVOKE Procedure Permission
Permissions relating to SQL procedures can be revoked from users or roles.For revoking the ability to create SQL procedures, see
REVOKE Schema Permission.
REVOKE EXECUTE PROCEDURE Permission Syntax
Examples
To revoke execute on the sqlp_weekly procedure from spuser:REVOKE EXECUTE PROCEDURE Permission Example
REVOKE SQL-GPT Context Permission
Permissions on SQL-GPT contexts that have been granted directly to users or roles can be revoked.For revoking the ability to create SQL-GPT contexts, see
REVOKE Schema Permission.
REVOKE SQL-GPT Context Permission Syntax
Examples
To revoke read access on the SQL-GPT context named example.atc_ctx from the ctxuser user:REVOKE SQL-GPT Context Permission Example
REVOKE Stream Permission
Permissions on streams that have been granted directly to users or roles can be revoked.For revoking the ability to create streams, see
REVOKE Schema Permission.
REVOKE Stream Administrative Permission Syntax
Examples
To revoke administrative access on the stream named kin_stream from the auser user:REVOKE Stream Administrative Permission Example
SHOW SECURITY
For any one or more (or all) users and roles in the system, the following can be listed:- permissions
- roles
- resource groups
- default schema (users only)
SHOW SECURITY Syntax
Examples
To show the permissions, roles, resource groups, and default schema for user jsmith:SHOW SECURITY FOR User Example
SHOW SECURITY FOR Role Example
SHOW SECURITY FOR Multiple Users/Roles Example
SHOW SECURITY FOR All Users/Roles Example
CHECK
Users (or the current user) can have their effective permissions checked, including:- Role assignments
- Administrative permissions
- Object-level access
YES or NO will be returned, based on whether the given user
has the specified permissions or not, either directly or through a role or
administrative access.
Row/Column-level permission
information will be returned after the YES, if applicable.
CHECK PERMISSION Syntax
CHECK ROLE Syntax
Parameters
<permission>
<permission>
Permission to verify for the given userSupported permissions include:
| Permission | Description |
|---|---|
ADMIN | ALL | Applicable to credential objects and tables (or views) |
CONNECT | Applicable to external data sources |
DELETE | Applicable to tables |
EXECUTE | Applicable to User-Defined Functions (UDFs) and SQL stored procedures |
INSERT | Applicable to tables |
READ | Applicable to credential objects |
SELECT | Applicable to tables (or views) |
SYSTEM ADMIN | System admin permission |
SYSTEM CREATE | System create permission |
SYSTEM MONITOR | System monitor permission |
SYSTEM READ | System read permission |
SYSTEM WRITE | System write permission |
UPDATE | Applicable to tables |
USER ADMIN | User admin permission |
PERMISSION
PERMISSION
Optional keyword for clarity
ON
ON
Keyword for specifying the optional ON clause, which checks for the specified
permission
on the following target (and optional target type) given in this clause<target type>
<target type>
Optional keyword for specifying the object type of the target; may be necessary to disambiguate
same-named objects of differing typesSupported target types include:
| Target Type | Description |
|---|---|
CONTEXT | SQL-GPT context object |
CREDENTIAL | Credential object |
DATA SINK | External data source |
DATA SOURCE | External data source |
DIRECTORY | KiFS directory |
FUNCTION | User-Defined Function (UDF) |
GRAPH | Graph |
PROCEDURE | SQL stored procedure |
SCHEMA | Schema |
STREAM | Stream |
TABLE | Table (or view) |
<target>
<target>
Name of the object to which the given user’s specified permission will be checked
<role>
<role>
Name of the role of which the given user’s membership will be checked
FOR <user>
FOR <user>
Optional FOR clause, which checks whether the specified permission/role exists for the
user
given in this clause; if omitted, the current user will be checkedIF EXISTS
IF EXISTS
Optional error suppression clause, which causes the check to return
No if any of the entities
specified do not exist; without this clause, non-existent entities will return an errorImpersonation (Execute As…)
When logged into the database as one user, SQL commands can be run as a second user (that user can be impersonated). To do this, first log in to the database as an administrator, then switch to the second user, and finally, run the command. Afterwards, the original user can be reverted back to in order to execute commands as that administrator again; alternatively, an option can be specified to prevent switching back to the original user. The ability to impersonate other users is available through SQL, using the following commands:Only a user with administrator privilege can impersonate
another user, and only an administrator with a Kinetica database account.
Any users who are mapped to Kinetica as administrators via external
authentication will need to ensure that a corresponding Kinetica
administrator account has been created for impersonation to succeed.Additionally, impersonation is only supported via ODBC/JDBC.
EXECUTE AS
During a SQL session, a user can execute subsequent commands as another user.This command is only available through
KiSQL or database clients configured with
the Kinetica ODBC/JDBC driver.
EXECUTE AS Syntax
WITH NO REVERT option prevents the impersonated user from switching back
to the original user. This is useful in several cases, including:
- An administrator needs to run a script as a user with specific permissions, but doesn’t want the script to be able to revert back to administrator privileges during its execution.
- An application server connects to the database with its own credentials, but issues commands to the database on behalf of an application user. Again, there is a need to prevent the application user from reverting back to the application server’s database account and using those privileges to execute commands.
Example
To demonstrate the uses ofEXECUTE AS USER, the following commands can be
issued upon logging into the database as an administrator.
First, verify the current user is admin:
Show Current User Example
Current User Output
Switch User Example
Show Switched User
Switched User Output
Query Accessible Table as Switched User Example
Output
Query Inaccessible Table as Switched User Example
Output
Switch Back to Original User Example
Show Switched Back User
Switched Back User Output
WITH NO REVERT option:
Switch User without Reversion Example
Show Switched User
Switched User Output
Attempt to Switch Back Example
Output
Show Current User
Current User Output
REVERT
After using EXECUTE AS or SET USER to switch to another user, the original user can be switched back to using the following command:This command is only available through
KiSQL or database clients configured with
the Kinetica ODBC/JDBC driver.
REVERT Syntax
EXECUTE AS
example for an example usage
of REVERT.
SET USER
TheSET USER (or SETUSER) command is simply an alias for the
EXECUTE AS and
REVERT commands.
This command is only available through
KiSQL or database clients configured with
the Kinetica ODBC/JDBC driver.
SET USER Syntax
There is no ability to prevent reversion to the original user
when using the
SET USER command. To prevent reversion, see
EXECUTE AS.Revert User Syntax