Kinetica provides basic table-level role-based access control for users. It also allows global read/write and administrative access to be granted. Limited permission management and reporting capability is available through SQL.
Important
For details about Kinetica security, including managing users & roles, see Security Concepts.
Tip
A limited set of user/role information can be extracted via function calls. See User/Security Functions for details.
Security features accessible via SQL include:
- User Security Detail
- Role Security Detail
- Privilege Management
- Impersonation (Execute As...) - enables execution of commands as another user
User Security Detail
The ability to view user security details is available through SQL, using the following command:
See Users for details about users within Kinetica.
SHOW SECURITY FOR User
For any one or more (or all) users in the system, the following can be listed:
In addition, permissions, roles, & resource groups will be listed recursively for the roles the specified users have and the roles those roles have, etc. This allows the full set of permissions for a given user, both direct & inherited, to be viewed with one command.
|
|
For example, to show the permissions, roles, resource group, and default schema for user jsmith:
|
|
Role Security Detail
The ability to view role security detail is available through SQL, using the following command:
See Roles for details about roles within Kinetica.
SHOW SECURITY FOR Role
For any one or more (or all) roles in the system, the following can be listed:
In addition, these attributes will be listed recursively for the roles the specified roles have and the roles those roles have, etc. This allows the full set of permissions for a given role, both direct & inherited, to be viewed with one command.
|
|
To show the permissions, roles, and resource group for the analyst role:
|
|
Privilege Management
The ability to manage user & role privileges is available through SQL, using the following commands:
- System Permissions (GRANT | REVOKE)
- Schema Permissions (GRANT | REVOKE)
- Table Permissions (GRANT | REVOKE)
- Credential Permissions (GRANT | REVOKE)
- Data Source Permissions (GRANT | REVOKE)
- Data Sink Permissions (GRANT | REVOKE)
- Directory Permissions (GRANT | REVOKE)
- Function Permissions (GRANT | REVOKE)
- Graph Permissions (GRANT | REVOKE)
- Procedure Permissions (GRANT | REVOKE)
- SQL-GPT Context Permissions (GRANT | REVOKE)
- Stream Permissions (GRANT | REVOKE)
- SHOW SECURITY
- CHECK
See Users for details about user accounts within Kinetica.
GRANT SYSTEM Permission
System permissions can be granted directly to users or roles.
System Administration
|
|
Permission | Description |
---|---|
SYSTEM ADMIN | System administrator permission |
System Management
|
|
Permission | Description |
---|---|
SYSTEM CREATE | System create permission |
SYSTEM READ | System read permission |
SYSTEM WRITE | System write permission |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
User Administration
|
|
Permission | Description |
---|---|
USER ADMIN | User administrator permission |
Create Directory
|
|
Permission | Description |
---|---|
CREATE DIRECTORY | Create directory permission |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Create UDF/UDTF
|
|
Permission | Description |
---|---|
CREATE FUNCTION | Create UDF/UDTF permission |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Examples
To grant system administrator permission to jsmith:
|
|
To grant read access to all tables to the auditor role:
|
|
To grant user administrator permission to jsmith:
|
|
GRANT Schema Permission
Schema permissions, which allow management of schemas and their contained objects can be granted directly to users or roles.
|
|
Parameters | Description | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility. | ||||||||||||||||||
SCHEMA | Optional keyword to avoid ambiguity between a grant to a schema and a grant to a table/view in the user's default schema. | ||||||||||||||||||
<schema reference> | Either the name of the schema to which access is being granted or a wildcard expression signifying the schema(s) and table(s)/views(s) to which access is being granted.
| ||||||||||||||||||
<object type> | For granting CREATE privilege, the object type to give permission to create in the given schema. Supported object types include:
| ||||||||||||||||||
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission to CREATE, ALTER, & DROP any table or view in the specified schema(s).
Examples
To grant SELECT access on all schemas to the auditor role:
|
|
To grant SELECT access on all current and future tables & views within the app_schema schema to the app_user role:
|
|
To grant full access on each of the schemas, tables, & views in the database individually to the dbadmin role:
|
|
GRANT Table Permission
Table permissions, which can be applied to tables and views, can be granted directly to users or roles.
Important
For granting the ability to create tables, see GRANT Schema Permission.
Row-level security can be invoked for SELECT privilege by specifying a WHERE clause expression.
Column-level security can be invoked for SELECT privilege by specifying a list of accessible columns and/or column security functions.
|
|
Parameters | Description |
---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility. |
TABLE | Optional keyword for SQL-92 compatibility, and to avoid ambiguity between a grant to a table/view in the user's default schema (when <schema name> is omitted) and a grant to a schema. |
<schema name> | The name of the schema containing the table to which access is being granted; if omitted, the table/view will be looked for in the default schema. |
<table/view name> | The name of the table/view to which access is being granted; the wildcard * can be used to grant access to all tables/views within the given <schema name> schema. |
<column list> | Optional comma-separated list of specific table columns and/or column security functions applied to columns on which to grant access; see Column-Level Security for details. |
WHERE <expression> | Optional filter expression on the table to which access is being granted, determining to which rows of the target table the grantee will be given access; see Row-Level Security for details. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. Note WITH GRANT OPTION is not allowed when also granting with row or column restrictions. |
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission either to ALTER and DROP the specified table.
Examples
For example, to grant full access on the network_config table to jsmith:
|
|
To grant SELECT access on the network_config_history table to the analyst role:
|
|
To grant full access on each of the tables & views within the example schema to the developer role:
|
|
Row-Level Security Examples
To grant SELECT access on an rx_order table for all orders placed since the year 2002:
|
|
To grant SELECT access on an rx_order table for only orders belonging to the current user:
|
|
Column-Level Security Examples
To grant SELECT access on the following columns of an rx_order table:
- obfuscated version of the orderer's social security number
- name of the prescription ordered
- order date/time
|
|
To grant SELECT access on the following columns of an rx_order table:
- masked version of the orderer's social security number (last 4 digits)
- name of the orderer
- name of the prescription ordered
- order date/time
|
|
GRANT Credential Permission
Credential permissions, which allow management of credentials, can be granted directly to users or roles.
Important
For granting the ability to create credentials, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given credential (includes READ access). |
READ | Use or view the configuration of the given credential. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant read access on the credential named auser_azure_active_dir_creds to the auser user:
|
|
To grant administrative access on the credential to the auser user:
|
|
GRANT Data Source Permission
Data source permissions, which allow management of data sources, can be granted directly to users or roles.
Important
For granting the ability to create data sources, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given data source (includes CONNECT access). |
CONNECT | Connect to, load data into, or view the configuration of the given data source. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant connect access on the data source named kin_ds to the auser user:
|
|
To grant administrative access on the data source named kin_ds_anon to the auser user:
|
|
GRANT Data Sink Permission
Data sink permissions, which allow management of data sinks, can be granted directly to users or roles.
Important
For granting the ability to create data sinks, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given data sink (includes CONNECT access). |
CONNECT | Connect to, load data into, or view the configuration of the given data sink. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant connect & load access on the data sink named kin_dsink to the auser user:
|
|
To grant administrative access on the data sink named kin_dsink_http to the auser user:
|
|
GRANT Directory Permission
KiFS directory permissions, which allow management of files within KiFS directories, can be granted directly to users or roles.
Important
For granting the ability to create directories, see GRANT SYSTEM Permission.
|
|
Permission | Description |
---|---|
READ | List, download, or load data from files within the given directory. |
WRITE | Upload files to or delete files from the given directory (includes READ access). |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant read access on a directory named kdata to the kuser user:
|
|
To grant write access on a directory named kdata to the kuser user:
|
|
GRANT Function (UDF/UDTF) Permission
Function permissions, which allow management of UDFs/UDTFs, can be granted directly to users or roles.
Important
For granting the ability to create UDFs/UDTFs, see GRANT SYSTEM Permission.
|
|
Permission | Description |
---|---|
ADMIN | Drop the given UDF, and display full configuration about it (includes EXECUTE access). When * is used instead of function name, gives permission to manage Python UDF function environments. |
EXECUTE | Run and terminate the given UDF, and display limited configuration about it. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
Note
Use * instead of function name to grant the specified permission to all existing & future UDFs.
For example, to grant execute on the udf_sos_py_proc UDF to udf_user:
|
|
To grant administrative access on every existing & future UDF, as well as the ability to manage Python UDF environments, to udf_user:
|
|
GRANT Graph Permission
Graph permissions, which allow management of graphs, can be granted directly to users or roles.
Important
For granting the ability to create graphs, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
ADMIN | Drop the given graph (includes WRITE access). |
READ | Query, match, solve, & show the given graph. |
WRITE | Modify the given graph (includes READ access). |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant query, match, solve, & show access on the graph named big_cities_graph to geo_user:
|
|
GRANT Procedure Permission
Procedure permissions, which allow execution of SQL procedures, can be granted directly to users or roles.
Important
For granting the ability to create SQL procedures, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
EXECUTE | Run the given SQL procedure. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant execute on the sqlp_weekly procedure to spuser:
|
|
GRANT SQL-GPT Context Permission
SQL-GPT context permissions, which allow management of SQL-GPT contexts, can be granted directly to users or roles.
Important
For granting the ability to create SQL-GPT contexts, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
ADMIN | Modify or drop the given context (includes READ access). |
READ | Use the given context to generate SQL using a SQL-GPT query. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant read access on the SQL-GPT context named example.atc_ctx to the ctxuser user:
|
|
GRANT Stream Permission
Stream permissions, which allow removal & display of streams, can be granted directly to users or roles.
Important
For granting the ability to create streams, see GRANT Schema Permission.
|
|
Permission | Description |
---|---|
ADMIN | Drop the given stream. |
WITH GRANT OPTION | Grant this permission with a grant option to grant it to others. |
For example, to grant administrative access on the stream named kin_stream to the auser user:
|
|
REVOKE SYSTEM Permission
System permissions can be revoked from users or roles.
|
|
|
|
|
|
|
|
For example, to revoke system administrator permission from jsmith:
|
|
To revoke read access to all tables from the auditor role:
|
|
To revoke user administrator permission from jsmith:
|
|
REVOKE Schema Permission
Schema permissions, which allow management of schemas and their contained objects can be revoked from users or roles.
|
|
Parameters | Description | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility | ||||||||||||||||||
SCHEMA | Optional keyword to avoid ambiguity between revoking a grant to a schema and a grant to a table/view in the user's default schema | ||||||||||||||||||
<schema reference> | Either the name of the schema to which access is being revoked or a wildcard expression signifying the schema(s) and table(s)/views(s) to which access is being revoked
| ||||||||||||||||||
<object type> | For revoking CREATE privilege, the object type to remove permission to create in the given schema. Supported object types include:
|
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission to CREATE, ALTER, & DROP any table or view in the specified schema(s).
Examples
To revoke SELECT access on all schemas from the auditor role:
|
|
To revoke SELECT access on all current and future tables & views within the app_schema schema from the app_user role:
|
|
To revoke full access on each of the schemas, tables, & views in the database individually from the dbadmin role:
|
|
REVOKE Table Permission
Table permissions, which can be applied to tables and views, can be revoked from users or roles.
Important
For revoking the ability to create tables, see REVOKE Schema Permission.
Row-level security can be revoked for SELECT privilege only by revoking SELECT privilege from the entire table.
Note
Access to individual rows cannot be revoked; instead, full SELECT access should be revoked, followed by a grant of access to the appropriate rows.
Column-level security can be revoked for SELECT privilege by specifying a list of columns for which access will be revoked, regardless of any security functions that may have been applied to the column when granting access (HASH, MASK).
|
|
Parameters | Description |
---|---|
PRIVILEGES | Optional keyword for SQL-92 compatibility |
TABLE | Optional keyword for SQL-92 compatibility, and to avoid ambiguity between revoking a grant to a table/view in the user's default schema (when <schema name> is omitted) and a grant to a schema |
<schema name> | The name of the schema containing the table/view to which access is being revoked; if omitted, the table/view will be looked for in the default schema |
<table/view name> | The name of the table to which access is being revoked; the wildcard * can be used to revoke access to all tables/views within the given <schema name> schema |
<column list> | Optional comma-separated list of specific table columns to which access is being revoked; see Column-Level Security for details |
Note
The ALL permission corresponds to the native table_admin permission, which gives full read/write access as well as the additional permission either to ALTER and DROP the specified table or to CREATE, ALTER, & DROP all tables in the specified schema.
Examples
For example, to revoke full access on the network_config table from jsmith:
|
|
To revoke SELECT access on the network_config_history table from the analyst role:
|
|
To revoke full access on each of the tables & views within the example schema from the developer role:
|
|
Row-Level Security Examples
To revoke SELECT access on an rx_order table for all orders placed since the year 2002 (as was granted in the row-level grant example), revoke all SELECT access:
|
|
Column-Level Security Examples
To revoke SELECT access on the following columns of an rx_order table:
- orderer's social security number
|
|
To revoke SELECT access on the following columns of an rx_order table:
- masked version of the orderer's social security number (last 4 digits)
- name of the prescription ordered
|
|
REVOKE Credential Permission
Permissions on credentials that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create credentials, see REVOKE Schema Permission.
|
|
For example, to revoke read access on the credential named auser_azure_active_dir_creds from the auser user:
|
|
To revoke administrative access on the credential from the auser user:
|
|
REVOKE Data Source Permission
Permissions on data sources that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create data sources, see REVOKE Schema Permission.
|
|
For example, to revoke connect access on the data source named kin_ds from the auser user:
|
|
To revoke administrative access on the data source named kin_ds_anon from the auser user:
|
|
REVOKE Data Sink Permission
Permissions on data sinks that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create data sinks, see REVOKE Schema Permission.
|
|
For example, to revoke connect access on the data sink named kin_dsink from the auser user:
|
|
To revoke administrative access on the data sink named kin_dsink_http from the auser user:
|
|
REVOKE Directory Permission
Permissions on KiFS directories that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create directories, see REVOKE SYSTEM Permission.
|
|
For example, to revoke read access on a directory named kdata from the kuser user:
|
|
To revoke write access on a directory named kdata from the kuser user:
|
|
REVOKE Function (UDF/UDTF) Permission
Permissions relating to UDFs/UDTFs and Python UDF function environments that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create UDFs/UDTFs, see REVOKE SYSTEM Permission.
|
|
For example, to revoke execute on the udf_sos_py_proc UDF from udf_user:
|
|
To revoke administrative access on every existing & future UDF, as well as the ability to manage function environments, from udf_user:
|
|
REVOKE Graph Permission
Permissions on graphs that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create graphs, see REVOKE Schema Permission.
|
|
For example, to revoke query, match, solve, & show access on the graph named big_cities_graph from geo_user:
|
|
REVOKE Procedure Permission
Permissions relating to SQL procedures can be revoked from users or roles.
Important
For revoking the ability to create SQL procedures, see REVOKE Schema Permission.
|
|
For example, to revoke execute on the sqlp_weekly procedure from spuser:
|
|
REVOKE SQL-GPT Context Permission
Permissions on SQL-GPT contexts that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create SQL-GPT contexts, see REVOKE Schema Permission.
|
|
For example, to revoke read access on the SQL-GPT context named example.atc_ctx from the ctxuser user:
|
|
REVOKE Stream Permission
Permissions on streams that have been granted directly to users or roles can be revoked.
Important
For revoking the ability to create streams, see REVOKE Schema Permission.
|
|
For example, to revoke administrative access on the stream named kin_stream from the auser user:
|
|
SHOW SECURITY
For any one or more (or all) users and roles in the system, the following can be listed:
- permissions
- roles
- resource groups
- default schema (users only)
In addition, permissions, roles, & resource groups will be listed recursively for the roles the specified users/roles have and the roles those roles have, etc. This allows the full set of permissions for a given user or role, both direct & inherited, to be viewed with one command.
|
|
For example, to show the permissions, roles, resource groups, and default schema for user jsmith:
|
|
To show the permissions, roles, and resource groups for the analyst role:
|
|
To show the permissions, roles, resource groups, and default schema for the anonymous user and the public role:
|
|
To show all users & roles:
|
|
CHECK
Users (or the current user) can have their effective permissions checked, including:
- Role assignments
- Administrative permissions
- Object-level access
A result of YES or NO will be returned, based on whether the given user has the specified permissions or not, either directly or through a role or administrative access. Row/Column-level permission information will be returned after the YES, if applicable.
|
|
|
|
Parameters | Description | ||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
<permission> | Permission to verify for the given user Supported permissions include:
| ||||||||||||||||||||||||||||
PERMISSION | Optional keyword for clarity | ||||||||||||||||||||||||||||
ON | Keyword for specifying the optional ON clause, which checks for the specified permission on the following target (and optional target type) given in this clause | ||||||||||||||||||||||||||||
<target type> | Optional keyword for specifying the object type of the target; may be necessary to disambiguate same-named objects of differing types Supported target types include:
| ||||||||||||||||||||||||||||
<target> | Name of the object to which the given user's specified permission will be checked | ||||||||||||||||||||||||||||
<role> | Name of the role of which the given user's membership will be checked | ||||||||||||||||||||||||||||
FOR <user> | Optional FOR clause, which checks whether the specified permission/role exists for the user given in this clause; if omitted, the current user will be checked | ||||||||||||||||||||||||||||
IF EXISTS | Optional error suppression clause, which causes the check to return No if any of the entities specified do not exist; without this clause, non-existent entities will return an error |
Impersonation (Execute As...)
When logged into the database as one user, SQL commands can be run as a second user (that user can be impersonated). To do this, first log in to the database as an administrator, then switch to the second user, and finally, run the command. Afterwards, the original user can be reverted back to in order to execute commands as that administrator again; alternatively, an option can be specified to prevent switching back to the original user.
The ability to impersonate other users is available through SQL, using the following commands:
Important
Only a user with administrator privilege can impersonate another user, and only an administrator with a Kinetica database account. Any users who are mapped to Kinetica as administrators via external authentication will need to ensure that a corresponding Kinetica administrator account has been created for impersonation to succeed.
Additionally, impersonation is only supported via ODBC/JDBC.
EXECUTE AS
During a SQL session, a user can execute subsequent commands as another user.
Note
This command is only available through KiSQL or database clients configured with the Kinetica ODBC/JDBC driver.
|
|
The WITH NO REVERT option prevents the impersonated user from switching back to the original user. This is useful in several cases, including:
- An administrator needs to run a script as a user with specific permissions, but doesn't want the script to be able to revert back to administrator privileges during its execution.
- An application server connects to the database with its own credentials, but issues commands to the database on behalf of an application user. Again, there is a need to prevent the application user from reverting back to the application server's database account and using those privileges to execute commands.
Example
To demonstrate the uses of EXECUTE AS USER, the following commands can be issued upon logging into the database as an administrator.
First, verify the current user is admin:
|
|
|
|
Then, switch to a user auser and verify the session is now executing commands as that user:
|
|
|
|
|
|
Accessing a database object that auser has permission for results in a successful outcome:
|
|
|
|
Accessing an object that auser doesn't have permission for results in an error:
|
|
|
|
To switch back to the original user and verify the current identity, use the REVERT command:
|
|
|
|
|
|
Now, switch to auser using the WITH NO REVERT option:
|
|
|
|
|
|
Attempts to switch back to the administrator user will fail:
|
|
|
|
Verify the session is still executing commands as the auser user:
|
|
|
|
REVERT
After using EXECUTE AS or SET USER to switch to another user, the original user can be switched back to using the following command:
Note
This command is only available through KiSQL or database clients configured with the Kinetica ODBC/JDBC driver.
|
|
See the EXECUTE AS example for an example usage of REVERT.
SET USER
The SET USER (or SETUSER) command is simply an alias for the EXECUTE AS and REVERT commands.
Note
This command is only available through KiSQL or database clients configured with the Kinetica ODBC/JDBC driver.
The following commands are equivalent for switching to another user:
|
|
Important
There is no ability to prevent reversion to the original user when using the SET USER command. To prevent reversion, see EXECUTE AS.
The following commands are equivalent for switching back to the original user:
|
|