Role Based Access Control


ByteHouse enforces permission control at a role level. Every ByteHouse user can have one or more assigned role.

Go to User Management—> Roles to view all roles that are available under your account.

Active role

When using ByteHouse, choose an ‘Active role’, and the permissions assigned will restrict all your activity to this Active Role.

By choosing a different active role from your avatar dropdown, you will switch to a different permission space for that role. Your view of the web console may vary according to that permission space as well.

By default, a Public role, represented by an asterisk mark "*" is assigned to all users under an account. This is also the default role after a new user is created.

Web Console
The panel to switch active role on the ByteHouse console is shown below:


You can change your Default Role to any role that you are assigned on your Account Details page. The default role is the active role in the web console every time you log into ByteHouse.

CLI access

When accessing ByteHouse using CLI:

  • Switch active role:
SET ROLE "Role Name A";

-- or --

  • Change default role:

-- or --


Assign roles

You can assign a role to users on the role management page. Search for a username in the role details page as shown below, and then click the “+” sign beside the username for assignment.

-- Assign and revoke roles

GRANT ROLE somerole TO USER someuser
REVOKE ROLE somerole FROM USER someuser

Role hierarchy

Roles are managed hierarchically in ByteHouse. ParentRole will "inherit" all permissions coming from its direct child or indirect child (grandchild) roles.
In the example below, GrandchildRole1 is granted the "Create Database" permission, and ChildRoleB is granted the "Query TableOne" permission. Because of the role hierarchy:

  • ParentRole, ChildRoleA, and GrandchildRole can "Create Database"
  • ParentRole and ChildRoleB can "Query TableOne"

Predefined roles

There are 6 predefined roles in ByteHouse, with corresponding permissions:

  • AccountAdmin is the root role of a ByteHouse account. Users assigned with this role have all privileges/permissions.

  • SecurityAdmin is a direct child role under AccountAdmin. Users with this role will be in charge of all permission or privileges related actions, such as creating new custom roles, deleting a custom role, assigning users to some roles. One exception is that SecurityAdmin can’t grant AccountAdmin role to other users.

  • UserAdmin is a direct child role under the Account Admin. UserAdmin can do everything related to users, namely, CRUD for users.

  • SystemAdmin is a direct child role under the Account Admin. Users with this role will have permissions with regard to all platform resources, such as databases, tables, virtual warehouses, online worksheets, etc.

  • OperationAdmin is a direct child role under AccountAdmin. This role does not have any predefined privileges or permissions. This role is assigned to ByteHouse customer engineers for customer support.

  • PublicRole, as described above, is represented by a asterisk mark "*" in ByteHouse. It is the least privileged role in a ByteHouse account.

Here is what you can see on User Management --> Roles page when you first log into ByteHouse as an "AccountAdmin".


Custom roles

Custom roles can be created on the role management page. All custom roles are either direct child or indirect child (grandchild) of SystemAdmin, and are the direct or indirect parent (grandparent) of PublicRole. An example of a complete role hierarchy is shown below: