Every action that can be performed in ByteHouse has a related permission defined, for example viewing account resource usage, creating new users, querying data from a table, or loading a large data set into ByteHouse.

Permissions that are resource specific, such as creating tables (related to a database), inserting new data (related to a table), and running virtual warehouses (related to a warehouse), are bound to the particular resource instance or object.

Permissions that are not resource specific, such as creating databases (note that databases are account-level resources), viewing billing status, or creating a new service user, are not bound to any particular object.

Granting Permissions

Permissions can be granted at the role level, as explained above.

Object-Level permissions

For object-level permissions, you need to locate the target resource and manage its permissions from its own permission management panel.
Take a database as an example:
Find the permission management entry point in the detailed view of the database:

You can either:

  1. Grant permissions to a role that previously had no permissions on it, as shown in label 1.

  2. Edit the permissions of roles that already have some permissions granted, as shown in label 2.

Label 3 is a special option when granting permissions: with the option checked, the role that is granted the permissions is able to regrant the same permissions to other roles.


Note that permissions that are default to system predefined roles, and permissions that are inherited from child roles, are not modifiable.

Non-Object-Level permissions

Non-object-level permissions can be granted or revoked from the role management page. Currently, only 4 such permissions are open to be granted, as shown below.