SQL Reference

Data Control Language (DCL) Statement Reference

In order to assign privileges to users, administrators can use Data Control Language (DCL) statements. You can write and execute DCL statements like any other SQL statements against the  System and databases. DCL statements allow you to quickly and easily grant or revoke privileges from users. DCL statements work off two main concepts: Grants and Revokes. Statements that begin with GRANT give the associated privileges to a user or group. Statements that begin with REVOKE remove those privileges from a user or group.
A full list of privileges can be found in the Ocient Privileges Reference﻿.
Supported DCL SQL statements are:
GRANT PRIVILEGE
REVOKE PRIVILEGE
GRANT ROLE
REVOKE ROLE
Grant Privileges
The GRANT statement grants privileges to a user or group. The privileges that you can grant in the GRANT  statement map to the tables and differ per object. The WITH GRANT OPTION keyword specifies that the grantee can also grant privileges on that object. 
To grant privileges, you must have:
VIEW privileges for the specified user or group being granted new privileges.
SYSAUTH privileges over the system or database object that the specified user or group is being granted privileges on.
Syntax
SQL
GRANT { 
    { CREATE { <systemObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | SYSAUTH | USE | ALL }  
        ON SYSTEM
    | { CREATE { <databaseObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | ALTER | DROP | SYSAUTH | USE | ALL } 
        ON DATABASE database_name
    | { VIEW | ALTER | DROP | SYSAUTH | ALL }                               
        ON { GROUP | USER } object_name
    | { SELECT | DROP | SYSAUTH | ALL }                                     
        ON MLMODEL object_name
    | { VIEW | EXECUTE | ALTER | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE object_name
    | { VIEW | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE FUNCTION object_name
    | { VIEW | SELECT | ALTER | DROP | SYSAUTH | ALL }                      
        ON VIEW object_name
    | { VIEW | SELECT | ALTER | LOAD | DROP | DELETE | SYSAUTH | INSERT | ALL }  
        ON TABLE object_name
    | { VIEW | SELECT | ALL }                                               
        ON TABLE sys.system_catalog_table
 }
    TO { { GROUP | USER } object_name | PUBLIC } [ WITH GRANT OPTION ]

<systemObjects> ::=
    DATABASE | TABLE | VIEW | USER | GROUP
<databaseObjects> ::=
    TABLE | VIEW | MLMODEL | PIPELINE | PIPELINE FUNCTION | USER | GROUP
GRANT { 
    { CREATE { <systemObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | SYSAUTH | USE | ALL }  
        ON SYSTEM
    | { CREATE { <databaseObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | ALTER | DROP | SYSAUTH | USE | ALL } 
        ON DATABASE database_name
    | { VIEW | ALTER | DROP | SYSAUTH | ALL }                               
        ON { GROUP | USER } object_name
    | { SELECT | DROP | SYSAUTH | ALL }                                     
        ON MLMODEL object_name
    | { VIEW | EXECUTE | ALTER | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE object_name
    | { VIEW | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE FUNCTION object_name
    | { VIEW | SELECT | ALTER | DROP | SYSAUTH | ALL }                      
        ON VIEW object_name
    | { VIEW | SELECT | ALTER | LOAD | DROP | DELETE | SYSAUTH | INSERT | ALL }  
        ON TABLE object_name
    | { VIEW | SELECT | ALL }                                               
        ON TABLE sys.system_catalog_table
 }
    TO { { GROUP | USER } object_name | PUBLIC } [ WITH GRANT OPTION ]

<systemObjects> ::=
    DATABASE | TABLE | VIEW | USER | GROUP
<databaseObjects> ::=
    TABLE | VIEW | MLMODEL | PIPELINE | PIPELINE FUNCTION | USER | GROUP
﻿
When you grant any privilege to a user on a system or database object other than the VIEW privilege, the database implicitly grants the VIEW privilege on the specified object to the user, as well as associated object types (e.g., DROP VIEW ON DATABASE also grants VIEW VIEW ON DATABASE and VIEW ON DATABASE).
Examples
Grant Privilege on a Table
This example grants privileges for the SELECT SQL statement on a table to a trusted group.
SQL
GRANT SELECT ON TABLE company_data TO GROUP trusted_employees;
GRANT SELECT ON TABLE company_data TO GROUP trusted_employees;
﻿
Grant Privilege on a Database
This example grants the SELECT privilege for all tables and views on the database_name database to a trusted group.
SQL
GRANT SELECT ON DATABASE database_name TO GROUP trusted_employees;
GRANT SELECT ON DATABASE database_name TO GROUP trusted_employees;
﻿
Grant Privilege on the System
This example grants the SELECT privilege for all tables and views on all databases in the system to a trusted group.
SQL
GRANT SELECT ON SYSTEM TO GROUP trusted_employees;
GRANT SELECT ON SYSTEM TO GROUP trusted_employees;
﻿
For examples of granting privileges for individual users, see Grant Role Membership﻿.
Revoke Privileges
The REVOKE statement revokes privileges from a user or group. 
To revoke privileges, you must have:
VIEW privileges for the specified user or group having their privileges revoked.
SYSAUTH privileges over the system or database object that the specified user or group is having their privileges revoked from.
SQL
REVOKE [ GRANT OPTION FOR ] {  
    { CREATE { <systemObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | SYSAUTH | USE | ALL }  
        ON SYSTEM
    | { CREATE { <databaseObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | ALTER | DROP | SYSAUTH | USE | ALL } 
        ON DATABASE database_name
    | { VIEW | ALTER | DROP | SYSAUTH | ALL }                               
        ON { GROUP | USER } object_name
    | { SELECT | DROP | SYSAUTH | ALL }                                     
        ON MLMODEL object_name
    | { VIEW | EXECUTE | ALTER | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE object_name
    | { VIEW | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE FUNCTION object_name
    | { VIEW | SELECT | ALTER | DROP | SYSAUTH | ALL }                      
        ON VIEW object_name
    | { VIEW | SELECT | ALTER | LOAD | DROP | DELETE 
        | SYSAUTH | INSERT | ALL }    
        ON TABLE object_name
    | { VIEW | SELECT | ALL }                                               
        ON TABLE sys.system_catalog_table
  }
    FROM { [ USER | GROUP ] object_name | PUBLIC }

<systemObjects> ::=
    DATABASE | TABLE | VIEW | USER | GROUP 
<databaseObjects> ::=
    TABLE | VIEW | MLMODEL | PIPELINE | PIPELINE FUNCTION | USER | GROUP
REVOKE [ GRANT OPTION FOR ] {  
    { CREATE { <systemObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | SYSAUTH | USE | ALL }  
        ON SYSTEM
    | { CREATE { <databaseObjects> } | VIEW { TABLE | VIEW } 
        | ALTER { TABLE | VIEW } 
        | DROP { TABLE | VIEW } 
        | SELECT | ALTER | DROP | SYSAUTH | USE | ALL } 
        ON DATABASE database_name
    | { VIEW | ALTER | DROP | SYSAUTH | ALL }                               
        ON { GROUP | USER } object_name
    | { SELECT | DROP | SYSAUTH | ALL }                                     
        ON MLMODEL object_name
    | { VIEW | EXECUTE | ALTER | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE object_name
    | { VIEW | DROP | SYSAUTH | ALL }                                     
        ON PIPELINE FUNCTION object_name
    | { VIEW | SELECT | ALTER | DROP | SYSAUTH | ALL }                      
        ON VIEW object_name
    | { VIEW | SELECT | ALTER | LOAD | DROP | DELETE 
        | SYSAUTH | INSERT | ALL }    
        ON TABLE object_name
    | { VIEW | SELECT | ALL }                                               
        ON TABLE sys.system_catalog_table
  }
    FROM { [ USER | GROUP ] object_name | PUBLIC }

<systemObjects> ::=
    DATABASE | TABLE | VIEW | USER | GROUP 
<databaseObjects> ::=
    TABLE | VIEW | MLMODEL | PIPELINE | PIPELINE FUNCTION | USER | GROUP
﻿
When you revoke the VIEW privilege on a system or database object, the database implicitly revokes all privileges on the specified object from the user.
If you revoke the VIEW privilege on an associated object type, the system revokes the privileges for that object type. For example, grant the DROP TABLE privilege to the user by using the GRANT DROP TABLE ON DATABASE SQL statement. Due to implicit granting by the system, this action causes the user to have DROP TABLE, VIEW TABLE, and VIEW privileges. If you revoke the VIEW TABLE privilege using the REVOKE VIEW TABLE ON DATABASE SQL statement, then the system revokes the privileges for the associated type. In this case, the user only retains the VIEW privilege on the database.
Example
This example revokes the SELECT privilege on a table from an untrusted group.
SQL
REVOKE SELECT ON TABLE company_data FROM GROUP untrusted;
REVOKE SELECT ON TABLE company_data FROM GROUP untrusted;
﻿
For examples of revoking privileges for individual users, see Revoking Role Membership﻿.
Ocient Privileges Reference
These tables describe the privilege options on each object in Ocient and the allowed privileges.
As of version 23.0, Ocient DCL has replaced the TRUNCATE privilege with the DELETE privilege. 
Any TRUNCATE privileges, whether manually granted or assigned as part of a user role, should automatically convert to DELETE privileges following a system upgrade to version 23.0 or later. 
Ocient System Privileges
Privilege
Description
CREATE [ DATABASE, USER, GROUP]
The privilege to create the specified object type. On creation, the creating user inherits all privileges on the object. In the case of the DATABASE object, this is enforced by granting the creating user the newly created database administrator role as described in the Roles section.
CREATE [TABLE, VIEW]
The privilege to create the specified object type on any database where the user can connect. On creation, the creating user inherits all privileges on the object. In order to apply the privilege, the user has to be connected to a user-defined database.
DROP [TABLE, VIEW]
The privilege to drop the specified object type on any database where the user can connect. In order to apply the privilege, the user has to be connected to a user-defined database.
ALTER [TABLE, VIEW]
The privilege to modify the specified object type on any database where the user can connect. In order to apply the privilege, the user has to be connected to a user-defined database.
VIEW [TABLE, VIEW]
The privilege to see and read schema information of the specified object type on any database where the user can connect.
SELECT
The privilege to read data on any table or view where the user has the VIEW privilege.
SYSAUTH
The privilege to grant and revoke all privileges on the system.
USE
The ability to connect to the system.
Database Privileges
Privilege
Description
CREATE [TABLE, VIEW, MLMODEL, PIPELINE, PIPELINE FUNCTION, USER, GROUP]
The privilege to create the specified object type. The user that creates the object inherits all privileges on the object.
DROP [TABLE, VIEW]
The privilege to drop the specified object type on this database. 
ALTER [TABLE, VIEW]
The privilege to modify the specified object type on this database.
VIEW [TABLE, VIEW]
The privilege to see and read schema information of the specified object type on this database.
SELECT
The privilege to read data on any table or view, where the user has the VIEW privilege, in the database.
USE
Ability to connect to the database. Users created in this database are implicitly granted this privilege.
ALTER
The ability to issue ALTER DATABASE statements on this database.
DROP
The ability to drop this database.
SYSAUTH
The ability to grant and revoke all privileges on the database.
View Privileges
Privilege
Description
VIEW
Ability to see and read schema information about the view.
SELECT
Ability to read data from the view.
ALTER
Ability to modify the view.
DROP
Ability to drop the view.
SYSAUTH
Ability to grant privileges on the view.
Table Privileges
Privilege
Description
VIEW
Ability to see and read schema information about the table.
SELECT
Ability to read data from the table.
ALTER
Ability to modify the table.
LOAD
Ability to load data into the table.
DROP
Ability to drop the table.
DELETE
Ability to delete and truncate the table.
SYSAUTH
Ability to grant and revoke privileges on the table.
INSERT
Ability to insert data into the table.
Machine Learning Model Privileges
Privilege
Description
ALTER
Ability to rename the model.
SELECT
Ability to read data and descriptive data from the model.
DROP
Ability to drop the model.
SYSAUTH
Ability to grant and revoke privileges on the model.
Data Pipeline Privileges
Privilege
Description
VIEW
See and read information schema about a pipeline.
EXECUTE
Start and stop the execution of a pipeline.
ALTER
Rename and replace a pipeline.
DROP
Drop a pipeline.
SYSAUTH
Grant and revoke privileges on a pipeline.
Data Pipeline Function Privileges
Privilege
Description
VIEW
See and read information schema about a data pipeline function in system catalog tables.
DROP
Drop a data pipeline function.
SYSAUTH
Grant and revoke privileges on a data pipeline function.
User Privileges
Privilege
Description
VIEW
Ability to read information about the user.
ALTER
Ability to modify the user.
DROP
Ability to drop the user.
SYSAUTH
Ability to grant rights and revoke privileges on the user.
Group Privileges
Privilege
Description
VIEW
Ability to read information about the group.
ALTER
Ability to alter the group.
DROP
Ability to drop the group.
SYSAUTH
Ability to grant privileges on the group.
The System Catalog and Object or View Visibility
The sys.privileges table in the system catalog exposes the privileges in the system. This table displays this information:
Timestamp of the grant
Grantor
Grantee
Privilege granted
Object type
Object id
Grantable
You can grant and revoke System Catalog VIEW and SELECT privileges just like ordinary tables. By default, everyone has VIEW and SELECT privileges on all system catalog tables.
You can see the objects within the system catalog tables only if you have sufficient privileges on those objects. These objects require a VIEW or SELECT privilege or membership in a group or role to provide visibility. When you execute queries against a system catalog table, you do not see nor know the existence of the objects to which you do not have access.
Views offer a similar functionality because the database does not check privileges to the underlying tables and views after you create a view. You can create a table with sensitive information and restrict visibility by creating a view on top of the table with only certain rows or columns. Someone else with the SELECT privilege to the view can query the view, even without any privileges to the underlying table.
Roles
Similar to groups, users can inherit privileges by being granted one of the predefined roles in Ocient. The names of and privileges assigned to roles in Ocient are predefined by the system. Roles can be applicable to the Ocient System or one of the user-defined databases. The roles in Ocient are as follows:
System Roles
Security Administrator — Can read, create, and modify all users and groups.
System Administrator — Can read, create, and modify system objects such as tables, clusters, databases, etc. Can see and delete any queries system-wide.
System Analyst — Read-only access to the entire system. Can see all queries in the system.
Database Roles
Database Administrator — Can read, create, and modify database objects such as tables, clusters, databases, etc. This role can also create users for the database. Can see and delete all queries in the database.
Database Analyst — Read-only rights to database objects and data within the database. Can see all queries in the database.
For specifics on each Ocient role, see Default Role Privileges﻿. 
Grant Role Membership
Grants a role to a user or group.
Syntax
SQL
GRANT ROLE role_name TO { USER | GROUP } user_or_group_name
GRANT ROLE role_name TO { USER | GROUP } user_or_group_name
﻿
Parameter
Data Type
Description
role_name
string
The name of a role to be granted to the specified user or group. 
Enclose this string in quotes. 
user_or_group_name
string
The name of a user or group to be granted the specified role. 
Example
This example grants user1 the system administrator role.
SQL
GRANT ROLE "System Administrator" TO USER user1;
GRANT ROLE "System Administrator" TO USER user1;
﻿
Revoke Role Membership
Revokes a role from a user or group. 
Syntax
SQL
REVOKE ROLE role_name FROM { USER | GROUP } user_or_group_name
REVOKE ROLE role_name FROM { USER | GROUP } user_or_group_name
﻿
Parameter
Data Type
Description
role_name
string
The name of a role to be revoked for the specified user or group. 
Enclose this string in quotes. 
user_or_group_name
string
The name of a user or group to have the specified role revoked. 
Example
This example revokes the system administrator role from user1.
SQL
REVOKE ROLE "System Administrator" FROM USER user1;
REVOKE ROLE "System Administrator" FROM USER user1;
﻿
Default Role Privileges
Security Administrator Privileges 
Target 
Privileges 
System 
SYSAUTH, CREATE [ USER ] 
Database 
SYSAUTH, CREATE [ USER, GROUP ] 
View 
SYSAUTH 
Table 
SYSAUTH 
Machine Learning Model 
SYSAUTH 
Data Pipeline
SYSAUTH
Data Pipeline Function 
SYSAUTH 
User 
VIEW, ALTER, DROP, SYSAUTH 
Group 
VIEW, ALTER, DROP, SYSAUTH 
System Administrator Privileges 
Target 
Privileges 
System 
USE, CREATE [ DATABASE, USER ] 
Database 
USE
ALTER
DROP
CREATE [ TABLE, VIEW, MLMODEL, USER, GROUP, PIPELINE, PIPELINE FUNCTION ] 
View 
VIEW, SELECT, ALTER, DROP 
Table 
VIEW, SELECT, ALTER, LOAD, DROP, DELETE, INSERT 
Machine Learning Model 
SELECT, DROP 
Data Pipeline
VIEW, EXECUTE, ALTER, DROP
Data Pipeline Function 
VIEW, DROP
User 
VIEW, ALTER, DROP 
Group 
VIEW, ALTER, DROP 
System Analyst Privileges 
Target 
Privileges 
System 
USE 
Database 
USE 
View 
VIEW, SELECT 
Table 
VIEW, SELECT 
Machine Learning Model 
SELECT 
Data Pipeline
VIEW
Data Pipeline Function 
VIEW 
User 
VIEW 
Group 
VIEW 
Database Administrator Privileges 
Target 
Privileges 
Database 
USE
ALTER
DROP
CREATE [ TABLE, VIEW, MLMODEL, USER, GROUP, PIPELINE, PIPELINE FUNCTION ]
SYSAUTH 
View 
VIEW, SELECT, ALTER, DROP, SYSAUTH 
Table 
VIEW, SELECT, ALTER, LOAD, DROP, DELETE, INSERT, SYSAUTH 
Machine Learning Model 
SELECT, DROP, SYSAUTH 
Data Pipeline
VIEW, EXECUTE, ALTER, DROP, SYSAUTH
Data Pipeline Function 
VIEW, DROP, SYSAUTH
User 
VIEW, ALTER, DROP, SYSAUTH 
Group 
VIEW, ALTER, DROP, SYSAUTH 
Database Analyst Privileges 
Target 
Privileges 
Database 
USE 
View 
VIEW, SELECT 
Table 
VIEW, SELECT, LOAD, DELETE, INSERT 
Machine Learning Model 
SELECT 
Data Pipeline
VIEW
Data Pipeline Function
VIEW
User 
VIEW 
Group 
VIEW 
Query Visibility
The visibility of queries depends on which database you are logged into and your system role.
Visibility by Role
Users with no additional role privileges can view only queries that they submit themselves. 
Users with granted roles have extra visibility to see queries from any user, either for the entire system or individual databases. This table summarizes the roles that have query privileges. 
Role
Query Visibility
System Administrator
Can see and delete any queries system-wide.
System Analyst
Can see all queries in the system.
Database Administrator
Can see and delete all queries in the database.
Database Analyst
Can see all queries in the database.
For an overview of other privileges by role, see Roles﻿.
Login Impacts on Query Visibility
Along with having role privileges, users also must be logged into the appropriate database to view queries:
If the user logs in to the SYSTEM database, the user can see all queries from all databases. 
If the user logs in to a database other than SYSTEM, the user can see queries in only that database.
Related Links
﻿Database Administration﻿﻿
﻿Manage Users, Groups, and Roles﻿﻿
﻿Object-Type Level Privileges Management﻿ 
﻿
﻿

Privilege	Description
CREATE [ DATABASE, USER, GROUP]	The privilege to create the specified object type. On creation, the creating user inherits all privileges on the object. In the case of the DATABASE object, this is enforced by granting the creating user the newly created database administrator role as described in the Roles section.
CREATE [TABLE, VIEW]	The privilege to create the specified object type on any database where the user can connect. On creation, the creating user inherits all privileges on the object. In order to apply the privilege, the user has to be connected to a user-defined database.
DROP [TABLE, VIEW]	The privilege to drop the specified object type on any database where the user can connect. In order to apply the privilege, the user has to be connected to a user-defined database.
ALTER [TABLE, VIEW]	The privilege to modify the specified object type on any database where the user can connect. In order to apply the privilege, the user has to be connected to a user-defined database.
VIEW [TABLE, VIEW]	The privilege to see and read schema information of the specified object type on any database where the user can connect.
SELECT	The privilege to read data on any table or view where the user has the VIEW privilege.
SYSAUTH	The privilege to grant and revoke all privileges on the system.
USE	The ability to connect to the system.

Privilege	Description
CREATE [TABLE, VIEW, MLMODEL, PIPELINE, PIPELINE FUNCTION, USER, GROUP]	The privilege to create the specified object type. The user that creates the object inherits all privileges on the object.
DROP [TABLE, VIEW]	The privilege to drop the specified object type on this database.
ALTER [TABLE, VIEW]	The privilege to modify the specified object type on this database.
VIEW [TABLE, VIEW]	The privilege to see and read schema information of the specified object type on this database.
SELECT	The privilege to read data on any table or view, where the user has the VIEW privilege, in the database.
USE	Ability to connect to the database. Users created in this database are implicitly granted this privilege.
ALTER	The ability to issue ALTER DATABASE statements on this database.
DROP	The ability to drop this database.
SYSAUTH	The ability to grant and revoke all privileges on the database.

Privilege	Description
VIEW	Ability to see and read schema information about the view.
SELECT	Ability to read data from the view.
ALTER	Ability to modify the view.
DROP	Ability to drop the view.
SYSAUTH	Ability to grant privileges on the view.

Privilege	Description
VIEW	Ability to see and read schema information about the table.
SELECT	Ability to read data from the table.
ALTER	Ability to modify the table.
LOAD	Ability to load data into the table.
DROP	Ability to drop the table.
DELETE	Ability to delete and truncate the table.
SYSAUTH	Ability to grant and revoke privileges on the table.
INSERT	Ability to insert data into the table.

Privilege	Description
ALTER	Ability to rename the model.
SELECT	Ability to read data and descriptive data from the model.
DROP	Ability to drop the model.
SYSAUTH	Ability to grant and revoke privileges on the model.

Privilege	Description
VIEW	See and read information schema about a pipeline.
EXECUTE	Start and stop the execution of a pipeline.
ALTER	Rename and replace a pipeline.
DROP	Drop a pipeline.
SYSAUTH	Grant and revoke privileges on a pipeline.

Privilege	Description
VIEW	See and read information schema about a data pipeline function in system catalog tables.
DROP	Drop a data pipeline function.
SYSAUTH	Grant and revoke privileges on a data pipeline function.

Privilege	Description
VIEW	Ability to read information about the user.
ALTER	Ability to modify the user.
DROP	Ability to drop the user.
SYSAUTH	Ability to grant rights and revoke privileges on the user.

Privilege	Description
VIEW	Ability to read information about the group.
ALTER	Ability to alter the group.
DROP	Ability to drop the group.
SYSAUTH	Ability to grant privileges on the group.

Parameter	Data Type	Description
role_name	string	The name of a role to be granted to the specified user or group. Enclose this string in quotes.
user_or_group_name	string	The name of a user or group to be granted the specified role.

Parameter	Data Type	Description
role_name	string	The name of a role to be revoked for the specified user or group. Enclose this string in quotes.
user_or_group_name	string	The name of a user or group to have the specified role revoked.

Target	Privileges
System	SYSAUTH, CREATE [ USER ]
Database	SYSAUTH, CREATE [ USER, GROUP ]
View	SYSAUTH
Table	SYSAUTH
Machine Learning Model	SYSAUTH
Data Pipeline	SYSAUTH
Data Pipeline Function	SYSAUTH
User	VIEW, ALTER, DROP, SYSAUTH
Group	VIEW, ALTER, DROP, SYSAUTH

Target	Privileges
System	USE, CREATE [ DATABASE, USER ]
Database	USE ALTER DROP CREATE [ TABLE, VIEW, MLMODEL, USER, GROUP, PIPELINE, PIPELINE FUNCTION ]
View	VIEW, SELECT, ALTER, DROP
Table	VIEW, SELECT, ALTER, LOAD, DROP, DELETE, INSERT
Machine Learning Model	SELECT, DROP
Data Pipeline	VIEW, EXECUTE, ALTER, DROP
Data Pipeline Function	VIEW, DROP
User	VIEW, ALTER, DROP
Group	VIEW, ALTER, DROP

Target	Privileges
System	USE
Database	USE
View	VIEW, SELECT
Table	VIEW, SELECT
Machine Learning Model	SELECT
Data Pipeline	VIEW
Data Pipeline Function	VIEW
User	VIEW
Group	VIEW

Target	Privileges
Database	USE ALTER DROP CREATE [ TABLE, VIEW, MLMODEL, USER, GROUP, PIPELINE, PIPELINE FUNCTION ] SYSAUTH
View	VIEW, SELECT, ALTER, DROP, SYSAUTH
Table	VIEW, SELECT, ALTER, LOAD, DROP, DELETE, INSERT, SYSAUTH
Machine Learning Model	SELECT, DROP, SYSAUTH
Data Pipeline	VIEW, EXECUTE, ALTER, DROP, SYSAUTH
Data Pipeline Function	VIEW, DROP, SYSAUTH
User	VIEW, ALTER, DROP, SYSAUTH
Group	VIEW, ALTER, DROP, SYSAUTH

Target	Privileges
Database	USE
View	VIEW, SELECT
Table	VIEW, SELECT, LOAD, DELETE, INSERT
Machine Learning Model	SELECT
Data Pipeline	VIEW
Data Pipeline Function	VIEW
User	VIEW
Group	VIEW

Role	Query Visibility
System Administrator	Can see and delete any queries system-wide.
System Analyst	Can see all queries in the system.
Database Administrator	Can see and delete all queries in the database.
Database Analyst	Can see all queries in the database.

Statistics Cache Management

Errors and Warnings