Permissions
Permissions are used to manage role-based access and control privileges on entities in the target database. Available grantees (roles) and permissions are managed in CONFIG_ENTITY_PERMISSIONS.
See also:
Usage
Select a ROLE and one or several PERMISSIONS to grant to the role.
Set WITH GRANT OPTION: true if the grantee should be allowed to grant the given permission to others (default: false).
Notes
Check Export SQL/Entity SQL after defining permissions to see the generated DDL.
Google BigQuery pre-mapped permissions
For Google BigQuery, permissions are mapped to the predefined IAM roles described in Google BigQuery predefined roles and permissions.
SELECT permission is mapped to roles/bigquery.dataViewer
INSERT permission is mapped to roles/bigquery.dataEditor
ALL permission is mapped to roles/bigquery.dataOwner
Examples
Precondition
Grantees and permissions have to be defined in CONFIG_ENTITY_PERMISSIONS before they can be used here.
Grant SELECT to READER role in Snowflake
Permission definition:
GRANTEE NAME: READER
PERMISSION 1: SELECT
WITH GRANT OPTION: false
DDL generated by Agile Data Engine:
GRANT SELECT ON pub.F_TRIP TO ROLE READER;
Grant SELECT to READER group in Amazon Redshift
Permission definition:
GRANTEE NAME: READER
PERMISSION 1: SELECT
WITH GRANT OPTION: false
DDL generated by Agile Data Engine:
GRANT SELECT ON pub.F_TRIP TO GROUP READER;
Grant SELECT to READER role in Azure SQL Database and Azure Synapse SQL
Permission definition:
GRANTEE NAME: READER
PERMISSION 1: SELECT
WITH GRANT OPTION: false
DDL generated by Agile Data Engine:
GRANT SELECT ON [pub].[F_TRIP] TO [READER];
Grant SELECT to reader@my_organization.com group in Google BigQuery
Permission definition:
GRANTEE NAME: READER
PERMISSION 1: SELECT
WITH GRANT OPTION: false (this option is not supported in Google BigQuery)
DDL generated by Agile Data Engine:
GRANT `roles/bigquery.dataViewer` ON pub.F_TRIP TO "group:reader@my_organization.com";
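The Notes section recommends checking Export SQL/Entity SQL after defining permissions. The following is an added example, not part of Agile Data Engine or its documentation, that scans exported GRANT statements and lists those granting ALL (or `roles/bigquery.dataOwner`, which the page maps ALL to) or carrying WITH GRANT OPTION. Assumptions: `review_grants` and the last three sample statements are constructed for illustration, and the delegable form is assumed to be the standard SQL suffix `WITH GRANT OPTION`, since the page does not show the DDL generated for that setting.

```python
import re

# Covers only the GRANT shapes shown on this page:
#   GRANT <permissions> ON <entity> TO <grantee> [WITH GRANT OPTION]
# The WITH GRANT OPTION suffix is an assumption (standard SQL form).
GRANT_RE = re.compile(
    r"GRANT\s+(?P<perms>.+?)\s+ON\s+(?P<entity>\S+)\s+TO\s+(?P<grantee>.+?)"
    r"(?P<delegable>\s+WITH\s+GRANT\s+OPTION)?",
    re.IGNORECASE | re.DOTALL,
)
# ALL, and the BigQuery role the page maps ALL to, are treated as broad.
BROAD = {"ALL", "ROLES/BIGQUERY.DATAOWNER"}

def review_grants(ddl):
    """Return (entity, grantee, reasons) for each GRANT that needs a second look."""
    findings = []
    for stmt in ddl.split(";"):
        stmt = stmt.strip()
        if not stmt.upper().startswith("GRANT"):
            continue
        m = GRANT_RE.fullmatch(stmt)
        if m is None:
            # Never skip silently: an unparsed GRANT is still a GRANT.
            findings.append(("?", "?", [f"unrecognised GRANT shape: {stmt}"]))
            continue
        reasons = []
        for perm in m["perms"].split(","):
            raw = perm.strip(" `\n\t")
            # "ALL PRIVILEGES" is treated the same as "ALL".
            if raw and raw.upper().split()[0] in BROAD:
                reasons.append(f"broad permission: {raw}")
        if m["delegable"]:
            reasons.append("WITH GRANT OPTION: grantee can re-grant")
        if reasons:
            findings.append((m["entity"], m["grantee"].strip(), reasons))
    return findings

# Constructed sample: the first four statements are the page's examples,
# the last three are invented for this illustration.
SAMPLE_DDL = '''
GRANT SELECT ON pub.F_TRIP TO ROLE READER;
GRANT SELECT ON pub.F_TRIP TO GROUP READER;
GRANT SELECT ON [pub].[F_TRIP] TO [READER];
GRANT `roles/bigquery.dataViewer` ON pub.F_TRIP TO "group:reader@my_organization.com";
GRANT ALL ON pub.F_TRIP TO ROLE LOADER;
GRANT SELECT ON pub.F_TRIP TO ROLE ANALYST WITH GRANT OPTION;
GRANT `roles/bigquery.dataOwner` ON pub.F_TRIP TO "group:etl@my_organization.com";
'''
```

Calling `review_grants(SAMPLE_DDL)` returns three findings (LOADER, ANALYST and the etl group); the four statements taken from the page pass without findings.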