Version: Latest-3.5

Built-in Roles supported by StarRocks

A StarRocks cluster has five built-in roles:

  • db_admin
  • cluster_admin
  • user_admin
  • security_admin
  • public

Each admin role is granted a different set of privileges so that it can perform administrative operations in its own domain. By default, the public role has no privileges and is granted to every user that can access the cluster.

For details of the privileges described below, see Privilege Item.

db_admin

db_admin is the built-in database administrator. It has all data-related privileges and some basic privileges on operations and maintenance.

  • Focused on management of databases and data
  • Unavailable for user or cluster management
  • Immutable role

Privilege scope:

Privilege Level | Privilege Item
SYSTEM
  • CREATE RESOURCE
  • PLUGIN
  • FILE
  • BLACKLIST
  • OPERATE
  • CREATE EXTERNAL CATALOG
  • REPOSITORY
  • CREATE RESOURCE GROUP
  • CREATE GLOBAL FUNCTION
  • CREATE STORAGE VOLUME
  • SECURITY
CATALOG
  • USAGE
  • DROP
  • ALTER
  • CREATE DATABASE
DATABASE
  • DROP
  • ALTER
  • CREATE TABLE
  • CREATE VIEW
  • CREATE MATERIALIZED VIEW
  • CREATE FUNCTION
  • CREATE PIPE
  • CREATE MASKING POLICY
  • CREATE ROW ACCESS POLICY
TABLE
  • DROP
  • ALTER
  • INSERT
  • UPDATE
  • DELETE
  • SELECT
  • EXPORT
VIEW
  • DROP
  • ALTER
  • SELECT
MATERIALIZED VIEW
  • DROP
  • ALTER
  • SELECT
  • REFRESH
RESOURCE
  • USAGE
  • DROP
  • ALTER
RESOURCE GROUP
  • DROP
  • ALTER
FUNCTION
  • USAGE
  • DROP
GLOBAL FUNCTION
  • USAGE
  • DROP
STORAGE VOLUME
  • USAGE
  • DROP
  • ALTER
PIPE
  • USAGE
  • DROP
  • ALTER

cluster_admin

cluster_admin is the built-in cluster administrator.

  • Focused on management of cluster infrastructure
  • Granted with privileges on node management
  • Immutable role

Privilege scope:

Privilege Level | Privilege Item
SYSTEM
  • NODE

user_admin

user_admin is the built-in user administrator. It can be used to manage users, roles, and authorization.

  • Focused on management of users and privileges
  • Able to create, alter, and drop users
  • Able to grant or revoke privileges or roles
  • Immutable role

Privilege scope:

Privilege Level | Privilege Item
SYSTEM
  • GRANT

security_admin

security_admin is the built-in security administrator. It can be used to manage security integrations and group providers.

  • Focused on management of system security
  • Able to manage security-related configurations and strategies
  • Immutable role

Privilege scope:

Privilege Level | Privilege Item
SYSTEM
  • SECURITY
  • OPERATE

public

public is the built-in role that is granted to every user that can access the cluster. By default, it has no privileges.

  • Automatically granted to all cluster users and activated for them
  • Mutable role. You can grant privileges or roles to this role if you want to grant them to all cluster users.
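
The following is an added example, not part of the StarRocks documentation: it assigns one built-in admin role per account and audits the mutable public role, since anything granted to public is held by every user. The account names, the sales.orders table and the sales_reader role are constructed placeholders, and the accounts are assumed to exist already.

```sql
-- Constructed placeholder accounts, assumed to exist already:
--   dba_alice, ops_bob, iam_carol, sec_dave, analyst_erin

-- 1. Grant one built-in admin role per account, matching each role's domain.
GRANT db_admin       TO USER 'dba_alice'@'%';   -- databases and data
GRANT cluster_admin  TO USER 'ops_bob'@'%';     -- node management (SYSTEM NODE)
GRANT user_admin     TO USER 'iam_carol'@'%';   -- users, roles, authorization (SYSTEM GRANT)
GRANT security_admin TO USER 'sec_dave'@'%';    -- security integrations, group providers

-- 2. Only public is activated automatically. Make the admin role the
--    account's default role so it is active when the user logs in.
SET DEFAULT ROLE db_admin TO 'dba_alice'@'%';

-- 3. Review what an account and a built-in role actually hold.
SHOW GRANTS FOR 'dba_alice'@'%';
SHOW GRANTS FOR ROLE db_admin;

-- 4. Audit the public role. By default it has no privileges, so every
--    privilege or role listed here was added later and applies to all users.
SHOW GRANTS FOR ROLE public;

-- 5. If the audit shows a grant that should not be cluster-wide
--    (constructed case: SELECT on sales.orders), move it from public
--    to a dedicated custom role and grant that role only where needed.
REVOKE SELECT ON TABLE sales.orders FROM ROLE public;
CREATE ROLE sales_reader;
GRANT SELECT ON TABLE sales.orders TO ROLE sales_reader;
GRANT sales_reader TO USER 'analyst_erin'@'%';

-- 6. Confirm that public is empty again.
SHOW GRANTS FOR ROLE public;
```

Run these statements from an account that holds user_admin, because granting and revoking roles and privileges requires the SYSTEM-level GRANT privilege.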