diff --git a/docs/en/guides/56-security/access-control/01-privileges.md b/docs/en/guides/56-security/access-control/01-privileges.md index 8a6dee0243..651af930a1 100644 --- a/docs/en/guides/56-security/access-control/01-privileges.md +++ b/docs/en/guides/56-security/access-control/01-privileges.md 
@@ -104,46 +104,49 @@ Databend offers a range of privileges that allow you to exercise fine-grained co ### All Privileges -| Privilege | Object Type | Description | -|:-----------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------| -| ALL | All | Grants all the privileges for the specified object type. | -| ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. | -| CREATE | Global, Table | Creates a table or UDF. | -| CREATE DATABASE | Global | Creates a database or UDF. | -| CREATE WAREHOUSE | Global | Creates a warehouse. | -| DELETE | Table | Deletes or truncates rows in a table. | -| DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. | -| INSERT | Table | Inserts rows into a table. | -| SELECT | Database, Table | Selects rows from a table. Shows or uses a database. | -| UPDATE | Table | Updates rows in a table. | -| GRANT | Global | Grants / revokes privileges to / from a user or role. | -| SUPER | Global, Table | Kills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage(Lists stages. Creates, Drops a stage), catalog or share. | -| USAGE | Global | Synonym for “no privileges”. | -| CREATE ROLE | Global | Creates a role. | -| DROP ROLE | Global | Drops a role. | -| CREATE USER | Global | Creates a SQL user. | -| DROP USER | Global | Drops a SQL user. | -| WRITE | Stage | Write into a stage. | -| READ | Stage | Read a stage. | -| USAGE | UDF | Use udf. | +| Privilege | Object Type | Description | +|:------------------|:------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------| +| ALL | All | Grants all the privileges for the specified object type. 
| +| ALTER | Global, Database, Table, View | Alters a database, table, user or UDF. | +| CREATE | Global, Table | Creates a table or UDF. | +| CREATE DATABASE | Global | Creates a database or UDF. | +| CREATE WAREHOUSE | Global | Creates a warehouse. | +| CREATE CONNECTION | Global | Creates a connection. | +| DELETE | Table | Deletes or truncates rows in a table. | +| DROP | Global, Database, Table, View | Drops a database, table, view or UDF. Undrops a table. | +| INSERT | Table | Inserts rows into a table. | +| SELECT | Database, Table | Selects rows from a table. Shows or uses a database. | +| UPDATE | Table | Updates rows in a table. | +| GRANT | Global | Grants / revokes privileges to / from a user or role. | +| SUPER | Global, Table | Kills a query. Sets global configs. Optimizes a table. Analyzes a table. Operates a stage(Lists stages. Creates, Drops a stage), catalog or share. | +| USAGE | Global | Synonym for “no privileges”. | +| CREATE ROLE | Global | Creates a role. | +| DROP ROLE | Global | Drops a role. | +| CREATE USER | Global | Creates a SQL user. | +| DROP USER | Global | Drops a SQL user. | +| WRITE | Stage | Write into a stage. | +| READ | Stage | Read a stage. | +| USAGE | UDF | Use udf. | +| ACCESS CONNECTION | CONNECTION | Access connection. | ### Global Privileges -| Privilege | Description | -|:-----------------|:------------------------------------------------------------------------------------------------------------------| -| ALL | Grants all the privileges for the specified object type. | -| ALTER | Adds or drops a table column. Alters a cluster key. Re-clusters a table. | -| CREATEROLE | Creates a role. | -| CREAT DATABASE | Creates a DATABASE. | -| CREATE WAREHOUSE | Creates a WAREHOUSE. | -| DROPUSER | Drops a user. | -| CREATEUSER | Creates a user. | -| DROPROLE | Drops a role. | -| SUPER | Kills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage. 
| -| USAGE | Connects to a databend query only. | -| CREATE | Creates a UDF. | -| DROP | Drops a UDF. | -| ALTER | Alters a UDF. Alters a SQL user. | +| Privilege | Description | +|:------------------|:------------------------------------------------------------------------------------------------------------------| +| ALL | Grants all the privileges for the specified object type. | +| ALTER | Adds or drops a table column. Alters a cluster key. Re-clusters a table. | +| CREATEROLE | Creates a role. | +| CREAT DATABASE | Creates a DATABASE. | +| CREATE WAREHOUSE | Creates a WAREHOUSE. | +| CREATE CONNECTION | Creates a CONNECTION. | +| DROPUSER | Drops a user. | +| CREATEUSER | Creates a user. | +| DROPROLE | Drops a role. | +| SUPER | Kills a query. Sets or unsets a setting. Operates a stage, catalog or share. Calls a function. COPY INTO a stage. | +| USAGE | Connects to a databend query only. | +| CREATE | Creates a UDF. | +| DROP | Drops a UDF. | +| ALTER | Alters a UDF. Alters a SQL user. | ### Table Privileges @@ -224,3 +227,11 @@ Please note that you can use the [USE DATABASE](/sql/sql-commands/ddl/database/d |:----------|:---------------------------------------------------------| | SUPER | SHOW CREATE catalog. Creates or drops a catalog. | | ALL | Grants all the privileges for the specified object type. | + +### Connection Privileges + +| Privilege | Description | +|:------------------|:-------------------------------------------------------------------------------------------------------------------| +| Access Connection | Can access Connection. | +| ALL | Grants Access Connection privileges for the specified object type. | +| OWNERSHIP | Grants full control over a Connection. Only a single role can hold this privilege on a specific object at a time. | diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/05-view/ddl-create-view.md b/docs/en/sql-reference/10-sql-commands/00-ddl/05-view/ddl-create-view.md index 159804387d..b717e296ce 100644 
--- a/docs/en/sql-reference/10-sql-commands/00-ddl/05-view/ddl-create-view.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/05-view/ddl-create-view.md @@ -31,6 +31,12 @@ So, if you delete the table which the view depends on, it occurs an error that t CREATE [ OR REPLACE ] VIEW [ IF NOT EXISTS ] [ db. ]view_name [ (, ...) ] AS SELECT query ``` +## Access control requirements + +To access a view, users only require the SELECT privilege on the view itself. + +Separate permissions are not required on the view’s underlying tables. This mechanism simplifies access control and enhances data security. + ## Examples ```sql diff --git a/docs/en/sql-reference/10-sql-commands/00-ddl/13-connection/create-connection.md b/docs/en/sql-reference/10-sql-commands/00-ddl/13-connection/create-connection.md index 81f147c53c..5539629e89 100644 --- a/docs/en/sql-reference/10-sql-commands/00-ddl/13-connection/create-connection.md +++ b/docs/en/sql-reference/10-sql-commands/00-ddl/13-connection/create-connection.md @@ -4,7 +4,7 @@ sidebar_position: 1 --- import FunctionDescription from '@site/src/components/FunctionDescription'; - + Creates a connection to external storage. 
@@ -62,6 +62,25 @@ CREATE CONNECTION | ROLE_ARN | The Amazon Resource Name (ARN) of the IAM role that Databend will assume to access your S3 resources. | +## Access control requirements + +| Privilege | Object Type | Description | +|:------------------|:------------|:----------------------| +| CREATE CONNECTION | Global | Creates a connection. | + + +To create a connection, the user performing the operation or the [current_role](/guides/security/access-control/roles) must have the CREATE CONNECTION [privilege](/guides/security/access-control/privileges). + +:::note + +The enable_experimental_connection_rbac_check settings governs connection-level access control. It is disabled by default. +Connection creation solely requires the user to possess superuser privileges, bypassing detailed RBAC checks. +When enabled, granular permission verification is enforced during connection establishment. + +This is an experimental feature and may be enabled by default in the future. + +::: + ## Examples ### Using Access Keys
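Review bot: In the 01-privileges.md hunk the new ACCESS CONNECTION row of the "All Privileges" table gives the object type as `CONNECTION` in upper case, while every other row uses title case (`Stage`, `UDF`), and the new "Connection Privileges" section then names the same privilege `Access Connection`; pick one spelling (the `ACCESS CONNECTION` form used in the first table matches the `CREATE CONNECTION` row) and use it in all three places. Since the whole "Global Privileges" table is being rewritten anyway, the pre-existing `CREAT DATABASE` typo in that table should be corrected to `CREATE DATABASE` in the same change. The description `Access connection.` also says nothing about which operations the privilege gates; readers deciding what to grant need the statements that require it listed, as the other rows do.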
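Review bot: In the ddl-create-view.md hunk the new "Access control requirements" section states that SELECT on the view is sufficient and that no privileges are needed on the underlying tables, but it does not say what the view's creator must hold on those tables when the view is defined. Without that, a reader cannot tell whether a user with no access to a table could expose its rows to others by creating a view over it, which is the question an administrator granting view privileges will ask. Add one sentence stating the privilege required on the base tables at `CREATE VIEW` time (or that ownership of the view carries the access), and consider dropping the unsupported "enhances data security" claim, since the mechanism delegates table access through the view rather than reducing it.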
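Review bot: In the first create-connection.md hunk (around line 4) a line directly below `import FunctionDescription from '@site/src/components/FunctionDescription';` is removed and replaced with an empty line. If the removed line was the only use of that component, the import is now unused and should be removed with it; if the component use was meant to stay, the removal looks accidental and should be reverted.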
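Review bot: In the second create-connection.md hunk (around line 62) the note contradicts the sentence above it: the body says the user or current role "must have the CREATE CONNECTION privilege", while the note says the check is disabled by default and creation "solely requires the user to possess superuser privileges". State the condition explicitly, e.g. `When the setting is disabled (the default), creating a connection requires superuser privileges and the CREATE CONNECTION privilege is not checked.` and `When it is enabled, the CREATE CONNECTION privilege described above is enforced.` Also fix `settings governs` to `setting governs`, and remove one of the two consecutive blank lines after the privilege table.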