getUserAccess
Syntax
getUserAccess([userIds], [finalAccess=false])
Details
This function returns privileges for specific users.
When userId is not specified, it returns the privileges for the current user.
When userId is specified (only by administrators):
-
If finalAccess = false, the obtained access is the explicit privileges applied to the user.
-
If finalAccess = true, the obtained access is the privileges that ultimately take effect.
Parameters
userId (optional) is a STRING scalar/vector indicating one or multiple user names.
finalAccess (optional) is a Boolean value that specifies whether the obtained result is the privileges that ultimately take effect, i.e., the privileges for both the user and the groups the user belongs to are taken into account. The default value is false.
Returns
A table with the following columns:
| Column | Description |
|---|---|
| userId | The user name |
| groups | The group to which the user belongs |
| isAdmin | Whether the user is an administrator |
| MAX_JOB_PRIORITY | An integer between 0 and 8
indicating the highest priority of the jobs submitted by the user.
It is specified by the command
setMaxJobPriority. |
| MAX_PARALLELISM | An integer indicating the maximum
number of tasks that can be executed in parallel for a job submitted
by the user. It is specified by the command
setMaxJobParallelism. |
| QUERY_RESULT_MEM_LIMIT | The memory limit for a query result.
It is a floating-point number indicating memory usage (in GB). You
can use grant to set the limit and
revoke to remove. |
| TASK_GROUP_MEM_LIMIT | The memory limit of a task group. It
is a floating-point number indicating memory usage in GB. You can
use grant to set the limit and
revoke to remove. |
| MAX_PARTITION_NUM_PER_QUERY | The maximum number of partitions that can be queried
at one time. It is an integer and a value of -1 indicates that this
privilege is not configured. You can use grant to
set the limit and revoke to remove. |
The following privileges are listed with permission state "allow" / "none" / "deny":
ACCESS_READ, ACCESS_INSERT, ACCESS_UPDATE, ACCESS_DELETE, VIEW_EXEC, SCRIPT_EXEC,
TEST_EXEC, DBOBJ_CREATE, DBOBJ_DELETE, DB_MANAGE, DB_OWNER, VIEW_OWNER,
COMPUTE_GROUP_EXEC, TABLE_SENSITIVE_VIEW, DB_SENSITIVE_VIEW, CREATE_SHARED_VARS, MCP_MANAGE, MCP_DEVELOP, MCP_EXEC, ORCA_MANAGE,
ORCA_GRAPH_CONTROL, ORCA_GRAPH_CREATE, ORCA_GRAPH_DROP, ORCA_TABLE_READ,
ORCA_TABLE_WRITE, ORCA_TABLE_CREATE, ORCA_TABLE_DROP,
ORCA_ENGINE_MANAGE.
Note:
- Since version 3.00.5, privileges for Orca graphs and stream tables returned.
- Since version 3.00.2, compute group privileges are returned.
- Since version 3.00.0, catalog privileges are returned.
- Version 1.30.21/2.00.9 onwards extends privileges at the table level. The original TABLE_WRITE field is now replaced with fields TABLE_INSERT, TABLE_UPDATE, and TABLE_DELETE.
- As the DB_READ, DB_WRITE, DB_INSERT, DB_UPDATE, and DB_DELETE privileges apply to tables in databases, only table-level privileges are returned.
The remaining columns in the table display the specific objects (tables, views or
databases) that the user is granted/denied access to:
| objs |
|---|
| TABLE_READ_allowed |
| TABLE_READ_denied |
| TABLE_INSERT_allowed |
| TABLE_INSERT_denied |
| TABLE_UPDATE_allowed |
| TABLE_UPDATE_denied |
| TABLE_DELETE_allowed |
| TABLE_DELETE_denied |
| DB_READ_allowed |
| DB_READ_denied |
| DB_INSERT_allowed |
| DB_INSERT_denied |
| DB_UPDATE_allowed |
| DB_UPDATE_denied |
| DB_DELETE_allowed |
| DB_DELETE_denied |
| VIEW_EXEC_allowed |
| VIEW_EXEC_denied |
| DBOBJ_CREATE_allowed |
| DBOBJ_CREATE_denied |
| DBOBJ_DELETE_allowed |
| DBOBJ_DELETE_denied |
| DB_OWNER_allowed |
| DB_MANAGE_allowed |
| DB_MANAGE_denied |
| CATALOG_READ_allowed |
| CATALOG_READ_denied |
| CATALOG_INSERT_allowed |
| CATALOG_INSERT_denied |
| CATALOG_UPDATE_allowed |
| CATALOG_UPDATE_denied |
| CATALOG_DELETE_allowed |
| CATALOG_DELETE_denied |
| COMPUTE_GROUP_EXEC_allowed |
| COMPUTE_GROUP_EXEC_denied |
| TABLE_SENSITIVE_VIEW_allowed |
| TABLE_SENSITIVE_VIEW_denied |
| DB_SENSITIVE_VIEW_allowed |
| DB_SENSITIVE_VIEW_denied |
| MCP_EXEC_allowed |
| MCP_EXEC_denied |
| ORCA_MANAGE_allowed |
| ORCA_MANAGE_denied |
| ORCA_CATALOG_GRAPH_CONTROL_allowed |
| ORCA_CATALOG_GRAPH_CONTROL_denied |
| ORCA_GRAPH_CONTROL_allowed |
| ORCA_GRAPH_CONTROL_denied |
| ORCA_CATALOG_GRAPH_CREATE_allowed |
| ORCA_CATALOG_GRAPH_CREATE_denied |
| ORCA_CATALOG_GRAPH_DROP_allowed |
| ORCA_CATALOG_GRAPH_DROP_denied |
| ORCA_CATALOG_TABLE_READ_allowed |
| ORCA_CATALOG_TABLE_READ_denied |
| ORCA_TABLE_READ_allowed |
| ORCA_TABLE_READ_denied |
| ORCA_CATALOG_TABLE_WRITE_allowed |
| ORCA_CATALOG_TABLE_WRITE_denied |
| ORCA_TABLE_WRITE_allowed |
| ORCA_TABLE_WRITE_denied |
| ORCA_CATALOG_TABLE_CREATE_allowed |
| ORCA_CATALOG_TABLE_CREATE_denied |
| ORCA_CATALOG_TABLE_DROP_allowed |
| ORCA_CATALOG_TABLE_DROP_denied |
| ORCA_CATALOG_ENGINE_MANAGE_allowed |
| ORCA_CATALOG_ENGINE_MANAGE_denied |
| ORCA_ENGINE_MANAGE_allowed |
| ORCA_ENGINE_MANAGE_denied |