Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add example to redshift grants section #5156

Closed
wants to merge 14 commits into from
Closed
34 changes: 33 additions & 1 deletion website/docs/reference/resource-configs/grants.md
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,39 @@ models:

<div warehouse="Redshift">

* Granting to / revoking from is only fully supported for Redshift users (not groups or roles).
For Redshift, you need to distinguish between users, roles, and groups. It is important to explicitly grant roles and groups access to your models. You can revoke access as well.

**For users:**
When granting access to individual users, use the `+grants` syntax in your configuration to add or modify permissions for these users without replacing existing configurations. In the following example, you only need to list the users:

```yaml
models:
my_schema:
schema: my_schema
description: "My schema"
+grants:
select: ["gspider"] # example of user access
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👻 🕷️ 🕸️

```

**For roles and groups:**
Inheritance of grants are not supported for groups and roles in Redshift. Accordingly, for every model, you need to provide the complete list of roles or groups that require access each time you make a change to a model.

Additionally, you must prefix each role or group with 'role' or 'group':

```yaml
models:
my_schema:
schema: my_schema
description: "Schema for reporting"
grants:
select: ["role my_role", "group my_group"]
```

Some things to note:

- Ensure that any roles or groups mentioned must already exist in Redshift.
- The merge strategy of grants (via the `+` prefix in front of `+grants`) is not supported for roles and groups.
- Always use the appropriate prefix (role or group) when specifying roles and groups in the grants configuration.

</div>

Expand Down
Loading