Grant RudderStack the required permissions on your data warehouse.
4 minute read
RudderStack supports Snowflake, Redshift, and Databricks for creating unified user profiles.
To read and write data to the warehouse, RudderStack requires specific warehouse permissions as explained in the following sections.
Keeping separate schemas for projects running via CLI and web is recommended. This way projects run from the CLI will never risk overwriting your production data.
Snowflake
Snowflake uses a combination of DAC and RBAC models for access control. However, RudderStack chooses an RBAC-based access control mechanism as multiple users can launch the Profile Builder CLI.
Also, it is not ideal to tie the result of an individual user run with
that user. Hence, it is recommended to create a generic role (for example, PROFILES_ROLE) with the following privileges:
Read access to all the inputs to the model (can be shared in case of multiple schemas/tables).
Write access to the schemas and common tables as the PB project creates material (output) tables.
If you want to access any material created from the project run, the role (PROFILES_ROLE) must also have read access to all of those schemas.
Below are some sample commands which grant the required privileges to the role (PROFILES_ROLE) in a Snowflake warehouse:
-- Create role
CREATEROLEPROFILES_ROLE;SHOWROLES;-- To validate
-- Create user
CREATEUSERPROFILES_TEST_USERPASSWORD='<StrongPassword>'DEFAULT_ROLE='PROFILES_ROLE';SHOWUSERS;-- To validate
-- Grant role to user and database
GRANTROLEPROFILES_ROLETOUSERPROFILES_TEST_USER;GRANTUSAGEONDATABASEYOUR_RUDDERSTACK_DBTOROLEPROFILES_ROLE;
-- Create separate schema for Profiles and grant privileges to role
CREATESCHEMAYOUR_RUDDERSTACK_DB.RS_PROFILES;GRANTALLPRIVILEGESONSCHEMAYOUR_RUDDERSTACK_DB.RS_PROFILESTOROLEPROFILES_ROLE;GRANTUSAGEONWAREHOUSERUDDER_WAREHOUSETOROLEPROFILES_ROLE;GRANTUSAGEONSCHEMAYOUR_RUDDERSTACK_DB.EVENTSSCHEMATOROLEPROFILES_ROLE;GRANTSELECTONALLTABLESINSCHEMAYOUR_RUDDERSTACK_DB.RS_PROFILESTOPROFILES_ROLE;GRANTSELECTONFUTURETABLESINSCHEMAYOUR_RUDDERSTACK_DB.RS_PROFILESTOPROFILES_ROLE;GRANTSELECTONALLVIEWSINSCHEMAYOUR_RUDDERSTACK_DB.RS_PROFILESTOPROFILES_ROLE;GRANTSELECTONFUTUREVIEWSINSCHEMAYOUR_RUDDERSTACK_DB.RS_PROFILESTOPROFILES_ROLE;
For accessing input sources, you can individually grant select on tables/views, or give blanket grant to all in a schema.
-- Assuming we want read access to tables/views in schema EVENTSSCHEMA
GRANTSELECTONALLTABLESINSCHEMAYOUR_RUDDERSTACK_DB.EVENTSSCHEMATOPROFILES_ROLE;GRANTSELECTONFUTURETABLESINSCHEMAYOUR_RUDDERSTACK_DB.EVENTSSCHEMATOPROFILES_ROLE;GRANTSELECTONALLVIEWSINSCHEMAYOUR_RUDDERSTACK_DB.EVENTSSCHEMATOPROFILES_ROLE;GRANTSELECTONFUTUREVIEWSINSCHEMAYOUR_RUDDERSTACK_DB.EVENTSSCHEMATOPROFILES_ROLE;
-- Assuming we want read access to tracks and identifies tables in schema EVENTSSCHEMA
GRANTSELECTONTABLEYOUR_RUDDERSTACK_DB.EVENTSSCHEMA.TRACKSTOPROFILES_ROLE;GRANTSELECTONTABLEYOUR_RUDDERSTACK_DB.EVENTSSCHEMA.IDENTIFIESTOPROFILES_ROLE;
Redshift
When working with Redshift, the required privileges are different compared to Snowflake.
Suppose the inputs/edge sources are in a single schema website_eventstream and the name of the newly created PB user is rudderstack_admin. In this case, the requirements are as follows:
A separate schema rs_profiles (to store all the common and output tables).
The rudderstack_admin user should have all the privileges on the above schema and the associated tables.
The rudderstack_admin user should have USAGE privilege on schemas that have the edge sources and input tables (website_eventstream) and read (SELECT) privileges on specific tables as well. This privilege can extend to the migration schema and other schemas from where data from warehouses comes in.
The rudderstack_admin user should have privileges to use plpythonu to create some UDFs.
Reuse an existing catalog or create a new one by clicking Create Catalog.
Grant USE SCHEMA privilege on the catalog.
Create a separate schema to write objects created by RudderStack Profiles.
Grant all privileges on this schema.
Grant privileges to access relevant schemas for the input tables. For example, if an input schema is in a schema named website_eventstream, then you can run the following commands to assign a blanket grant to all schemas or only specific tables/views referred in your Profiles project:
This site uses cookies to improve your experience while you navigate through the website. Out of
these
cookies, the cookies that are categorized as necessary are stored on your browser as they are as
essential
for the working of basic functionalities of the website. We also use third-party cookies that
help
us
analyze and understand how you use this website. These cookies will be stored in your browser
only
with
your
consent. You also have the option to opt-out of these cookies. But opting out of some of these
cookies
may
have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This
category only includes cookies that ensures basic functionalities and security
features of the website. These cookies do not store any personal information.
This site uses cookies to improve your experience. If you want to
learn more about cookies and why we use them, visit our cookie
policy. We'll assume you're ok with this, but you can opt-out if you wish Cookie Settings.