Data source-specific permissions

Data source	Structural Metadata ingestion permissions	Data Quality Pushdown permissions
Amazon Athena	N/A	Read access on your Glue catalog and S3 buckets Write access on your S3 output location See the IAM policy Copy { "Version": "YYYY-MM-DD", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "s3:ListBucketMultipartUploads", "athena:GetQueryResultsStream", "glue:GetTables", "glue:GetPartitions", "athena:GetQueryResults", "glue:BatchGetPartition", "s3:ListBucket", "glue:GetDatabases", "athena:ListQueryExecutions", "s3:ListMultipartUploadParts", "glue:GetTable", "glue:GetDatabase", "athena:GetWorkGroup", "s3:PutObject", "s3:GetObject", "glue:GetPartition", "glue:GetCatalogImportStatus", "athena:StopQueryExecution", "athena:GetQueryExecution", "s3:GetBucketLocation", "athena:BatchGetQueryExecution", "athena:DeletePreparedStatement", "athena:CreatePreparedStatement" ], "Resource": [ "arn:aws:athena::<AWSAccountID>:workgroup/primary", "arn:aws:s3:::<S3 bucket name>/", "arn:aws:s3:::<S3 bucket name>", "arn:aws:glue::<AWSAccountID>:catalog", "arn:aws:glue::<AWSAccountID>:database/<database name>", "arn:aws:glue::<AWSAccountID>:table/<database name>/" ] } ] }
Amazon Redshift	`USAGE`	`GRANT USAGE ON SCHEMA` `GRANT SELECT ON ALL TABLES`
Databricks	`CAN ATTACH TO`	`CAN ATTACH TO`
Google BigQuery	`bigquery.datasets.get` `bigquery.jobs.create` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.list` `resourcemanager.projects.get`	`roles/bigquery.dataViewer` `roles/bigquery.jobUser` `roles/bigquery.readSessionUser` `roles/bigquery.dataOwner` permissions on the temporary dataset
Microsoft SQL Server	`CONNECT SQL` on the system `VIEW DEFINITION` on the database	`GRANT` on the login and database `GRANT SELECT` on schemas, tables, and views
Oracle OCI	N/A	`GRANT SELECT` on schemas, tables, and views
SAP HANA	MONITORING role PUBLIC role	`SELECT` on each schema that you want to profile
Snowflake	`USAGE` on the database and schema `REFERENCES` on each table that you want to ingest	`USAGE` on the warehouse, database, and schema `GRANT SELECT` on tables and views
Starburst	N/A	`read-only` role on the catalog, schemas, tables, views, and columns

Amazon Athena

N/A

Read access on your Glue catalog and S3 buckets
Write access on your S3 output location

See the IAM policy

Copy

{
                                            "Version": "YYYY-MM-DD",
                                            "Statement": [
                                            {
                                            "Sid": "VisualEditor0",
                                            "Effect": "Allow",
                                            "Action": [
                                            "athena:StartQueryExecution",
                                            "s3:ListBucketMultipartUploads",
                                            "athena:GetQueryResultsStream",
                                            "glue:GetTables",
                                            "glue:GetPartitions",
                                            "athena:GetQueryResults",
                                            "glue:BatchGetPartition",
                                            "s3:ListBucket",
                                            "glue:GetDatabases",
                                            "athena:ListQueryExecutions",
                                            "s3:ListMultipartUploadParts",
                                            "glue:GetTable",
                                            "glue:GetDatabase",
                                            "athena:GetWorkGroup",
                                            "s3:PutObject",
                                            "s3:GetObject",
                                            "glue:GetPartition",
                                            "glue:GetCatalogImportStatus",
                                            "athena:StopQueryExecution",
                                            "athena:GetQueryExecution",
                                            "s3:GetBucketLocation",
                                            "athena:BatchGetQueryExecution",
                                            "athena:DeletePreparedStatement",
                                            "athena:CreatePreparedStatement"
                                            ],
                                            "Resource": [
                                            "arn:aws:athena:*:<AWSAccountID>:workgroup/primary",
                                            "arn:aws:s3:::<S3 bucket name>/*",
                                            "arn:aws:s3:::<S3 bucket name>",
                                            "arn:aws:glue:*:<AWSAccountID>:catalog",
                                            "arn:aws:glue:*:<AWSAccountID>:database/<database name>",
                                            "arn:aws:glue:*:<AWSAccountID>:table/<database name>/*"
                                            ]
                                            }
                                            ]
                                        }

Amazon Redshift

USAGE

GRANT USAGE ON SCHEMA
GRANT SELECT ON ALL TABLES

Databricks

CAN ATTACH TO

Google BigQuery

bigquery.datasets.get
bigquery.jobs.create
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
resourcemanager.projects.get

roles/bigquery.dataViewer
roles/bigquery.jobUser
roles/bigquery.readSessionUser
roles/bigquery.dataOwner permissions on the temporary dataset

Microsoft SQL Server

CONNECT SQL on the system
VIEW DEFINITION on the database

GRANT on the login and database
GRANT SELECT on schemas, tables, and views

Oracle OCI

N/A

GRANT SELECT on schemas, tables, and views

SAP HANA

MONITORING role
PUBLIC role

SELECT on each schema that you want to profile

Snowflake

USAGE on the database and schema
REFERENCES on each table that you want to ingest

USAGE on the warehouse, database, and schema
GRANT SELECT on tables and views

Starburst

N/A

read-only role on the catalog, schemas, tables, views, and columns