Data source-specific permissions
- The Edge connection may be shared with other capabilities, such as Structural Metadata Ingestion, or may be specific to Data Quality & Observability, such as Data Quality Pullup Processing or Data Quality Pushdown Processing.
- Archive break records permissions currently apply to Data Quality Pushdown Processing only.
Permissions by data source
The following sections list the minimum required permissions for each supported data source, organized by capability. Permissions are listed separately for Structural Metadata Ingestion, Data Quality Pullup Processing and Data Quality Pushdown Processing, and archive break records.
Note: Archive break records permissions currently apply to Data Quality Pushdown Processing connections only.
Amazon Athena
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- Read access on the Glue catalog and S3 buckets
- Write access on the S3 output location
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "s3:ListBucketMultipartUploads",
        "athena:GetQueryResultsStream",
        "glue:GetTables",
        "glue:GetPartitions",
        "athena:GetQueryResults",
        "glue:BatchGetPartition",
        "s3:ListBucket",
        "glue:GetDatabases",
        "athena:ListQueryExecutions",
        "s3:ListMultipartUploadParts",
        "glue:GetTable",
        "glue:GetDatabase",
        "athena:GetWorkGroup",
        "s3:PutObject",
        "s3:GetObject",
        "glue:GetPartition",
        "glue:GetCatalogImportStatus",
        "athena:StopQueryExecution",
        "athena:GetQueryExecution",
        "s3:GetBucketLocation",
        "athena:BatchGetQueryExecution",
        "athena:DeletePreparedStatement",
        "athena:CreatePreparedStatement"
      ],
      "Resource": [
        "arn:aws:athena:*:<AWSAccountID>:workgroup/primary",
        "arn:aws:s3:::<S3 bucket name>/*",
        "arn:aws:s3:::<S3 bucket name>",
        "arn:aws:glue:*:<AWSAccountID>:catalog",
        "arn:aws:glue:*:<AWSAccountID>:database/<database name>",
        "arn:aws:glue:*:<AWSAccountID>:table/<database name>/*"
      ]
    }
  ]
}
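The following check is an added example, not part of the original page or the product: it compares the IAM policy actually attached to the service account with the action list above and reports missing actions, actions beyond the list, wildcard actions, and statements whose Resource is "*". The function names, the SAMPLE policy and the bucket name example-bucket are constructed for illustration; only Allow statements with an Action element are examined, and Deny, NotAction and Condition are not evaluated.

```python
import fnmatch
import json

# The 24 actions from the Athena policy on this page.
REQUIRED = set("""
athena:StartQueryExecution athena:StopQueryExecution athena:GetQueryExecution
athena:BatchGetQueryExecution athena:ListQueryExecutions athena:GetQueryResults
athena:GetQueryResultsStream athena:GetWorkGroup athena:CreatePreparedStatement
athena:DeletePreparedStatement glue:GetDatabase glue:GetDatabases glue:GetTable
glue:GetTables glue:GetPartition glue:GetPartitions glue:BatchGetPartition
glue:GetCatalogImportStatus s3:ListBucket s3:GetBucketLocation s3:GetObject
s3:PutObject s3:ListBucketMultipartUploads s3:ListMultipartUploadParts
""".split())

def _as_list(value):  # IAM accepts a bare string or object where a list is expected
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):  # action names are case-insensitive; * and ? are wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit(policy_json):
    """Compare the Allow statements of an IAM policy document with REQUIRED."""
    granted, open_resources = set(), []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        granted.update(_as_list(stmt.get("Action", [])))
        if "*" in _as_list(stmt.get("Resource", [])):
            open_resources.append(stmt.get("Sid", "<no Sid>"))
    wild = {g for g in granted if "*" in g or "?" in g}
    needed = {a.lower() for a in REQUIRED}
    return {
        "missing": sorted(a for a in REQUIRED if not any(_matches(g, a) for g in granted)),
        "wildcard_actions": sorted(wild),
        "excess": sorted(g for g in granted - wild if g.lower() not in needed),
        "open_resources": open_resources,
    }

# Constructed sample policy (not from the page): broader than the list in places, short in others.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Query", "Effect": "Allow", "Resource": "*",
     "Action": ["athena:*", "glue:Get*", "glue:DeleteTable"]},
    {"Sid": "Results", "Effect": "Allow",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]},
]})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```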
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Amazon Redshift
Structural Metadata Ingestion
The service account user must have:
- USAGE
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- USAGE on schemas
- SELECT on all tables
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Azure Synapse
Structural Metadata Ingestion
The service account user must have:
- SELECT on each table to ingest
Data Quality Pullup Processing
The service account user must have:
- GRANT on the login and database
- SELECT on schemas, tables, and views for processing
- CONNECT SQL on the system
- VIEW DEFINITION on the database
Databricks
Structural Metadata Ingestion
The service account user must have:
- CAN USE on the SQL warehouse
- USAGE on CATALOG
- USAGE on SCHEMA
- SELECT on the schema or tables that you want to process
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- CAN ATTACH TO on the cluster
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Db2
Structural Metadata Ingestion
The service account user must have:
- CONNECT on the database
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- SELECT on each table that you want to profile
Denodo
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- CONNECT and EXECUTE on the database
Google BigQuery
Structural Metadata Ingestion
The service account user must have:
- bigquery.datasets.get
- bigquery.jobs.create
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.list
- resourcemanager.projects.get
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- roles/bigquery.dataViewer
- roles/bigquery.jobUser
- roles/bigquery.readSessionUser on the project
- roles/bigquery.dataOwner on the temporary dataset
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Microsoft SQL Server
Structural Metadata Ingestion
The service account user must have:
- CONNECT SQL on the system
- VIEW DEFINITION on the database
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- GRANT on the login and database
- SELECT on schemas, tables, and views
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
MySQL
Structural Metadata Ingestion
The service account user must have:
- SELECT on each database and table that you want to ingest
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- SELECT on each schema that you want to profile
Oracle OCI
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- SELECT on schemas, tables, and views
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Oracle (Thin client-side)
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- SELECT on schemas, tables, and views
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
PostgreSQL
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- USAGE on schemas
- SELECT on all tables
Presto
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- read-only role on the catalog, schemas, tables, views, and columns
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
SAP HANA
Structural Metadata Ingestion
The service account user must have:
- MONITORING role
- PUBLIC role
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- SELECT on each schema that you want to profile
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Snowflake
Structural Metadata Ingestion
The service account user must have:
- USAGE on the database and schema
- REFERENCES on each table that you want to ingest
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- USAGE on the warehouse, database, and schema
- SELECT on tables and views
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Starburst
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- read-only role on the catalog, schemas, tables, views, and columns
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.
Sybase
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing
The service account user must have:
- SELECT on each table and view that you want to profile
Teradata
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing
The service account user must have:
- SELECT on each table and view that you want to profile
Trino
Structural Metadata Ingestion
No additional permissions required.
Data Quality Pullup Processing and Data Quality Pushdown Processing
The service account user must have:
- read-only role on the catalog, schemas, tables, views, and columns
Archive break records
When using archive break records, the service account user must have:
- Read access on the source data.
- Create, write, and modify table permissions on the destination database and schema where break records are stored. This is separate from the read access used to run the job, and the exact privilege names vary by data source.