getUserAccess

Syntax

getUserAccess([userIds], [finalAccess=false])

Arguments

userId (optional) is a STRING scalar/vector indicating one or multiple user names.

finalAccess (optional) is a Boolean value that specifies whether to return the privileges that ultimately take effect, i.e., the result takes into account the privileges of both the user and the groups the user belongs to. The default value is false.

Details

This function returns privileges for specific users.

When userId is not specified, it returns the privileges for the current user.

When userId is specified (administrators only):

  • If finalAccess = false, the result shows only the privileges applied explicitly to the user.

  • If finalAccess = true, the result shows the privileges that ultimately take effect.

Return value: A table with the following columns:

| Column | Description |
|---|---|
| userId | The user name |
| groups | The group to which the user belongs |
| isAdmin | Whether the user is an administrator |
| MAX_JOB_PRIORITY | An integer between 0 and 8 indicating the highest priority of the jobs submitted by the user. It is specified by the command setMaxJobPriority. |
| MAX_PARALLELISM | An integer indicating the maximum number of tasks that can be executed in parallel for a job submitted by the user. It is specified by the command setMaxJobParallelism. |
| QUERY_RESULT_MEM_LIMIT | The memory limit for a query result. It is a floating-point number indicating memory usage (in GB). You can use grant to set the limit and revoke to remove. |
| TASK_GROUP_MEM_LIMIT | The memory limit of a task group. It is a floating-point number indicating memory usage in GB. You can use grant to set the limit and revoke to remove. |

The following privileges are listed with permission state "allow" / "none" / "deny": ACCESS_READ, ACCESS_INSERT, ACCESS_UPDATE, ACCESS_DELETE, VIEW_EXEC, SCRIPT_EXEC, TEST_EXEC, DBOBJ_CREATE, DBOBJ_DELETE, DB_MANAGE, DB_OWNER, VIEW_OWNER, and COMPUTE_GROUP_EXEC.
Note:
  • Since version 3.00.2, compute group privileges are returned.
  • Since version 3.00.0, catalog privileges are returned.
  • Version 1.30.21/2.00.9 onwards extends privileges at the table level. The original TABLE_WRITE field is now replaced with fields TABLE_INSERT, TABLE_UPDATE, and TABLE_DELETE.
  • As the DB_READ, DB_WRITE, DB_INSERT, DB_UPDATE, and DB_DELETE privileges apply to tables in databases, only table-level privileges are returned.
The remaining columns in the table display the specific objects (tables, views or databases) that the user is granted/denied access to:
objs
TABLE_READ_allowed
TABLE_READ_denied
TABLE_INSERT_allowed
TABLE_INSERT_denied
TABLE_UPDATE_allowed
TABLE_UPDATE_denied
TABLE_DELETE_allowed
TABLE_DELETE_denied
DB_READ_allowed
DB_READ_denied
DB_INSERT_allowed
DB_INSERT_denied
DB_UPDATE_allowed
DB_UPDATE_denied
DB_DELETE_allowed
DB_DELETE_denied
VIEW_EXEC_allowed
VIEW_EXEC_denied
DBOBJ_CREATE_allowed
DBOBJ_CREATE_denied
DBOBJ_DELETE_allowed
DBOBJ_DELETE_denied
DB_OWNER_allowed
DB_MANAGE_allowed
DB_MANAGE_denied
CATALOG_READ_allowed
CATALOG_READ_denied
CATALOG_INSERT_allowed
CATALOG_INSERT_denied
CATALOG_UPDATE_allowed
CATALOG_UPDATE_denied
CATALOG_DELETE_allowed
CATALOG_DELETE_denied
COMPUTE_GROUP_EXEC_allowed
COMPUTE_GROUP_EXEC_denied
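
For an access review, the two modes described under Details can be compared to see which privileges reach a user only through group membership. The following Python sketch is an added example, not part of the DolphinDB documentation. The rows are constructed sample data, the user and object names are hypothetical, and it assumes the `*_allowed` / `*_denied` columns hold comma-separated object names.

```python
# Added example: compares the two result shapes getUserAccess can return for one user.
# All rows below are constructed sample data, not output from a real server.
# Assumption: the *_allowed / *_denied columns hold comma-separated object names.

EXPLICIT = {  # shaped like one row of getUserAccess("alice")
    "userId": "alice", "groups": "analysts", "isAdmin": False,
    "SCRIPT_EXEC": "allow", "TEST_EXEC": "none", "DB_MANAGE": "none",
    "TABLE_READ_allowed": "dfs://trades/quotes",
    "TABLE_INSERT_denied": "",
}
FINAL = {  # shaped like one row of getUserAccess("alice", true)
    "userId": "alice", "groups": "analysts", "isAdmin": False,
    "SCRIPT_EXEC": "allow", "TEST_EXEC": "allow", "DB_MANAGE": "none",
    "TABLE_READ_allowed": "dfs://trades/quotes,dfs://trades/orders",
    "TABLE_INSERT_denied": "dfs://trades/orders",
}

def split_objs(cell):
    """Turn an object-list cell into a set of object names."""
    return {o.strip() for o in str(cell or "").split(",") if o.strip()}

def inherited_from_groups(explicit, final):
    """Return what is in effect (finalAccess=true) but not set on the user itself."""
    inherited = {}
    for col, value in final.items():
        if col.endswith(("_allowed", "_denied")):
            extra = split_objs(value) - split_objs(explicit.get(col))
            if extra:
                inherited[col] = sorted(extra)
        elif value in ("allow", "deny") and explicit.get(col, "none") != value:
            inherited[col] = value
    return inherited

def review_flags(explicit, final):
    """Build human-readable findings for an access review."""
    flags = []
    if final.get("isAdmin"):
        flags.append("administrator account")
    for col, value in inherited_from_groups(explicit, final).items():
        flags.append(f"{col} via group(s) {final.get('groups')}: {value}")
    return flags

if __name__ == "__main__":
    for line in review_flags(EXPLICIT, FINAL):
        print(line)
```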