Before You Start
Cirro has several built-in roles which enable permissions to cirro objects and target systems.
|Public||All users belong to the Public Role which enables login. No permission to cirro objects and target systems. Default privileges associated with PUBLIC role are CONNECT, SET DESCRIBE and SELECT (on metadata tables). These can be changed by a system administrator, but it is not recommended. The PUBLIC role cannot be dropped.|
|secure_connect||Execute only Passthrough SQL|
|federated_read_only||Execute Federated Queries|
|federated_read_write||Execute Federated Queries, DDL, and DML|
|data_migrator||Manage and Execute Data Projects|
Connect to Cirro
- Connect to Cirro with a sql client.
CREATE ROLE Cirro_rolename
Cirro_rolename: The name for the new role. Optionally, enclose in single quotes. Cirro_rolename is a case-sensitive VARCHAR(128).
WITH EXTERNAL ‘CN=Active_directory_group,CN=Users,DC=home,DC=network’: These keywords associate Cirro_rolename to an pre-existing Active Directory group. CN and DC values are specific to your Active Directory installation.
CREATE ROLE 'myRole1';
Active Directory Role
CREATE ROLE 'engineering' WITH EXTERNAL 'CN=Engineering,CN=Users,DC=engineering,DC=myCompany,DC=com;
GRANT Cirro_rolename TO user/other_rolename;
Cirro_role: the existing role
user: the user who is being granted Cirro_role (not applicable for LDAP/Active Directory)
other_rolename: an existing role being granted Cirro_role
GRANT myRole1 TO myUser1; GRANT AccountingTeam TO HRUsers;
REVOKE roleName FROM userOrRoleName
roleName: the existing Cirro role that will be removed from userOrRoleName.
userOrRoleName: the existing Cirro user or role who is a member of roleName.
REVOKE myRole1 FROM myUser1; REVOKE AccountingTeam FROM HRUsers;