Federated Data Access (FDA) Rights matrix
The following tables list the database permissions each system requires so that you can perform operations on external databases through federated data access (FDA).
| Operation | Snowflake | Redshift | Google BigQuery | Databricks |
| --- | --- | --- | --- | --- |
| Connecting to remote database | USAGE ON WAREHOUSE, USAGE ON DATABASE, and USAGE ON SCHEMA privileges | Create a user linked to the AWS account | Create a service account and grant principal access to project | USE CATALOG permission on Catalog and CAN_USE permission on SQL Warehouse |
| Creating tables | CREATE TABLE ON SCHEMA privilege | CREATE permission | The role assigned to the service account has to contain: bigquery.jobs.create and bigquery.tables.create permissions | USE SCHEMA and CREATE TABLE permissions |
| Creating indexes | N/A | CREATE permission | BigQuery only supports search indexes. The role assigned to the service account has to contain: bigquery.jobs.create, bigquery.tables.getData, and bigquery.tables.createIndex permissions | N/A |
| Creating functions | CREATE FUNCTION ON SCHEMA privilege | USAGE ON LANGUAGE plpythonu permission to be able to call external Python scripts | The role assigned to the service account has to contain: bigquery.jobs.create and bigquery.routines.create permissions | CREATE FUNCTION permission |
| Creating procedures | N/A | USAGE ON LANGUAGE plpythonu permission to be able to call external Python scripts | The role assigned to the service account has to contain: bigquery.jobs.create and bigquery.routines.create permissions | N/A |
| Removing objects (tables, indexes, functions, procedures) | Owning the object | Owning the object or being a superuser | The role assigned to the service account has to contain: bigquery.jobs.create, bigquery.routines.delete, bigquery.tables.delete, and bigquery.tables.deleteIndex permissions | N/A |
| Monitoring executions | MONITOR privilege on the required object | No permissions required to use the EXPLAIN command | monitoring.viewer role | CAN_VIEW permission |
| Writing data | INSERT and/or UPDATE privileges (depending on the write operation) | INSERT and UPDATE permissions | The role assigned to the service account has to contain: bigquery.jobs.create and bigquery.tables.updateData | MODIFY permission |
| Loading data into tables | CREATE STAGE ON SCHEMA, Create file FORMAT (`GRANT CREATE FILE FORMAT ON SCHEMA <SCHEMA> to ROLE <ROLE>`), SELECT, and INSERT on the target table privileges | SELECT and INSERT permissions | The role assigned to the service account has to contain: bigquery.jobs.create, bigquery.tables.getData, and bigquery.tables.updateData | SELECT and MODIFY permissions |
| Accessing client data | SELECT on (FUTURE) TABLE(S) or VIEW(S) privilege(s) | SELECT permission | The role assigned to the service account has to contain: bigquery.jobs.create, bigquery.readsessions.create, and bigquery.tables.getData for tables or the bigquery.dataViewer role | SELECT permission |
| Accessing metadata | SELECT on INFORMATION_SCHEMA SCHEMA privilege | SELECT permission | bigquery.metadataViewer role | SELECT on INFORMATION_SCHEMA SCHEMA permission |

| Operation | Microsoft Fabric | Azure Synapse Analytics | Vertica | Teradata |
| --- | --- | --- | --- | --- |
| Connecting to remote database | Read (default) permission | CONNECT permission | No privilege required | CONNECT privilege |
| Creating tables | CREATE TABLE ON DATABASE (warehouse) and ALTER ON SCHEMA | CREATE TABLE permission | CREATE ON SCHEMA privilege | CREATE TABLE or TABLE keyword |
| Creating indexes | N/A | ALTER permission | N/A | CREATE INDEX or INDEX keyword |
| Creating functions | N/A | CREATE FUNCTION permission | CREATE ON SCHEMA privilege | CREATE FUNCTION or FUNCTION keyword |
| Creating procedures | CREATE PROCEDURE ON DATABASE (warehouse) and ALTER ON SCHEMA | CREATE PROCEDURE permission | CREATE ON SCHEMA privilege | CREATE PROCEDURE or PROCEDURE keyword |
| Removing objects (tables, indexes, functions, procedures) | ALTER ON SCHEMA | ALTER permission | Owning the object or the DROP privilege on object | DROP on object type or related keyword |
| Monitoring executions | Workspace Contributor or above permissions (queryinsights.exec_requests_history) | CONTROL permission | No privilege required to use EXPLAIN statement | No extra privilege required to use EXPLAIN |
| Writing data | INSERT and/or UPDATE ON OBJECT | INSERT and UPDATE permissions | INSERT and UPDATE privileges | INSERT and UPDATE privileges |
| Loading data into tables | SELECT ON OBJECT and INSERT ON OBJECT | CREATE TABLE, EXECUTE, SELECT, INSERT, UPDATE, and ALTER permissions | INSERT privilege on table, USAGE privilege on schema | SELECT and INSERT (for example COPY TO/COPY FROM) |
| Accessing client data | SELECT ON OBJECT | SELECT permission | SELECT privilege | SELECT privilege |
| Accessing metadata | SELECT ON INFORMATION_SCHEMA | No permission required to describe table | USAGE ON SCHEMA, SELECT on TABLE, and also privileges on tables v_catalog.columns and v_catalog.view_columns | SHOW privilege |
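The Snowflake requirements listed above, written out as grants to one dedicated role, as an added example that is not part of the original page or the product's own setup script. It assumes hypothetical names (role FDA_ROLE, user FDA_SVC, warehouse FDA_WH, database CLIENT_DB, schemas CRM and FDA_WORK) and, as a least-privilege design choice of this example, keeps client data read-only while confining create, load and write privileges to a separate working schema.

```sql
-- Added example. Every object name below is hypothetical.
CREATE ROLE IF NOT EXISTS FDA_ROLE;
GRANT ROLE FDA_ROLE TO USER FDA_SVC;

-- Connecting to remote database
GRANT USAGE ON WAREHOUSE FDA_WH TO ROLE FDA_ROLE;
GRANT USAGE ON DATABASE CLIENT_DB TO ROLE FDA_ROLE;
GRANT USAGE ON SCHEMA CLIENT_DB.CRM TO ROLE FDA_ROLE;
GRANT USAGE ON SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;

-- Accessing client data: SELECT only, covering existing and future tables and views
GRANT SELECT ON ALL TABLES IN SCHEMA CLIENT_DB.CRM TO ROLE FDA_ROLE;
GRANT SELECT ON FUTURE TABLES IN SCHEMA CLIENT_DB.CRM TO ROLE FDA_ROLE;
GRANT SELECT ON ALL VIEWS IN SCHEMA CLIENT_DB.CRM TO ROLE FDA_ROLE;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA CLIENT_DB.CRM TO ROLE FDA_ROLE;

-- Creating tables and functions, loading data: working schema only
GRANT CREATE TABLE ON SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;
GRANT CREATE FUNCTION ON SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;
GRANT CREATE STAGE ON SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;
GRANT CREATE FILE FORMAT ON SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;

-- Writing data and loading data into tables: working schema only
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;
GRANT SELECT, INSERT, UPDATE ON FUTURE TABLES IN SCHEMA CLIENT_DB.FDA_WORK TO ROLE FDA_ROLE;

-- Monitoring executions (assumption: the warehouse is the object to monitor)
GRANT MONITOR ON WAREHOUSE FDA_WH TO ROLE FDA_ROLE;

-- Review what the role actually holds before handing over the credentials
SHOW GRANTS TO ROLE FDA_ROLE;
SHOW FUTURE GRANTS IN SCHEMA CLIENT_DB.CRM;
SHOW FUTURE GRANTS IN SCHEMA CLIENT_DB.FDA_WORK;
```

Removing objects needs no grant here because, per the matrix, Snowflake ties it to owning the object, so the role can only drop what it created.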