Overview
Engine routing is a great way to automatically route queries to specific engines. However, users can still manually override the routed engine by selecting a different one from the Engine drop-down.
To prevent this, engine USAGE privileges can be revoked for specific users.
This article describes how to revoke access to a specific engine by revoking its USAGE privilege. The same procedure can be used for Projects, Identity and token providers, and Engines.
Applies To
Dremio Cloud
Details
A user holds a privilege if it is granted either to the user directly or to one of the user's roles. Therefore, it is important to consider both the User and their Roles when revoking privileges.
1. Revoke access for a User:
REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> }
FROM USER <username>
Here's an example of revoking access to the 'preview' engine for 'user@example.com':
REVOKE USAGE ON ENGINE preview FROM USER "user@example.com"
At this point, the User may still have access to the object if their Role also has privileges.
2. Revoke access for a Role:
REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> }
FROM ROLE <role_name>
Here's an example of revoking access to the 'preview' engine for the PUBLIC role:
REVOKE USAGE ON ENGINE preview FROM ROLE PUBLIC
At this point, if a user attempts a query on this engine, they will get an error:
"Access denied. You do not have USAGE privilege on the engine."
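The following Python sketch is an added example, not part of Dremio's documentation or tooling. It models the rule from the Details section (a user has a privilege if the user or any of their roles holds it) and lists every REVOKE statement needed to fully remove one user's USAGE on an engine. The grant list, the role membership map, the 'analysts' role and the 'reporting' engine are constructed sample data, and only direct role membership is modeled.

```python
# Constructed sample data (assumption): (grantee type, grantee, privilege, engine).
GRANTS = [
    ("USER", "user@example.com", "USAGE", "preview"),
    ("ROLE", "PUBLIC", "USAGE", "preview"),
    ("ROLE", "analysts", "USAGE", "preview"),
    ("ROLE", "analysts", "USAGE", "reporting"),
]
# Constructed role membership (assumption); PUBLIC is modeled as an ordinary role.
MEMBERSHIP = {
    "user@example.com": {"PUBLIC", "analysts"},
    "other@example.com": {"PUBLIC"},
}


def access_paths(user, privilege, engine, grants=GRANTS, membership=MEMBERSHIP):
    """Return every (grantee type, grantee) that gives `user` the privilege."""
    roles = membership.get(user, set())
    paths = []
    for gtype, grantee, priv, obj in grants:
        if priv != privilege or obj != engine:
            continue
        direct = gtype == "USER" and grantee == user
        via_role = gtype == "ROLE" and grantee in roles
        if direct or via_role:
            paths.append((gtype, grantee))
    return paths


def revoke_statements(user, privilege, engine, grants=GRANTS, membership=MEMBERSHIP):
    """One REVOKE per access path, quoted the same way as the article's examples."""
    stmts = []
    for gtype, grantee in access_paths(user, privilege, engine, grants, membership):
        target = f'"{grantee}"' if gtype == "USER" else grantee
        stmts.append(f"REVOKE {privilege} ON ENGINE {engine} FROM {gtype} {target}")
    return stmts


def also_affected(role, membership=MEMBERSHIP):
    """All members of `role`: each one loses whatever is revoked from the role."""
    return sorted(u for u, roles in membership.items() if role in roles)


if __name__ == "__main__":
    for stmt in revoke_statements("user@example.com", "USAGE", "preview"):
        print(stmt)
    print("Members of PUBLIC:", also_affected("PUBLIC"))
```

Revoking from a role changes access for every member of that role, so review the membership list before running a role-level REVOKE.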
Further Reading
See all privileges that can be granted or revoked:
https://docs.dremio.com/cloud/security/access-management/privileges/