Details on rights management

Learn about the details of all system privileges, object privileges, and system tables in Exasol.

System and object privileges

System privileges

Users

System privilege	Permissions
`ALTER USER`	Alter the password of any user This is a powerful privilege and should be granted restrictively.
`CREATE USER`	Create user
`DROP USER`	Delete user
`IMPERSONATE ANY USER`	Impersonate other users

Roles

System privilege Permissions

System privilege	Permissions
`CREATE ROLE`	Create roles
`DROP ANY ROLE`	Delete roles
`GRANT ANY ROLE`	Grant any role This is a powerful privilege and should be granted restrictively.

CREATE ROLE

Create roles

DROP ANY ROLE

Delete roles

GRANT ANY ROLE

Grant any role

This is a powerful privilege and should be granted restrictively.

Connections

System privilege	Permissions
`ACCESS ANY CONNECTION`	Access any connection details from scripts
`ALTER ANY CONNECTION`	Change connection data of a connection
`CREATE CONNECTION`	Create external connections
`DROP ANY CONNECTION`	Delete connections
`GRANT ANY CONNECTION`	Grant any connection to users/roles
`USE ANY CONNECTION`	Use any connection in statements `IMPORT` and `EXPORT`

Schema

System privilege	Permissions
`ALTER ANY SCHEMA`	Allocate a schema to another user or role
`ALTER ANY VIRTUAL SCHEMA`	Update parameters of any virtual schema
`ALTER ANY VIRTUAL SCHEMA REFRESH`	Update the metadata of any virtual schema
`CREATE SCHEMA`	Create a schema
`CREATE VIRTUAL SCHEMA`	Create of a virtual schema
`DROP ANY SCHEMA`	Delete any schema
`DROP ANY VIRTUAL SCHEMA`	Delete any virtual schema
`USE ANY SCHEMA`	See and use any schema. This privilege is granted to PUBLIC by default in a new database.

Tables

System privilege	Permissions
`ALTER ANY TABLE`	Alter a table in any schema
`CREATE ANY TABLE`	Create a table in any schema
`CREATE TABLE`	Create a table in the user’s own schema or the schema of an allocated role `DROP` is implicit because the owner of an object can always delete it.
`DELETE ANY TABLE`	Delete rows in a table in any schema
`DROP ANY TABLE`	Delete tables in any schema
`INSERT ANY TABLE`	Insert data into a table in any schema
`SELECT ANY DICTIONARY`	Access the contents of any system table
`SELECT ANY TABLE`	Access the contents of a table or view in any schema (does not include system tables)
`UPDATE ANY TABLE`	Alter rows in a table in any schema

Views

System privilege Permissions

System privilege	Permissions
`CREATE VIEW`	Create a view in the user’s own schema or in the schema of an allocated role `DROP` is implicit because the owner of an object can always delete it.
`CREATE ANY VIEW`	Create a view in any schema
`DROP ANY VIEW`	Delete views in any schema

CREATE VIEW

Create a view in the user’s own schema or in the schema of an allocated role

DROP is implicit because the owner of an object can always delete it.

CREATE ANY VIEW

Create a view in any schema

DROP ANY VIEW

Delete views in any schema

Functions

System privilege	Permissions
`CREATE FUNCTION`	Create a function in the user’s own schema or in the schema of an allocated role `DROP` is implicit because the owner of an object can always delete it.
`CREATE ANY FUNCTION`	Create a function in any schema
`DROP ANY FUNCTION`	Delete functions in any schema
`EXECUTE ANY FUNCTION`	Execute functions in any schema

Scripts

System privilege	Permissions
`CREATE SCRIPT`	Create a script in the user’s own schema or in the schema of an allocated role `DROP` is implicit because the owner of an object can always delete it.
`CREATE ANY SCRIPT`	Create a script in any schema
`DROP ANY SCRIPT`	Delete scripts in any schema
`EXECUTE ANY SCRIPT`	Execute scripts in any schema

Miscellaneous

System privilege	Permissions
`ALTER SYSTEM`	Alter system-wide settings (for example, `NLS_DATE_FORMAT`)
`CREATE SESSION`	Connect to the database
`EXPORT`	Export data from tables using the `EXPORT` command
`GRANT ANY OBJECT PRIVILEGE`	Grant or withdraw any object rights
`GRANT ANY PRIVILEGE`	Grant or withdraw any system rights This is a powerful privilege and should be granted restrictively.
`IMPORT`	Import data into tables using the `IMPORT` command
`KILL ANY SESSION`	Kill session or query
`MANAGE CONSUMER GROUPS`	Create, alter and drop consumer groups
`SET ANY CONSUMER GROUP`	Set consumer group for users or roles

Object privileges

Object privilege	Schema objects	Permissions
`ACCESS`	Connection	Access details of a connection from scripts
`ALTER`	Schema, table, virtual schema	Run the `ALTER TABLE` statement and `ALTER VIRTUAL SCHEMA` (except `CHANGE OWNER`)
`DELETE`	Schema, table	Delete rows
`EXECUTE`	Schema, function, script	Run functions or scripts
`IMPERSONATION`	User	Impersonate another user identity
`INSERT`	Schema, table	Insert rows in a table
`REFERENCES`	Table	Create foreign keys referencing this table
`REFRESH`	Virtual schema	Update the metadata of a virtual schema
`SELECT`	Schema, table, view, virtual schema, virtual table	Access the table contents
`UPDATE`	Schema, table	Change the contents of a row in a table
`USAGE`	Schema	View and use a schema

In order to allow users to use connections in an IMPORT or EXPORT statement, you must grant the connection object to the user or role using the syntax GRANT CONNECTION <CONNECTION NAME> TO <USER/ROLE>.

Required privileges for SQL statements

The following sections list all SQL statements supported in Exasol and the necessary privileges.

By default, all users get the USE ANY SCHEMA system privilege because it is granted to the PUBLIC role. For more information about USAGE, see USAGE privilege.

Users

SQL statement	Required privileges
`CREATE USER u ...`	System privilege `CREATE USER`
`ALTER USER u ...`	Your own password can always be changed. The `ALTER USER` system privilege is needed to change the passwords of other users.
`RENAME USER u ...`	System privilege `CREATE USER`
`DROP USER u;`	System privilege `DROP USER`
`IMPERSONATE u;`	System privilege `IMPERSONATE ANY USER` or object privilege `IMPERSONATION` on specific user or role

Roles

SQL statement	Required privileges
`CREATE ROLE r ...`	System privilege `CREATE ROLE`
`RENAME ROLE r ...`	System privilege `CREATE ROLE`
`DROP ROLE r;`	System privilege `DROP ROLE` or one has to receive this role with the `ADMIN OPTION`

Connections

SQL statement	Required privileges
`CREATE CONNECTION c ...`	System privilege `CREATE CONNECTION`
`ALTER CONNECTION c ...`	System privilege `ALTER ANY CONNECTION` or the connection has to be granted to you with the `ADMIN OPTION`
`RENAME CONNECTION c ...`	System privilege `ALTER ANY CONNECTION` or the connection has to be granted to you with the `ADMIN OPTION`
`DROP CONNECTION c;`	System privilege `DROP ANY CONNECTION` or the connection has to be granted to you with the `ADMIN OPTION`

Schemas

SQL statement	Required privileges
`CREATE SCHEMA s;`	System privilege `CREATE SCHEMA`
`OPEN SCHEMA s;`	System privilege `USE ANY SCHEMA`, `USAGE` on the schema, or the schema is owned by the current user or one of that user's roles. Note:The schema objects within the schema are not automatically readable!
`DROP SCHEMA s;`	System privilege `DROP ANY SCHEMA` or the schema is owned by the current user or one of that user's roles. If `CASCADE` is specified, all of the schema objects contained in the schema will also be deleted!
`ALTER SCHEMA s...`	System privilege `ALTER ANY SCHEMA`. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema, or the schema is owned by the current user or one of that user's roles.
`RENAME SCHEMA s...`	Schema s must be owned by the current user or one of that user's roles.
`CREATE VIRTUAL SCHEMA s`	System privilege `CREATE VIRTUAL SCHEMA`. AND System privilege `EXECUTE ANY SCRIPT`, object privilege `EXECUTE` on the adapter script, or the schema containing the adapter script is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing the adapter script, or the schema containing the adapter script is owned by the current user or one of that user's roles.
`DROP VIRTUAL SCHEMA s`	System privilege `DROP ANY VIRTUAL SCHEMA` or s is owned by the current user. AND The owner of the virtual schema must possess system privilege `EXECUTE ANY SCRIPT`, object privilege `EXECUTE` on the adapter script, or the schema containing the adapter script is owned by the current user or one of that user's roles. AND The owner of the virtual schema must possess system privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing the adapter script, or the schema containing the adapter script is owned by the owner or one of that user's roles.
`ALTER VIRTUAL SCHEMA s SET ...`	System privilege `ALTER ANY VIRTUAL SCHEMA`, object privilege `ALTER` on s or the schema is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on s, or s is owned by the current user or one of that user's roles. AND The owner of the virtual schema must possess system privilege `EXECUTE ANY SCRIPT`, object privilege `EXECUTE` on the adapter script, or the schema containing the adapter script is owned by the same user or role. AND The owner of the virtual schema must possess system privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing the adapter script, or the schema containing the adapter script is owned by the same user or role.
`ALTER VIRTUAL SCHEMA s REFRESH`	System privilege `ALTER ANY VIRTUAL SCHEMA`, system privilege `ALTER ANY VIRTUAL SCHEMA REFRESH`, object privilege `ALTER` on s, object privilege `REFRESH` on s, or s is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on s, or s is owned by the current user or one of that user's roles. AND The owner of the virtual schema must possess system privilege `EXECUTE ANY SCRIPT`, object privilege `EXECUTE` on the adapter script, or the schema containing the adapter script is owned by the same user or role. AND The owner of the virtual schema must possess system privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing the adapter script, or the schema containing the adapter script is owned by the same user or role.
`ALTER VIRTUAL SCHEMA s CHANGE OWNER u`	System privilege `ALTER ANY VIRTUAL SCHEMA`. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on s, or s is owned by the current user or one of that user's roles.

Tables

SQL statement	Required privileges
`CREATE TABLE t (<col_defs>)`	System privilege `CREATE TABLE` if the table is created in a schema owned by the current user or one of that user's roles. Otherwise, system privilege `CREATE ANY TABLE`. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the target schema, or the schema is owned by the current user or one of that user's roles.
`CREATE TABLE AS <subquery>`	Similar to `CREATE TABLE t (<col_defs>)`, but the user must also possess the privileges required to run the underlying query in <subquery>.
`CREATE OR REPLACE TABLE t ...`	Similar to `CREATE TABLE t (<col_defs>)`, but if the table is replaced, the user must also possess the necessary privileges to drop the table.
`ALTER TABLE t ...`	System privilege `ALTER ANY TABLE`, object privilege `ALTER` on t or the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`ALTER TABLE t1 ADD FOREIGN KEY ... REFERENCES t2 ...`	The corresponding privileges required to perform an `ALTER TABLE` statement on t1. AND Object privilege `REFERENCES` on t2 or the schema containing t2 is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t2, or the schema containing t2 is owned by the current user or one of that user's roles.
`RENAME TABLE t...`	The schema containing t is owned by the current user or one of that user's roles.
`SELECT * FROM t;`	System privilege `SELECT ANY TABLE`, object privilege `SELECT` on t or the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND If t is part of a virtual schema, the owner of the virtual schema must possess appropriate access rights on the corresponding adapter script and the indirectly used connections.
`INSERT INTO t ...`	System privilege `INSERT ANY TABLE`, object privilege `INSERT` on t or the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`UPDATE t SET ...;`	System privilege `UPDATE ANY TABLE`, object privilege `UPDATE` on t or the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`MERGE INTO t USING u ...`	Corresponding privileges required to perform an `INSERT`, `UPDATE`, and `DELETE` statement on t if the `MERGE` statement contains the corresponding clause. AND Corresponding privileges required to perform a `SELECT` statement on u.
`DELETE FROM t;`	System privilege `DELETE ANY TABLE`, object privilege `DELETE` on t or the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`TRUNCATE TABLE t;`	System privilege `DELETE ANY TABLE`, object privilege `DELETE` on t or the schema containing t, or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`DROP TABLE t;`	System privilege `DROP ANY TABLE` or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`RECOMPRESS TABLE t;`	Any system privilege which allows the user to modify t (such as `INSERT ANY TABLE` or `DELETE ANY TABLE`), any object privilege which allows user to modify t (such as `ALTER` or `UPDATE`), or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`REORGANIZE TABLE t;`	Any system privilege which allows the user to modify t (such as `INSERT ANY TABLE` or `DELETE ANY TABLE`), any object privilege which allows user to modify t (such as `ALTER` or `UPDATE`), or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.
`PRELOAD TABLE t;`	Any system privilege which allows the user to read or modify t (such as `SELECT ANY TABLE` or `DELETE ANY TABLE`), any object privilege which allows user to read or modify t (such as `SELECT` or `UPDATE`), or the schema containing t is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing t, or the schema containing t is owned by the current user or one of that user's roles.

Views

SQL statement	Required privileges
`CREATE VIEW v AS ...`	System privilege `CREATE VIEW` if the view is created in a schema owned by the current user or one of that user's roles. Otherwise, system privilege `CREATE ANY VIEW`. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing v, or the schema containing v is owned by the current user or one of that user's roles. AND The owner of the view (who is not automatically the CREATOR) must possess the privileges required to run the underlying query in v.
`CREATE OR REPLACE VIEW v ...`	Similar to `CREATE VIEW`, but if the view is replaced, the user must also possess the necessary privileges to drop the view.
`RENAME VIEW v...`	The schema containing v is owned by the current user or one of that user's roles.
`SELECT * FROM v;`	System privilege `SELECT ANY TABLE`, object privilege `SELECT` on v or the schema containing v, or the schema containing v is owned by the current user or one that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing v, or the schema containing v is owned by the current user or one that user's roles. AND The owner of v must possess the privileges required to run the underlying query in v.
`DROP VIEW v;`	System privilege `DROP ANY VIEW` or the schema containing v is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing v, or the schema containing v is owned by the current user or one of that user's roles.

Functions

SQL statement	Required privileges
`CREATE FUNCTION f ...`	System privilege `CREATE FUNCTION` if the function is created in a schema owned by the current user or one of that user's roles. Otherwise, system privilege `CREATE ANY FUNCTION`. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing f, or the schema containing f is owned by the current user or one of that user's roles.
`CREATE OR REPLACE FUNCTION f ...`	Similar to `CREATE FUNCTION`, but if the function is replaced, the user must also possess the necessary privileges to drop the function.
`RENAME FUNCTION f...`	The schema containing f is owned by the current user or one of that user's roles.
`SELECT f(...) FROM ...;`	System privilege `EXECUTE ANY FUNCTION`, object privilege `EXECUTE` on f or the schema containing f, or the schema containing f is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing f, or the schema containing f is owned by the current user or one of that user's roles.
`DROP FUNCTION f;`	System privilege `DROP ANY FUNCTION` or the schema containing f is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing f, or the schema containing f is owned by the current user or one of that user's roles.

Scripts

SQL statement	Required privileges
`CREATE SCRIPT s ...`	System privilege `CREATE SCRIPT` if the script is created in a schema owned by the current user or one of that user's roles. Otherwise, system privilege `CREATE ANY SCRIPT`. System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing s, or the schema containing s is owned by the current user or one of that user's roles.
`CREATE OR REPLACE SCRIPT s ...`	Similar to `CREATE SCRIPT` but if the script is replaced, the user must also possess the necessary privileges to drop the script.
`RENAME SCRIPT s...`	The schema containing s is owned by the current user or one of that user's roles.
`EXECUTE SCRIPT s;`	System privilege `EXECUTE ANY SCRIPT`, object privilege `EXECUTE` on s or the schema containing s, or the schema containing s is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing s, or the schema containing s is owned by the current user or one of that user's roles.
`DROP SCRIPT s;`	System privilege `DROP ANY SCRIPT` or the schema containing s is owned by the current user or one of that user's roles. AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing s, or the schema containing s is owned by the current user or one of that user's roles.

Consumer Groups

SQL statement	Required privileges
`CREATE CONSUMER GROUP c ...`	System privilege `MANAGE CONSUMER GROUPS`
`ALTER CONSUMER GROUP c ...`	System privilege `MANAGE CONSUMER GROUPS`
`RENAME CONSUMER GROUP c ...`	System privilege `MANAGE CONSUMER GROUPS`
`DROP CONSUMER GROUP c;`	System privilege `MANAGE CONSUMER GROUPS`
`ALTER USER u SET CONSUMER_GROUP ...`	System privilege `SET ANY CONSUMER GROUP`
`ALTER ROLE r SET CONSUMER_GROUP ...`	System privilege `SET ANY CONSUMER GROUP`

Grant

SQL statement	Required privileges
`GRANT <system_privilege> TO <user>`	System privilege `GRANT ANY PRIVILEGE`, OR the current user has been granted `<system_privilege>` with `WITH ADMIN OPTION`.
`GRANT <object_privilege> ON <object> TO <user>`	System privilege `GRANT ANY OBJECT PRIVILEGE`, OR `<object>` is owned by the current user or one of their roles. AND System privilege `USE ANY SCHEMA`, OR object privilege `USAGE` on the schema containing object, OR the schema containing `<object>` is owned by the current user or one of their roles. If `<object>` is a view and the current user does not have the system privilege `GRANT ANY OBJECT PRIVILEGE`, the owner of the view must be able to grant `SELECT` on all objects referenced in the view.
`GRANT <role> TO <user>`	System privilege `GRANT ANY ROLE`, OR the current user has received `<role>` with `WITH ADMIN OPTION`.
`GRANT IMPERSONATION ON <user> TO <role>`	The current user must have the `DBA` role.
`GRANT CONNECTION <connection> TO <user>`	System privilege `GRANT ANY CONNECTION`, OR `<connection>` was granted to the current user or one of their roles with `WITH ADMIN OPTION`.
`GRANT ACCESS ON CONNECTION <connection> TO <user>`	System privilege `GRANT ANY CONNECTION`, OR `<connection>` was granted to the current user or one of their roles with `WITH ADMIN OPTION`.

Revoke

SQL statement	Required privileges
`REVOKE <sys_priv> FROM u`	System privilege `GRANT ANY PRIVILEGE` or the user must have received this system privilege with the `WITH ADMIN OPTION`.
`REVOKE <obj_priv> ON o FROM u`	System privilege `GRANT ANY OBJECT PRIVILEGE` or the user has the corresponding privileges to grant the object privilege being revoked AND System privilege `USE ANY SCHEMA`, object privilege `USAGE` on the schema containing o, or the schema containing o is owned by the current user or one of that user's roles.
`REVOKE r FROM u`	System privilege `GRANT ANY ROLE` or the user must have received the role to be revoked with the `WITH ADMIN OPTION`.
`REVOKE CONNECTION c TO u`	System privilege `GRANT ANY CONNECTION` or the user must have received this connection with the `WITH ADMIN OPTION`.

Import

SQL statement	Required privileges
`IMPORT INTO (<col_defs>) FROM <file/dbms> ...`	System privilege `IMPORT` AND If an error table is used, the corresponding privileges required to perform an `INSERT` into the error table AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote source to read the data
`IMPORT INTO (<col_defs>) FROM <script> ...`	System privilege `IMPORT` AND The corresponding privileges required to run the SQL statement returned by the script AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote source to read the data
`IMPORT INTO t FROM <file/dbms> ...`	System privilege `IMPORT` AND The corresponding privileges to perform an `INSERT` into t AND If an error table is used, the corresponding privileges required to perform an `INSERT` into the error table AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote source to read the data
`IMPORT INTO t FROM <script> ...`	System privilege `IMPORT` AND The corresponding privileges to perform an `INSERT` into t AND The corresponding privileges required to run the SQL statement returned by the script AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote source to read the data

Export

`EXPORT (<subquery>) INTO <file/dbms> ...`	System privilege `EXPORT` AND The corresponding privileges to execute the statement in the subquery AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote target to write the data
`EXPORT (<subquery>) INTO <script> ...`	System privilege `EXPORT` AND The corresponding privileges to execute the statement in the subquery AND The corresponding privileges required to run the SQL statement returned by the script AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote target to write the data
`EXPORT t INTO <file/dbms> ...`	System privilege `EXPORT` AND The corresponding privileges to `SELECT` t AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote target to write the data
`EXPORT t INTO <script> ...`	System privilege `EXPORT` AND The corresponding privileges to `SELECT` t AND The corresponding privileges required to run the SQL statement returned by the script AND If a connection is used, system privilege `USE ANY CONNECTION`, or the connection has been granted to the current user or one of that user's roles. AND Any required privileges on the remote target to write the data

Miscellaneous

SQL statement	Required privileges
`ALTER SESSION ...`	No privileges are needed for this statement.
`KILL SESSION ...`	System privilege `KILL ANY SESSION` if it's not your own session.
`ALTER SYSTEM ...`	System privilege `ALTER SYSTEM`.
`DESC[RIBE] o`	Schema objects can be described with the `DESCRIBE` statement if the user or one of the user's roles is the owner of or has access to that object (via object or system privileges).

System tables for rights management

Category	System table	Description
Users	`EXA_DBA_USERS`	All users of the database
	`EXA_ALL_USERS`	All users of the database, restricted information
	`EXA_USER_USERS`	Current user
Roles	`EXA_DBA_ROLES` and `EXA_ALL_ROLES`	All roles of the database
	`EXA_DBA_ROLE_PRIVS`	Granted roles
	`EXA_USER_ROLE_PRIVS`	Roles directly granted to the current user
	`EXA_ROLE_ROLE_PRIVS`	Roles possessed by the current user indirectly through other roles
	`EXA_SESSION_ROLES`	Roles possessed by the current user
Connections	`EXA_DBA_CONNECTIONS`	All connections of the database
	`EXA_ALL_CONNECTIONS`	All connections of the database, restricted information
	`EXA_DBA_CONNECTION_PRIVS`	Granted connections
	`EXA_USER_CONNECTION_PRIVS`	Connections directly granted to the current user
	`EXA_ROLE_CONNECTION_PRIVS`	Connections possessed by the current user indirectly via other roles
	`EXA_SESSION_CONNECTIONS`	Connection to which the current user has access
System privileges	`EXA_DBA_SYS_PRIVS`	Granted system privileges
	`EXA_USER_SYS_PRIVS`	System privileges directly granted to the current user
	`EXA_ROLE_SYS_PRIVS`	System privileges granted to the roles of the current user
	`EXA_SESSION_PRIVS`	System privileges currently available to the user
Object privileges	`EXA_DBA_OBJ_PRIVS` and `EXA_DBA_RESTRICTED_OBJ_PRIVS`	Object privileges granted to objects on the database
	`EXA_ALL_OBJ_PRIVS`	Similar to `EXA_DBA_OBJ_PRIVS`, but only for accessible objects of the database
	`EXA_USER_OBJ_PRIVS` and `EXA_USER_RESTRICTED_OBJ_PRIVS`	Object privileges on the objects to which the current user has access apart from through the `PUBLIC` role
	`EXA_ROLE_OBJ_PRIVS` and `EXA_ROLE_RESTRICTED_OBJ_PRIVS`	Object privileges that have been granted to the roles of the user
	`EXA_ALL_OBJ_PRIVS_MADE`	Object privileges self-granted by the current user or those concerning that user's objects
	`EXA_USER_OBJ_PRIVS_MADE`	Object privileges that relate to objects of the current user
	`EXA_ALL_OBJ_PRIVS_RECD`	Object privileges that have been directly granted to the current user or via PUBLIC
	`EXA_USER_OBJ_PRIVS_RECD`	Object privileges that have been directly granted to the current user
	`EXA_DBA_IMPERSONATION_PRIVS`	All impersonation privileges
	`EXA_USER_IMPERSONATION_PRIVS`	Impersonation privileges of the current user

Object accessibility

The following system tables show information about objects to which the user has access:

The following tables show the object and system privileges that allow a user to access a schema.

If a user is owner of a schema then the user has access to it.

For all objects, the USE ANY SCHEMA system privilege or USAGE object privilege is required on the schema of the object in addition to the other privileges.

System privileges

Object	System privileges that provide access through `EXA_ALL_*`
Table	`ALTER ANY TABLE` `DELETE ANY TABLE` `DROP ANY TABLE` `INSERT ANY TABLE` `SELECT ANY TABLE` `UPDATE ANY TABLE`
Script	`DROP ANY SCRIPT` `EXECUTE ANY SCRIPT`
View	`DROP ANY VIEW` `SELECT ANY TABLE`
Function	`DROP ANY FUNCTION` `EXECUTE ANY FUNCTION`
Schema	`USE ANY SCHEMA`
Virtual schema	`USE ANY SCHEMA`

Object privileges

Object	Object privileges that provide access through `EXA_ALL_*`
Table	`ALTER` `DELETE` `INSERT` `REFERENCES` `SELECT` `UPDATE`
Script	`EXECUTE`
View	`SELECT`
Function	`EXECUTE`
Schema	`USAGE`
Virtual schema	`USAGE`

Details on rights management

System and object privileges

System privileges

Users

Roles

Connections

Schema

Tables

Views

Functions

Scripts

Miscellaneous

Object privileges

Required privileges for SQL statements

Users

Roles

Connections

Schemas

Tables

Views

Functions

Scripts

Consumer Groups

Grant

Revoke

Import

Export

Miscellaneous

System tables for rights management

Object accessibility

System privileges

Object privileges

PRODUCT

RESOURCES