Skip to content
Products
/
/
/
Database Access Control M...
Last updated

Database Access Control Matrix

This section describes access at the most basic level.

Read more about Getting Your API Keys.

Database Access features are only visible by accounts without Policy-based Database Permissions. Contact your Customer Success Representative for more information.

Actions You Can Perform using the Master Key

The following table lists actions that can be performed through the TD Console or the REST APIs. Some actions might not be available at the REST API level and some other actions (for example, Data Import) are not available within TD Console.

ActionOwnerAdminFull AccessQuery onlyImport only
Add UserOKOK
Manage UserOKOK (1)
Delete UserOKOK (1)
List DatabasesOKOKOKOKOK
Create DatabaseOKOKn/a (2)n/a (2)n/a (2)
Manage DatabaseOKOKOK (2)OK (2)OK (2)
Delete DatabaseOKOKOK (2)OK (2)OK (2)
Show TableOKOKOKOKOK
List TablesOKOKOKOK
Create TableOKOKOKOK
Delete TableOKOKOK
Data Import (td-agent)OKOKOKOK
Data Import (Result Output to TD)OKOKOKOK
Data Import (Bulk Import)OKOKOKOK
Data Import (embulk-output-td)OKOKOK
Data Import (Data Connector)OKOKOKOK
Data Import (FileUploader v2)OKOKOKOK
Data Import (Insert Into)OKOKOK(3)
Delete DataOKOKOK
Issue QueryOKOKOKOK
Kill Own QueryOKOKOKOK
Kill Query from OthersOKOKOK(4)
Export TableOKOKOKOK

Notes:

  1. ‘Administrator’ users can only ‘Manage User’ and ‘Delete User’ for ‘Restricted’ users but are not allowed to manage and delete other Administrators user or the account ‘Owner’.
    The ‘Manage User’ permission includes granting or revoking the ‘Administrator’ role – therefore an ‘Administrator’ user can promote a user to ‘Administrator’ but cannot demote a user from ‘Administrator’ to ‘Restricted’ user.

  2. Any user (including Restricted ones) can create a new database and they will ‘own’ and have all permissions for it. ‘Full Access’, ‘Query-only’, and ‘Import-only’ actions for ‘Create Database’ don’t apply in that case. ‘Restricted’ users can only ‘Delete’ and ‘Manage’ databases they created (and therefore own). ‘Administrators’ and ‘Owner’ can always manage databases.

  3. While the end-goal of INSERT INTO is to write the result back into a table, it requires special permissions. The executing user must possess read (‘Query-only’, ‘Full Access’, ‘Admin’, or ‘Owner’) permissions for all the databases accessed by the query as well as read and write permission (‘Full Access’, ‘Admin’, or ‘Owner’) to the database the result is inserted into the query will fail otherwise.

  4. Restricted users with ‘Query-only permission can see all the jobs running on the database they have 'Query-only’ permissions for but will not be able to kill a job unless it’s their own.

Actions You Can Perform using the Write-only Key

ActionOwnerAdminFull AccessQuery onlyImport only
Add User
Manage User
Delete User
List Databases
Create DatabaseOKOKn/a (1)n/a (1)n/a (1)
Manage Database
Delete Database
List Tables
Create TableOKOKOKOK
Delete Table
Data Import (td-agent)OKOKOKOK
Data Import (Result Output to TD)OKOKOKOK
Data Import (Bulk Import)(2)(2)(2)(2)
Data Import (embulk-output-td)(2)(2)(2)
Data Import (Data Connector)(2)(2)(2)(2)
Data Import (Insert Into)(3)(3)(3)(3)(3)
Issue Query
Kill Own Query
Kill Query from Others
Export Table

Notes:

  1. Any user (including Restricted ones) can NOT create a new database and they will ‘own’ and have all permissions for it. ‘Full Access’, ‘Query-only’, and ‘Import-only’ permissions for ‘Create Database’ don’t apply in that case. ‘Restricted’ users can only ‘Delete’ and ‘Manage’ databases they created (and therefore own). ‘Administrators’ and ‘Owner’ can always manage databases.

  2. Bulk Import require the ability to check the status of a job, and this is not possible using a Write-only key.

  3. INSERT INTO requires the ability to execute a query, which is not allowed using a Write-only key.

Previous page
Next page