Setting Policy Based Database Permissions Using the API
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude
Connect to Cursor
Install MCP server on Cursor
Connect to VS Code
Install MCP server on VS Code

You can set up database permissions using the API, enabling you to grant individual users access to specific databases.

For each account, you can set user access to databases using the following permissions:

Permission	Description
Manage	The user has all available permissions, including owner_manage, download, edit, query, and import, and, can perform any operation on databases in the account. (Indicated under the Full Access category in TD Console)
Download	The User has permission to download specified databases. (Indicated under the Limited Access category only in TD Console)
Owner_Manage	The user can manage their own databases. (Indicated as Manage Own Database under the Limited Access category in TD Console)
Import	The user can run import jobs against any database in the account. (Indicated as Import Only in TD Console)
Query	The user can view and run queries against any database in the account. (Indicated as Query Only in TD Console)
Edit	The user has edit permissions on specified accounts. (Indicated as General Access in TD Console)

Learn more about policy-based database permissions

Setting Manage Databases Permission

You can give a user full database access by using the permission: ~~manage~~ —granting the user all available permissions, including owner_manage, download, edit, query, and import, in addition to performing any operation on databases in the account.

$ curl --location --request PATCH \
'https://api.treasuredata.com/v3/access_control/policies/<policy_id>/permissions' \
--header 'Authorization: TD1 <api_key>' \
--header 'Content-Type: application/json' \
--data-raw '{"Databases": [{"operation": "manage"}]}'

Setting Download Database Permission

Set a user's database access to download—granting them permission to download specified databases.

$ curl 'https://{{host}}/v3/access_control/policies/{{policy_id}}/permissions' \
-X 'PATCH' \
--data-raw '{"Databases":[{"operation":”download"}]}'

Setting Owner_Manage Database Permission

Set a user's database access to owner_manager—granting them permission to manage their own databases.

curl 'https://{{host}}/v3/access_control/policies/{{policy_id}}/permissions' \
-X 'PATCH' \
--data-raw '{"Databases":[{"operation":”owner_manage"}]}'

Setting Import Database Permission

Set a user's database access to import—granting permission to run data import jobs against databases in the account.

curl --location --request PATCH 'https://api.treasuredata.com/v3/access_control/policies/<policy_id>/permissions' \
--header 'Authorization: TD1 <api_key>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Databases": [
        {"operation": "import", "ids": <db_id>}
    ]
}
'

Setting Query Database Permission

Set a user's database access to query—granting permission to view and run queries against specific databases in the account.

curl --location --request PATCH 'https://api.treasuredata.com/v3/access_control/policies/<policy_id>/permissions' \
--header 'Authorization: TD1 <api_key>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Databases": [
        {"operation": "query", "ids": <db_id>}
    ]
}
'

Setting Edit Database Permission

Set a user's database permission to edit—granting them permission to edit databases in the account.

curl --location --request PATCH 'https://api.treasuredata.com/v3/access_control/policies/<policy_id>/permissions' \
--header 'Authorization: TD1 <api_key>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Databases": [
        {"operation": "edit", "ids": <db_id>}
    ]
}'

Updating a Database Policy Using the API

You can update a database policy by making the following calls.

Get the policy you want to update using the policy ID. For instance, you can view the current permission for a policy: manage , edit to database(10), query to database(1,2,3), import to database(5,4).

curl --location --request GET 'https://api.treasuredata.com/v3/access_control/policies/<policy_id>/permissions' \
--header 'Authorization: TD1 <api_key>'

 {
  "Databases": [
    {"operation":"manage"},
		{"operation": "edit", "ids": "10"},
    {"operation": "query", "ids": "1,2,3"},
    {"operation": "import", "ids": "5,4"}
  ]
}

You can use PATCH to update the permissions to something like manage , query to database(1,3), import to database(2,5,6).

curl --location --request PATCH 'https://api.treasuredata.com/v3/access_control/policies/<policy_id>/permissions' \
--header 'Authorization: TD1 <api_key>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Databases": [
         {"operation": "manage"},
         {"operation": "query", "ids": "1,3"},
         {"operation": "import", "ids": "2,5,6"}
    ]
}'