Grants a single privilege on a table to a user or role.
## Syntax

```sql
GRANT <privilege> ON TABLE <zone.schema.table> TO {USER | ROLE} <grantee>
```
## Overview

GRANT ON TABLE grants a single privilege on a table to a user or role. Table-level grants are the finest-grained surface; column-level grants are not supported in this command.

## Behavior

- The grantee must additionally have USAGE on the schema (and on the zone) to actually reach the table; the table grant alone is not sufficient.
- The grant is idempotent.
- Dropping the table removes all grants on the table.
- The Control Plane maps SQL privileges onto a coarser permission level for the data plane: SELECT is read; INSERT/UPDATE/DELETE/TRUNCATE are write; ownership-style privileges are admin.

## Access Control

Requires the `ManageGrants` privilege on the table (or higher).

## Compatibility

DeltaForge extension.
## Parameters

| Name | Type | Description |
|---|---|---|
| privilege | | Specifies the privilege to grant. Valid privileges for a table include `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `TRUNCATE`, and `REFERENCES`. |
| table | | Specifies the fully qualified table name (`<zone>.<schema>.<table>`). |
| grantee_type | | Specifies the grantee kind: `USER` or `ROLE`. |
| grantee | | Specifies the user or role name. |
## Examples

```sql
-- Read access
GRANT SELECT ON TABLE gold.analytics.customers TO ROLE analyst;

-- Write access for a pipeline service principal
GRANT INSERT ON TABLE silver.staging.orders TO ROLE pipeline_runner;

-- Bulk-load access (TRUNCATE for idempotent reload)
GRANT TRUNCATE ON TABLE silver.staging.orders TO ROLE pipeline_runner;
```
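The following Python sketch is an added example, not DeltaForge code: it reviews a grant script against the two Behavior rules above, reporting the data-plane level each grantee ends up with on each table and whether the table is reachable at all. The `usage` set is an assumed stand-in for a catalog lookup (direct USAGE grants only), and `parse_grant` and `audit` are hypothetical helper names.

```python
import re

# Data-plane level per SQL privilege, as listed under Behavior. REFERENCES is
# a valid table privilege, but the page states no level for it.
LEVEL = {"SELECT": "read", "INSERT": "write", "UPDATE": "write",
         "DELETE": "write", "TRUNCATE": "write", "REFERENCES": None}
RANK = {None: 0, "read": 1, "write": 2}
GRANT_RE = re.compile(
    r"GRANT\s+(\w+)\s+ON\s+TABLE\s+(\w+)\.(\w+)\.(\w+)\s+"
    r"TO\s+(USER|ROLE)\s+(\w+)\s*;?", re.IGNORECASE)

def parse_grant(stmt):
    """Parse one statement into (privilege, (zone, schema, table), (kind, name))."""
    m = GRANT_RE.fullmatch(stmt.strip())
    if m is None:
        raise ValueError(f"not a single-privilege table grant: {stmt!r}")
    priv, zone, schema, table, kind, name = m.groups()
    if priv.upper() not in LEVEL:
        raise ValueError(f"{priv} is not a valid table privilege")
    return priv.upper(), (zone, schema, table), (kind.upper(), name)

def audit(script, usage):
    """Map (grantee, table) to level and reachability. usage: assumed catalog
    snapshot of (grantee, "zone") / (grantee, "zone.schema") USAGE holders."""
    report = {}
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("--"):  # skip blanks and SQL comments
            continue
        priv, (zone, schema, table), grantee = parse_grant(line)
        entry = report.setdefault((grantee, f"{zone}.{schema}.{table}"), {
            "level": None,
            # The table grant alone is not sufficient: both USAGE grants count.
            "reachable": (grantee, zone) in usage
                         and (grantee, f"{zone}.{schema}") in usage})
        if RANK[LEVEL[priv]] > RANK[entry["level"]]:
            entry["level"] = LEVEL[priv]
    return report

# Constructed input: the page's example grants plus an assumed USAGE state.
SCRIPT = """
-- Read access
GRANT SELECT ON TABLE gold.analytics.customers TO ROLE analyst;
GRANT INSERT ON TABLE silver.staging.orders TO ROLE pipeline_runner;
GRANT TRUNCATE ON TABLE silver.staging.orders TO ROLE pipeline_runner;
"""
PIPE, ANALYST = ("ROLE", "pipeline_runner"), ("ROLE", "analyst")
USAGE = {(PIPE, "silver"), (PIPE, "silver.staging"),
         (ANALYST, "gold")}  # analyst lacks USAGE on gold.analytics
```

With this input, `audit(SCRIPT, USAGE)` reports `pipeline_runner` at the `write` level on `silver.staging.orders`, and `analyst` at `read` on `gold.analytics.customers` but not reachable, because the schema-level USAGE is missing.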