Predefined Roles for Workspace Groups in an Organization

Workspace Group Roles

Columns: Role, Description, Permissions

Owner

Description:

  • Owners are granted full access to the workspace group, including the ability to create and terminate workspaces or terminate the workspace group.

  • Users granted the Owner role in the organization inherit the Owner role on all workspace groups in the organization.

Permissions:

  • ACTIVATE SMARTDR

  • CONFIGURE ALERTS

  • CONFIGURE SMARTDR

  • CONTROL ACCESS

  • CREATE DATABASE

  • CREATE WORKSPACE

  • DROP DATABASE

  • LOAD DATA

  • MONITOR

  • OPERATE

  • TERMINATE

  • USE

  • VIEW

  • VIEW SMARTDR

Operator

Description:

  • Operators are granted access to administrative actions for the workspace group including scale, suspend, resume, backup, recover, and configure network policies, passwords, update windows or certificates.

  • Operators have some ability to access and modify data in workspace groups including creating or dropping databases.

  • Users granted the Operator role in the organization inherit the Operator role on all workspace groups in the organization.

Permissions:

  • ACTIVATE SMARTDR

  • CONFIGURE ALERTS

  • CONFIGURE SMARTDR

  • MONITOR

  • OPERATE

  • USE

  • VIEW

  • VIEW SMARTDR

Observer

Description:

  • Observers are granted the ability to view the monitoring details of the workspace group and inspect its configuration without granting access to the data.

  • Users granted the Observer role in the organization inherit the Observer role on all workspace groups in the organization.

Permissions:

  • MONITOR

  • VIEW

  • VIEW SMARTDR

Writer

Description:

  • Writers are granted full access to data in the workspace group, including the ability to create and drop databases.

  • Users granted the Writer role in the organization inherit the Writer role on all workspace groups in the organization.

Permissions:

  • CONFIGURE SMARTDR

  • CREATE DATABASE

  • DROP DATABASE

  • LOAD DATA

  • MONITOR

  • USE

  • VIEW

  • VIEW SMARTDR

Reader

Description:

  • Readers are granted read access to all databases in the workspace group.

  • Users granted the Reader role in the organization inherit the Reader role on all workspace groups in the organization.

Permissions:

  • MONITOR

  • USE

  • VIEW

  • VIEW SMARTDR

Limited Access

Description:

  • The Limited Access role grants no specific access beyond the ability to see the workspace group and its member workspaces.

  • Users with the Limited Access role are synchronized to the workspace group, where they may be granted access to specific databases or tables using database RBAC commands.

Permissions:

  • VIEW

All Roles

  • Any user granted any role on a workspace group will be synchronized to that workspace group and added to a group granted a role with appropriate permissions. See the User Synchronization section below for more details.
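The following is an added example, not part of the SingleStore documentation: it picks the least-privileged predefined role that covers a set of required workspace-group permissions and reports what else that role grants. It works only from the Permissions column as listed above; the role descriptions and the engine-level grants in the synchronization table are not considered, and the function names are hypothetical.

```python
# Permissions column of the Workspace Group Roles table, transcribed as listed.
ROLE_PERMISSIONS = {
    "Owner": {
        "ACTIVATE SMARTDR", "CONFIGURE ALERTS", "CONFIGURE SMARTDR",
        "CONTROL ACCESS", "CREATE DATABASE", "CREATE WORKSPACE",
        "DROP DATABASE", "LOAD DATA", "MONITOR", "OPERATE", "TERMINATE",
        "USE", "VIEW", "VIEW SMARTDR",
    },
    "Operator": {
        "ACTIVATE SMARTDR", "CONFIGURE ALERTS", "CONFIGURE SMARTDR",
        "MONITOR", "OPERATE", "USE", "VIEW", "VIEW SMARTDR",
    },
    "Observer": {"MONITOR", "VIEW", "VIEW SMARTDR"},
    "Writer": {
        "CONFIGURE SMARTDR", "CREATE DATABASE", "DROP DATABASE", "LOAD DATA",
        "MONITOR", "USE", "VIEW", "VIEW SMARTDR",
    },
    "Reader": {"MONITOR", "USE", "VIEW", "VIEW SMARTDR"},
    "Limited Access": {"VIEW"},
}


def least_privileged_roles(required):
    """Roles that cover `required` and are not a strict superset of
    another covering role (hypothetical helper, not a SingleStore API)."""
    required = set(required)
    unknown = required - set().union(*ROLE_PERMISSIONS.values())
    if unknown:
        raise ValueError(f"not in the table: {sorted(unknown)}")
    covering = {r: p for r, p in ROLE_PERMISSIONS.items() if required <= p}
    return sorted(r for r, p in covering.items()
                  if not any(q < p for q in covering.values()))


def surplus(role, required):
    """Permissions the role grants beyond what was asked for."""
    return sorted(ROLE_PERMISSIONS[role] - set(required))


if __name__ == "__main__":
    need = {"LOAD DATA", "USE"}  # constructed sample requirement
    for role in least_privileged_roles(need):
        print(role, "grants in addition:", surplus(role, need))
```

When two roles are returned, neither is a subset of the other, so the surplus lists show which extra permissions each choice would hand out.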

Synchronization Between Cloud Roles and Database Engine Roles

When a user is added to a workspace group, that user is automatically assigned to the corresponding engine user group and role as per the following table. Refer to Cloud User and Role Synchronization with the Database Engine for a detailed explanation.

Columns: Cloud Role, Engine User Group, Engine Role, Engine Permissions

Owner

Engine User Group: CloudOwners

Engine Role: CloudOwner

Engine Permissions:

  • ALTER

  • ALTER EVENT TRACE

  • ALTER EXTENSION

  • ALTER PIPELINE

  • ALTER ROUTINE

  • ALTER USER

  • ALTER VIEW

  • BACKUP

  • CLUSTER

  • CONNECTION_ADMIN

  • CREATE

  • CREATE DATABASE

  • CREATE EXTENSION

  • CREATE EXTERNAL CATALOG

  • CREATE LINK

  • CREATE PIPELINE

  • CREATE POOL

  • CREATE ROUTINE

  • CREATE TEMPORARY TABLES

  • CREATE USER

  • CREATE VIEW

  • DELETE

  • DROP

  • DROP DATABASE

  • DROP EXTENSION

  • DROP EXTERNAL CATALOG

  • DROP LINK

  • DROP PIPELINE

  • DROP POOL

  • DROP VIEW

  • EXECUTE

  • GRANT OPTION

  • INDEX

  • INSERT

  • LOCK TABLES

  • OUTBOUND

  • PROCESS

  • RELOAD

  • SELECT

  • SHOW EXTENSION

  • SHOW EXTERNAL CATALOG

  • SHOW LINK

  • SHOW METADATA

  • SHOW PIPELINE

  • SHOW ROUTINE

  • SHOW VIEW

  • START PIPELINE

  • SYSTEM_VARIABLES_ADMIN

  • UPDATE

Operator

Engine User Group: CloudOperators

Engine Role: CloudOperator

Engine Permissions:

  • ALTER EXTENSION

  • ALTER ROUTINE

  • BACKUP

  • CONNECTION_ADMIN

  • CREATE

  • CREATE DATABASE

  • CREATE EXTENSION

  • CREATE EXTERNAL CATALOG

  • CREATE POOL

  • CREATE ROUTINE

  • CREATE TEMPORARY TABLES

  • DROP

  • DROP DATABASE

  • DROP EXTENSION

  • DROP EXTERNAL CATALOG

  • DROP POOL

  • INDEX

  • OUTBOUND

  • PROCESS

  • RELOAD

  • SELECT

  • SHOW EXTENSION

  • SHOW EXTERNAL CATALOG

  • SHOW METADATA

  • SHOW PIPELINE

  • SHOW ROUTINE

  • START PIPELINE

  • SYSTEM_VARIABLES_ADMIN

Writer

Engine User Group: CloudWriters

Engine Role: CloudWriter

Engine Permissions:

  • ALTER

  • ALTER PIPELINE

  • ALTER ROUTINE

  • ALTER VIEW

  • CREATE

  • CREATE DATABASE

  • CREATE EXTENSION

  • CREATE EXTERNAL CATALOG

  • CREATE LINK

  • CREATE PIPELINE

  • CREATE ROUTINE

  • CREATE TEMPORARY TABLES

  • CREATE VIEW

  • DELETE

  • DROP

  • DROP DATABASE

  • DROP EXTENSION

  • DROP EXTERNAL CATALOG

  • DROP LINK

  • DROP PIPELINE

  • DROP VIEW

  • INDEX

  • INSERT

  • LOCK TABLES

  • EXECUTE

  • SELECT

  • SHOW EXTENSION

  • SHOW EXTERNAL CATALOG

  • SHOW LINK

  • SHOW METADATA

  • SHOW PIPELINE

  • SHOW ROUTINE

  • SHOW VIEW

  • START PIPELINE

  • UPDATE

Reader

Engine User Group: CloudReaders

Engine Role: CloudReader

Engine Permissions:

  • SELECT

  • SHOW LINK

  • SHOW EXTENSION

  • SHOW EXTERNAL CATALOG

  • SHOW METADATA

  • SHOW ROUTINE

  • SHOW VIEW

Database User Administrator

Engine User Group: DatabaseUserAdministrators

Engine Role: DatabaseUserAdministrator

Engine Permissions:

  • ALTER USER

  • CREATE USER

Observer

Engine User Group: CloudObservers

Engine Role: None

Engine Permissions: None

Limited Access

Engine User Group: CloudLimitedAccessUsers

Engine Role: None

Engine Permissions: None

All Roles

Engine User Group: CloudUsers

Engine Role: None

Engine Permissions: None

Last modified: December 17, 2025


