diff --git a/website/docs/reference/resource-configs/grants.md b/website/docs/reference/resource-configs/grants.md index 5b5bb819426..4b9fe8a1794 100644 --- a/website/docs/reference/resource-configs/grants.md +++ b/website/docs/reference/resource-configs/grants.md @@ -249,7 +249,39 @@ models:
-* Granting to / revoking from is only fully supported for Redshift users (not groups or roles). +For Redshift, you need to distinguish between users, roles, and groups. It is important to explicitly grant roles and groups access to your models. You can revoke access as well. + +**For users:** +When granting access to individual users, use the `+grants` syntax in your configuration to add or modify permissions for these users without replacing existing configurations. In the following example, you only need to list the users: + +```yaml +models: + my_schema: + schema: my_schema + description: "My schema" + +grants: + select: ["gspider"] # example of user access +``` + +**For roles and groups:** +Inheritance of grants are not supported for groups and roles in Redshift. Accordingly, for every model, you need to provide the complete list of roles or groups that require access each time you make a change to a model. + +Additionally, you must prefix each role or group with 'role' or 'group': + +```yaml +models: + my_schema: + schema: my_schema + description: "Schema for reporting" + grants: + select: ["role my_role", "group my_group"] +``` + +Some things to note: + +- Ensure that any roles or groups mentioned must already exist in Redshift. +- The merge strategy of grants (via the `+` prefix in front of `+grants`) is not supported for roles and groups. +- Always use the appropriate prefix (role or group) when specifying roles and groups in the grants configuration.
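Review bot: The "For roles and groups" paragraph tells readers to supply the complete list of roles or groups on every change, but it never says what happens to a role or group that is left out of the list, and the opening sentence "You can revoke access as well" is not explained anywhere in the hunk. Since this is an access-control setting, state the consequence explicitly (for example, whether an omitted entry loses `select` on the next run) so a reader does not drop access for a group by accident or assume a revoke happened when it did not. In the notes list, the second bullet's "via the `+` prefix in front of `+grants`" is circular; "the `+` prefix on `grants`" reads more clearly, and it would help to say next to the users example that its `+grants:` key is exactly the form the roles example must avoid. Smaller wording points: "Inheritance of grants are not supported" should be "is not supported"; "Ensure that any roles or groups mentioned must already exist" can drop "must"; the quoted 'role' and 'group' prefixes should be in code formatting like the rest of the page; and the last bullet repeats the sentence that introduces the second YAML example, so one of the two can go.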