
E-MapReduce: Manage Users and Permissions

Last Updated: Jun 21, 2026

Use the user management and role management features in the Security Center to set fine-grained permissions on resources, ensuring that only authorized users can access or manage them.

Prerequisites

You have created an instance. For more information, see Create an instance.

Roles and users

Roles

EMR Serverless StarRocks provides the following built-in roles:

| Role name | Description |
| --- | --- |
| db_admin | Manages database objects, such as creating and modifying them. |
| public | A global role that is automatically granted to all users. Provides basic permissions to access public system resources. |
| user_admin | Manages user accounts, including creating users and granting permissions. |

Users

EMR Serverless StarRocks provides the following user types.

| User type | Description |
| --- | --- |
| Super administrator | A user is considered a super administrator if they have the user_admin role, or both the user_admin and db_admin roles. The system provides a default super administrator account named admin. |
| Regular user | A regular user has only the default public role or is also assigned the db_admin role. |

User management

Create a user

  1. Go to the StarRocks Manager page.

    1. Log on to the E-MapReduce console.

    2. In the left navigation pane, choose EMR Serverless > StarRocks.

    3. In the top menu bar, select a region as needed.

    4. Click StarRocks Manager, or click Connect in the Actions column of the created instance.

      For more information on connecting to a StarRocks instance, see Connect to a StarRocks instance by using EMR StarRocks Manager.

  2. In the left navigation pane, choose Security > Users.

  3. On the Users page, click Add User.

  4. In the dialog box, configure the following parameters and click OK.

    Parameter

    Description

    User Source

    The authentication method. The following options are available:

    • Custom: Creates a user using StarRocks's built-in user management.

    • RAM User: Uses an existing RAM user for authentication. This applies to scenarios where you integrate with DLF.

      Note
      • Supported versions: StarRocks v3.2 and later.

      • Not applicable to: DLF 1.0 (Legacy).

    Username

    • Custom: Enter a username. It must be 2 to 64 characters long and can contain only letters, digits, hyphens (-), and underscores (_).

    • RAM User: Enter the name of an existing RAM user. If you have not created a RAM user, see Create a RAM user.

    Password and Confirm Password

    Enter a password. It must be 8 to 30 characters long and include uppercase and lowercase letters, digits, and special characters (for example, @, #, $, %, ^, *, _, +, -).

    Role

    You can assign existing built-in or custom roles to the new user.

    Note

    To follow the principle of least privilege, grant users only the minimum permissions they need. This practice helps prevent security risks caused by excessive permissions.

Grant permissions to a user

You can grant the new user permissions on specific resources.

  1. On the Users page, click Add Permission in the Actions column for the target user.

  2. On the Permission Settings tab, click Add Permission.

  3. In the Add Permission panel, configure the following parameters and click OK.

    Parameter

    Description

    Resource

    The following resources are supported:

    • Catalogs: Controls access to internal data catalogs, databases, and tables.

    • External Data Catalogs: Controls access to external data catalogs, such as Hive, Iceberg, and Hudi.

    • Database: Controls a user's permissions to create, modify, delete, or query a specific database.

    • Table: Controls create, read, update, and delete (CRUD) permissions on specific tables.

    • Views: Controls permissions to view or operate on specific views.

    • Materialized View: Controls permissions to manage or access specific materialized views.

    Permission

    Available permissions:

    • Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.

    • External Data Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.

    • Database: ALL, ALTER, DROP, CREATE TABLE, CREATE VIEW, CREATE FUNCTION, CREATE MATERIALIZED VIEW, CREATE PIPE.

    • Table: ALL, ALTER, DROP, SELECT, INSERT, UPDATE, EXPORT, DELETE.

    • Views: ALL, SELECT, ALTER, DROP.

    • Materialized View: ALL, SELECT, ALTER, REFRESH, DROP.

Edit and delete users

  • Edit a user: In the Actions column for a user, click Modify Description, Change Password, or Add Permission to change their description, password, or permissions.

  • Delete a user:

    • Built-in user: The admin user cannot be deleted.

    • Custom user: A user with the required permissions can click Delete in the Actions column for a target user.

Role management

Create a role

If the built-in roles do not meet your needs, create a custom role for more fine-grained permission control.

  1. On the StarRocks Manager page, choose Security > Roles.

  2. On the Roles page, click Create Role.

  3. In the Create Role dialog box, enter a description and click OK.

Grant permissions to a role

You can grant specific permissions to a new or existing role to meet different business requirements.

  1. On the Roles page, click Add Permission in the Actions column for the target role.

  2. On the Permission Settings tab, click Add Permission.

  3. In the Add Permission panel, select a resource and its corresponding permissions, and then click OK.

    Parameter

    Description

    Resource

    The following resources are supported:

    • Catalogs: Controls this role's access to internal data catalogs, databases, and tables.

    • External Data Catalogs: Controls this role's access to external data catalogs, such as Hive, Iceberg, and Hudi.

    • Database: Controls this role's permissions to create, modify, delete, or query a specific database.

    • Table: Controls this role's create, read, update, and delete (CRUD) permissions on specific tables.

    • Views: Controls this role's permissions to view or operate on specific views.

    • Materialized View: Controls this role's permissions to manage or access specific materialized views.

    Permission

    Available permissions:

    • Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.

    • External Data Catalogs: ALL, USAGE, CREATE DATABASE, DROP, ALTER.

    • Database: ALL, ALTER, DROP, CREATE TABLE, CREATE VIEW, CREATE FUNCTION, CREATE MATERIALIZED VIEW, CREATE PIPE.

    • Table: ALL, ALTER, DROP, SELECT, INSERT, UPDATE, EXPORT, DELETE.

    • Views: ALL, SELECT, ALTER, DROP.

    • Materialized View: ALL, SELECT, ALTER, REFRESH, DROP.
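
The resource and permission lists in the Add Permission panels, for users and for roles, can be used to review a planned set of grants before entering them in the console. The following Python code is an added example, not part of the original documentation or of StarRocks Manager; the plan format, the grantee and user names, and the function names are constructed for illustration.

```python
# Added example: lint planned grants against the permission matrix on this page.

# Resource type -> permissions offered in the Add Permission panel (from this page).
ALLOWED = {
    "Catalogs": {"ALL", "USAGE", "CREATE DATABASE", "DROP", "ALTER"},
    "External Data Catalogs": {"ALL", "USAGE", "CREATE DATABASE", "DROP", "ALTER"},
    "Database": {"ALL", "ALTER", "DROP", "CREATE TABLE", "CREATE VIEW",
                 "CREATE FUNCTION", "CREATE MATERIALIZED VIEW", "CREATE PIPE"},
    "Table": {"ALL", "ALTER", "DROP", "SELECT", "INSERT", "UPDATE", "EXPORT", "DELETE"},
    "Views": {"ALL", "SELECT", "ALTER", "DROP"},
    "Materialized View": {"ALL", "SELECT", "ALTER", "REFRESH", "DROP"},
}

def user_type(roles):
    """Classify a user by role set, following the user types table on this page.
    Assumption: a user holding custom roles but not user_admin counts as regular."""
    return "Super administrator" if "user_admin" in roles else "Regular user"

def lint_grants(grants):
    """Return (grantee, resource, permission, finding) for each grant needing review."""
    findings = []
    for grantee, resource, permission in grants:
        perm = permission.strip().upper()
        if resource not in ALLOWED:
            findings.append((grantee, resource, perm, "unknown resource type"))
        elif perm not in ALLOWED[resource]:
            findings.append((grantee, resource, perm, "not offered for this resource"))
        elif perm == "ALL":
            findings.append((grantee, resource, perm, "broad grant: review against least privilege"))
    return findings

# Constructed sample plan: (grantee, resource type, permission).
PLAN = [
    ("report_reader", "Table", "SELECT"),
    ("report_reader", "Views", "select"),
    ("etl_writer", "Table", "ALL"),
    ("etl_writer", "Views", "REFRESH"),   # REFRESH is listed only for Materialized View
    ("etl_writer", "Schema", "USAGE"),    # not a resource type listed on this page
]
# Constructed sample users and their assigned roles.
USERS = {"sec_lead": {"public", "user_admin", "db_admin"}, "ops": {"public", "db_admin"}}

if __name__ == "__main__":
    for row in lint_grants(PLAN):
        print(row)
    for name, roles in USERS.items():
        print(name, "->", user_type(roles))
```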

Edit and delete roles

  • Edit a role:

    • Built-in role: You cannot edit or modify the permissions of a built-in role.

    • Custom role: To edit a custom role, click Edit or Add Permission in the Actions column for that role to change its description, assigned users, and permissions.

  • Delete a role:

    • Built-in role: You cannot delete a built-in role.

    • Custom role: To delete a custom role, click Delete in the Actions column for that role.

Use cases

This section provides two common use cases.

Create a user and grant permissions

  1. On the EMR StarRocks Manager page, choose Security > Users.

  2. Create a user.

    1. On the Users page, click Add User.

    2. In the dialog box, configure the parameters and click OK.

      For parameter details, see the table in the Create a user section.

  3. Grant permissions to the new user.

    1. On the Users page, click Add Permission in the Actions column for the new user.

    2. On the Permission Settings tab, click Add Permission.

    3. In the Add Permission panel, select a resource and its corresponding permissions, and then click OK.

Create a role and assign it to a user

Create a custom role if the built-in roles do not meet your specific needs for permission management.

  1. On the EMR StarRocks Manager page, choose Security > Roles.

  2. Create a role.

    1. On the Roles page, click Create Role.

    2. In the Create Role dialog box, enter a description and click OK.

  3. Add permissions to the new role.

    1. On the Roles page, click Add Permission in the Actions column for the new role.

    2. On the Permission Settings tab, click Add Permission.

    3. In the Add Permission panel, select a resource and its corresponding permissions, and then click OK.

  4. Assign the role to an existing user.

    1. Click the User List tab.

    2. On the Users tab, click Add User.

    3. In the Add Permission panel, select the target user and click OK.

Related documents

To view SQL queries, analyze execution plans, and troubleshoot SQL issues for your instance, see Diagnosis and analysis.