SQL permissions
This page describes the roles that govern access to SQL functionality in Foundry, including SQL Studio, the embedded SQL console, and external SQL clients connected via Arrow Flight SQL or the SQL REST API.
Roles described here are part of the Foundry SQL Server and Download role set categories.
Relevant operations
The following operations control SQL access. A user must hold at least one of foundry-sql-server:preview or foundry-sql-server:read on a resource to run any SQL against it.
| Operation | Foundry behavior | External API behavior |
|---|---|---|
| Preview: foundry-sql-server:preview | Results preview returns the first 1,000 rows of the query result. | — |
| Query: foundry-sql-server:read | Results preview defaults to 1,000 rows. In SQL Studio, users can extend the preview limit to 10,000 rows from the settings menu. | Returns the complete query result with no row limit. |
| Download: foundry-sql-server:frontend-download | Required for the Download action in the results panel. Downloads the rows displayed in the results preview (up to 1,000 rows). | — |
| Worksheet read: foundry-sql-server:read-worksheet | Open and view saved SQL worksheets. | — |
| Worksheet write: foundry-sql-server:write-worksheet | Create, edit, and save SQL worksheets. | — |
These operations can be granted as part of the default role sets or via a custom role within a custom role set.
Querying the ontology via ontology SQL does not require an additional role. Access follows the standard ontology roles on the object types being queried.
Custom role configurations
Default roles can be customized through custom role sets. Common configurations include:
- Restricting Query: Some organizations restrict "Query datasets using SQL" to prevent users from running unbounded queries via the SQL API. In this case, "Preview datasets using SQL" can still be granted to allow users to run capped queries inside Foundry.
- Separating Download from Query: Some organizations restrict "Download SQL results in Foundry" to prevent users from downloading results via the UI download button, even if they are granted preview permissions.
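When reviewing custom roles, it helps to derive what each combination of operations actually allows. The following Python is an added example, not Foundry code: it applies the operations table above to a set of granted operations and flags two mismatches, including a role that withholds UI download but keeps Query, which still returns full results to external clients. The role-to-operations mapping format and the role names are assumptions constructed for illustration.

```python
# Operation IDs are the ones listed on this page; the role-to-operations
# mapping format is an assumption made for this example.
PREVIEW = "foundry-sql-server:preview"
READ = "foundry-sql-server:read"
DOWNLOAD = "foundry-sql-server:frontend-download"


def effective_sql_access(ops):
    """Derive what a set of granted operations allows, per the operations table."""
    ops = set(ops)
    can_run = bool(ops & {PREVIEW, READ})  # at least one is required to run SQL
    if READ in ops:
        cap = 10_000  # defaults to 1,000, extendable in SQL Studio settings
    elif PREVIEW in ops:
        cap = 1_000
    else:
        cap = 0
    return {
        "can_run_sql": can_run,
        "max_preview_rows": cap,
        "unbounded_external_api": READ in ops,
        "ui_download": can_run and DOWNLOAD in ops,
    }


def audit_role(name, ops):
    """Return findings for grants that do not match the likely intent."""
    ops = set(ops)
    access = effective_sql_access(ops)
    findings = []
    if DOWNLOAD in ops and not access["can_run_sql"]:
        findings.append(f"{name}: download granted without preview or read, so no SQL can be run")
    if access["unbounded_external_api"] and DOWNLOAD not in ops:
        findings.append(f"{name}: UI download withheld, but read returns full results to external clients")
    return findings


# Constructed sample roles (hypothetical names).
ROLES = {
    "analyst-capped": {PREVIEW, DOWNLOAD},
    "analyst-no-download": {READ},
    "misconfigured": {DOWNLOAD},
}

if __name__ == "__main__":
    for role, granted in ROLES.items():
        print(role, effective_sql_access(granted))
        for finding in audit_role(role, granted):
            print("  finding:", finding)
```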
AI-assisted query generation
The AI-assisted query generation feature is gated on AIP enablement rather than a roleset permission.
AIP must be enabled for the user's organization and for the project containing the queried resource. For details, see AIP permissions.