User Management
Users are the identity principals that perform operations in Singdata Lakehouse. Lakehouse uses a two-tier user model: instance-level user management and workspace-level user management.
User Tiers
Instance-Level Users
Instance-level users are created in the global account and represent independent identities in the system. Creating, deleting, enabling, and disabling instance-level users is done in the Account Console → User Management page.
- Multiple users can be created under one account; usernames must be unique.
- Instance-level users are granted the `instance_user` role by default and have no data or feature permissions.
- A user must be added to a workspace before they can be granted roles and permissions within that workspace.
Workspace-Level Users
A workspace-level user is an instance-level user that has been added to a specific workspace. Only users who have been added to a workspace can be granted roles and permissions within it.
- Use `CREATE USER` to add an instance user to a workspace.
- Use `DROP USER` to remove a user from a workspace.
- A user can be a member of multiple workspaces simultaneously.
User Types
| Type | Description | Login Method |
|---|---|---|
| Regular User | Actual personnel within the organization; performs daily data queries, analysis, and management | Web console login, JDBC connection |
| Service User | A special user for automated processes or system-level calls | JDBC connection only; cannot log in via the web console |
Service users include system service users (created by default when Lakehouse is initialized) and custom service users (created by users themselves).
In This Chapter
| Page | Description |
|---|---|
| CREATE USER | Add an instance user to the current workspace; set default cluster and schema |
| ALTER USER | Modify a user's default cluster, default schema, and other properties |
| DROP USER | Remove a user from the current workspace (does not delete the instance user account) |
| SHOW USERS | List all users in the current workspace |
User Lifecycle Management
1. Create an Instance User
Create a new user in the "User Management" page of the account console, setting the username, password, phone number, email, and other information.
2. Add the User to a Workspace
3. Grant the User a Role or Permissions
4. Modify User Properties
5. View User List and Permissions
6. Remove a User from the Workspace
Common Operations
Add a User to a Workspace
Modify User Configuration
View Users
Remove a User from the Workspace
Access Management Best Practices
- Use RBAC: Manage permissions through roles rather than granting them directly to users.
- Follow the principle of least privilege: Grant users only the minimum permissions needed to do their work.
- Review permissions regularly: Use `SHOW GRANTS TO USER` to periodically audit user permissions.
- Use WITH GRANT OPTION with caution: A user granted this option can re-grant the permission to others.
Notes
- `CREATE USER` does not create a new account — it only adds an existing instance user to the workspace. Instance users are created in the console.
- `DROP USER` only removes workspace access; it does not delete the instance user's account and password.
- Before removing a user, run `SHOW GRANTS TO USER user_name` to confirm their permissions have been handled.
Related Documentation
| Document | Description |
|---|---|
| SQL Commands Overview | Categorized navigation for all SQL commands |
| Roles and Privileges | Grant roles and permissions to users |
| CREATE USER | Full syntax for adding an instance user to a workspace |
| ALTER USER | Full syntax for modifying user properties |
| DROP USER | Full syntax for removing a user from a workspace |
| SHOW USERS | View the workspace user list |
| GRANT | Grant permissions to users or roles |
| REVOKE | Revoke permissions from users or roles |
| SHOW GRANTS | View the permission list for a user or role |
| Roles | Create and manage roles |
