This page describes the roles that govern access to SQL functionality in Foundry, including SQL Studio, the embedded SQL console, and external SQL clients connected via Arrow Flight SQL or the SQL REST API.
Roles described here are part of the Foundry SQL Server and Download role set categories.
The following operations control SQL access. A user must hold at least one of foundry-sql-server:preview or foundry-sql-server:read on a resource to run any SQL against it.
| Operation | Foundry behavior | External API behavior |
|---|---|---|
| Preview: foundry-sql-server:preview | Results preview returns the first 1,000 rows of the query result. | - |
| Query: foundry-sql-server:read | Results preview defaults to 1,000 rows. In SQL Studio, users can extend the preview limit to 10,000 rows from the settings menu. | Returns the complete query result with no row limit. |
| Download: foundry-sql-server:frontend-download | Required for the Download action in the results panel. Downloads the rows displayed in the results preview (up to 1,000 rows). | — |
| Worksheet read: foundry-sql-server:read-worksheet | Open and view saved SQL worksheets. | — |
| Worksheet write: foundry-sql-server:write-worksheet | Create, edit, and save SQL worksheets. | — |
These operations can be granted as part of the default role sets or via a custom role within a custom role set.
Querying the ontology via ontology SQL does not require an additional role. Access follows the standard ontology roles on the object types being queried.
Default roles can be customized through custom role sets. Common configurations include:
- Removing Query datasets using SQL to prevent users from running unbounded queries via the SQL API. In this case, Preview datasets using SQL can still be granted to allow users to run capped queries inside Foundry.
- Removing Download SQL results in Foundry to prevent users from downloading results via the UI download button, even if they are granted preview permissions.

The AI-assisted query generation feature is gated on AIP enablement rather than a role set permission.
AIP must be enabled for the user's organization and for the project containing the queried resource. For details, see AIP permissions.
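
The following is an added example, not Foundry code or a Foundry API: a small audit that a reviewer might run over custom roles to find the two data egress paths described above (full results via the external SQL API, and the UI download). The role names and the dictionary layout are constructed for illustration; the operation names and row limits are the ones in the table.

```python
# Operation names and row limits come from the table above; the role
# dictionaries are constructed sample data, not a Foundry export format.
PREVIEW = "foundry-sql-server:preview"
READ = "foundry-sql-server:read"
DOWNLOAD = "foundry-sql-server:frontend-download"

def effective_sql_access(operations):
    """Summarize what a set of granted operations allows, per the table."""
    ops = set(operations)
    can_run = bool(ops & {PREVIEW, READ})  # at least one is required to run SQL
    if not can_run:
        max_preview = 0
    elif READ in ops:
        max_preview = 10_000  # SQL Studio setting can raise the default 1,000
    else:
        max_preview = 1_000
    return {
        "can_run_sql": can_run,
        "max_preview_rows": max_preview,
        "external_full_result": READ in ops,
        # Assumption: download is only usable when a preview can be produced.
        "ui_download": can_run and DOWNLOAD in ops,
    }

def audit_roles(roles):
    """Return {role_name: [findings]} for roles with a data egress path."""
    findings = {}
    for name, operations in roles.items():
        access = effective_sql_access(operations)
        notes = []
        if access["external_full_result"]:
            notes.append("unbounded results via external SQL API")
        if access["ui_download"]:
            notes.append("UI download of previewed rows")
        if DOWNLOAD in operations and not access["can_run_sql"]:
            notes.append("download granted without preview or read")
        if notes:
            findings[name] = notes
    return findings

SAMPLE_ROLES = {  # constructed custom roles for illustration
    "analyst-default": [PREVIEW, READ, DOWNLOAD],
    "analyst-capped": [PREVIEW],
    "analyst-capped-download": [PREVIEW, DOWNLOAD],
    "misconfigured": [DOWNLOAD],
}

for role, notes in audit_roles(SAMPLE_ROLES).items():
    print(role, "->", "; ".join(notes))
```

A role that appears with no findings, such as the constructed `analyst-capped`, matches the capped configuration described above: SQL runs inside Foundry with a 1,000-row preview and neither egress path.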