Add documentation for CREATEDATAFLOW privilege

antiguru · claude · antiguru · commit 47b99088db1f · 2026-01-15T14:24:46.000+01:00
Document the new CREATEDATAFLOW privilege which controls whether users
can execute queries requiring dataflow rendering on clusters:

- Add privilege description explaining when it's needed and use cases
- Update GRANT/REVOKE syntax to include CREATEDATAFLOW for clusters
- Add to default privileges (PUBLIC gets CREATEDATAFLOW on all clusters)
- Add to object privileges table for CLUSTER

The privilege is useful in production to restrict users to fast-path
queries only, preventing accidental high-latency dataflow rendering.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/doc/user/content/sql/grant-privilege.md b/doc/user/content/sql/grant-privilege.md
@@ -28,15 +28,15 @@ object type.
 For specific cluster(s):
 
 ```mzsql
-GRANT <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
+GRANT <USAGE | CREATE | CREATEDATAFLOW | ALL [PRIVILEGES]> [, ... ]
 ON CLUSTER <name> [, ...]
 TO <role_name> [, ... ];
 ```
 
 For all clusters:
 
 ```mzsql
-GRANT <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
+GRANT <USAGE | CREATE | CREATEDATAFLOW | ALL [PRIVILEGES]> [, ... ]
 ON ALL CLUSTERS
 TO <role_name> [, ... ];
 ```
diff --git a/doc/user/content/sql/revoke-privilege.md b/doc/user/content/sql/revoke-privilege.md
@@ -30,7 +30,7 @@ object type.
 For specific cluster(s):
 
 ```mzsql
-REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
+REVOKE <USAGE | CREATE | CREATEDATAFLOW | ALL [PRIVILEGES]> [, ... ]
 ON CLUSTER <name> [, ...]
 FROM <role_name> [, ... ]
 ;
@@ -39,7 +39,7 @@ FROM <role_name> [, ... ]
 For all clusters:
 
 ```mzsql
-REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
+REVOKE <USAGE | CREATE | CREATEDATAFLOW | ALL [PRIVILEGES]> [, ... ]
 ON ALL CLUSTERS
 FROM <role_name> [, ... ]
 ;
diff --git a/doc/user/data/rbac/default_object_privileges.yml b/doc/user/data/rbac/default_object_privileges.yml
@@ -17,3 +17,17 @@ rows:
       When a [data type](/sql/types/) is created (regardless of the owner), all
       roles are granted the `USAGE` privilege. However, to use a data type, the
       role must also have `USAGE` privilege on the schema containing the type.
+
+  - "Default Privilege": "`CREATEDATAFLOW`"
+    "Object(s)": |
+      [`CLUSTER`](/concepts/clusters/)
+    "Object owner": |
+      `PUBLIC`
+    "Granted to": |
+      `PUBLIC`
+    Description: |
+      When a [cluster](/concepts/clusters/) is created (regardless of the owner),
+      all roles are granted the `CREATEDATAFLOW` privilege by default. This ensures
+      backwards compatibility and allows all users to execute queries that require
+      dataflow rendering. Administrators can revoke this privilege to restrict
+      users to only fast-path queries.
diff --git a/doc/user/data/rbac/object_privileges.yml b/doc/user/data/rbac/object_privileges.yml
@@ -7,6 +7,7 @@ rows:
     Privileges: |
       - `USAGE`
       - `CREATE`
+      - `CREATEDATAFLOW`
 
   - Object: "`CONNECTION`"
     Privileges: |
diff --git a/doc/user/data/rbac/privileges_objects.yml b/doc/user/data/rbac/privileges_objects.yml
@@ -94,3 +94,28 @@ rows:
     Abbreviation: "`P`"
     Applies to: |
       - `SYSTEM`
+
+  - Privilege: "**CREATEDATAFLOW**"
+    Description: |
+
+      Permission to execute queries that require dataflow rendering on a cluster.
+
+      When a query cannot be satisfied by an existing index using a [fast path](/sql/explain-plan/#fast-path-queries),
+      Materialize must render a temporary dataflow on the cluster. This privilege controls
+      whether a role is allowed to trigger such dataflow rendering.
+
+      Queries that can be answered using existing indexes (with optional map-filter-project
+      operations) or constant queries (e.g., `SELECT 1 + 1`) do not require this privilege.
+
+      This privilege is useful in production environments to prevent users from accidentally
+      executing high-latency queries that require dataflow rendering, ensuring they only
+      run queries that can be satisfied by existing indexes.
+
+      {{< note >}}
+      The [persist fast-path optimization](/sql/explain-plan/#fast-path-queries) is still
+      available even without this privilege, as it does not render a dataflow.
+      {{</ note >}}
+
+    Abbreviation: "`D`"
+    Applies to: |
+      - `CLUSTER`
diff --git a/doc/user/data/rbac/public_privileges.yml b/doc/user/data/rbac/public_privileges.yml
@@ -10,3 +10,9 @@ rows:
       - All `*.public` schemas (e.g., `materialize.public`);
       - `materialize` database; and
       - `quickstart` cluster.
+
+  - Privilege: "`CREATEDATAFLOW`"
+    Description: |
+      Permission to execute queries that require dataflow rendering.
+    "On database object(s)": |
+      - All clusters.
