I tested it out today. While the inheritance aspect is useful and good. Outside that, it's not really a feature that would be useful for us. What we would need are following main things: 1. ALTER DEFAULT PRIVILEGES should be at a ROLE/GROUP level instead of a user level in a schema as we want the role to govern the default privileges for objects in a set of schemas instead of defining it for each user. For example: ALTER DEFAULT PRIVILEGES FOR ROLE ABC in schema XYZ GRANT INSERT on tables to ROLE ABC; There by we can just add/drop user into a role or group without having to grant default privileges for every user added to the group/role. 2. GRANT TRUNCATE TABLE TO ALL tables IN SCHEMA XYZ TO ROLE ABC; We need the truncate table to be granular. We don't want to grant truncate to all the tables using a role. That's a security risk. We ended up building our own procs using a super user as security define and custom validations between user/schema to handle the truncate today. Ideally, truncate should a grantable permissions at user/role/group level to a table/schema. 3. GRANT ALTER TABLE TO ALL tables IN SCHEMA XYZ TO ROLE ABC; This doesn't exist, but the ability to alter a table and add/drop a column again depends on whether somebody is a owner of that object. We have created a procedure to take ownership of a table using our own proc (with custom validation based on user's group/schema where the operation is tried etc.) Also, I agree with Ben's comments. Above all, instead of adding hierarchy to the GROUP why was ROLE added. Is ROLE not redundant/duplicate with GROUP.

This will make group redundant. Why was RBAC introduced instead of expanding the functions of group?

This is a wonderful video and while RBAC is not perfect, it will help us implement a good level of security in our new data warehouse.

The example only has roles stacked in a linear pattern, not using one to many assignment. If user_1 is granted role_a, role_b and role_c does user_1 have the sum of permissions from granted roles which would be the same as using group membership to multiple groups?

By using roles you lose the ability to assign permissions through 'default privilege' for future created objects which seems to be a massive oversight in the roles implementation !! We have tables constantly being created and dropped in schemas with multiple groups assigned select permission. How can this be managed through roles?

Could you let me know where does the permission denied errors will be stored ??

i have granted only select command while it is allowing user to create or drop table why is that

We have implemented this role based machnisam 3 years back.

How can we grant privilege to the azure AD federated redshift user ??

great but we need group ownership to schema/table, not only the user.