SQL Command Permissions Summary

The following table identifies the permissions required for common SQL commands.

Notes:

  • A <db-name>/*/* policy with connect permission is assumed for all SQL operations in the table.
  • A && in the SQL Command column identifies a super-user operation.
  • A ## in the Resource column signifies that additional policies may be required to provide access to resources used within the operation(s).
SQL Command Permission Resource
\d usage-schema <db-name>/public/*
ANALYZE <table-name> usage-schema <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>
ALTER AGGREGATE … RENAME TO usage-schema, create <db-name>/<schema-name>/*
ALTER SEQUENCE usage-schema <db-name>/<schema-name>/*
ALTER TABLE … RENAME usage-schema <db-name>/<schema-name>/*
ALTER TABLE

<table-name>

SET DISTRIBUTED BY

 usage-schema, create <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>
BEGIN … COMMIT usage-schema <db-name>/<schema-name>/*
##
\c, CONNECT <db-name> connect <db-name>/*/*
COPY <table-name> FROM && usage-schema <db-name>/<schema-name>/*
insert, select <db-name>/<schema-name>/<table-name>
COPY <table-name> TO && usage-schema <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>
CREATE AGGREGATE usage-schema, create <db-name>/<schema-name>/*
execute <db-name>/<schema-name>/<sfunc-name>
CREATE EXTERNAL TABLE usage-schema, create <db-name>/<schema-name>/*
select <protocol-name>
CREATE FUNCTION

<func-name>

(trusted <language-name>)

 usage-schema, create <db-name>/<schema-name>/*
usage <db-name>/<language-name>
execute <db-name>/<schema-name>/<func-name>
##
CREATE FUNCTION

<func-name>

(untrusted <language-name>) &&

 usage-schema, create <db-name>/<schema-name>/*
##
CREATE LANGUAGE && usage <db-name>/c
CREATE OPERATOR

CREATE OPERATOR CLASS &&

CREATE SEQUENCE

CREATE TABLE

CREATE TYPE

CREATE VIEW

 usage-schema, create <db-name>/<schema-name>/*
CREATE SCHEMA create-schema <db-name>/*/*
CREATE TABLE

(<private-schema>)

create <db-name>/<private-schema>/*
CREATE TABLE … AS usage-schema, create <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>
CREATE TABLE …

TABLESPACE

<tablespace-name>

 usage-schema, create <db-name>/<schema-name>/*
create <tablespace-name>
CREATE TEMP SEQUENCE

CREATE TEMP TABLE

 temp <db-name>/*/*
CREATE WRITABLE EXTERNAL TABLE usage-schema, create <db-name>/<schema-name>/*
insert <protocol-name>
DROP AGGREGATE

DROP FUNCTION

DROP OPERATOR

DROP OPERATOR CLASS &&

DROP SCHEMA

DROP TABLE

DROP VIEW

 usage-schema <db-name>/<schema-name>/*
EXECUTE usage-schema <db-name>/<schema-name>/*
##
EXPLAIN usage-schema <db-name>/<schema-name>/*
##
INSERT INTO

<table-name>

 usage-schema <db-name>/<schema-name>/*
insert <db-name>/<schema-name>/<table-name>
PREPARE usage-schema <db-name>/<schema-name>/*
SELECT <agg-name> usage-schema <db-name>/<schema-name>/*
execute <db-name>/<schema-name>/<agg-name>
execute <db-name>/<schema-name>/<sfunc-name>
##
SELECT <func-name> usage-schema <db-name>/<schema-name>/*
execute <db-name>/<schema-name>/<func-name>
SELECT (using operator) execute <db-name>/<schema-name>/<op-func>
##
SELECT…FROM

<table-name>

 usage-schema <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>
SELECT…INTO…FROM <table-name> usage-schema, create <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>
SELECT…FROM

<view-name>

 usage-schema <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<view-name>
TRUNCATE usage-schema <db-name>/<schema-name>/*
VACUUM usage-schema <db-name>/<schema-name>/*
VACUUM ANALYZE

<table-name>

 usage-schema <db-name>/<schema-name>/*
select <db-name>/<schema-name>/<table-name>