SQL Command Permissions Summary
The following table identifies the permissions required for common SQL commands.
Notes:
- A <db-name>/*/* policy with
connect
permission is assumed for all SQL operations in the table. - A
&&
in the SQL Command column identifies a super-user operation. - A
##
in the Resource column signifies that additional policies may be required to provide access to resources used within the operation(s).
SQL Command | Permission | Resource |
---|---|---|
\d | usage-schema | <db-name>/public/* |
ANALYZE <table-name> | usage-schema | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> | |
ALTER AGGREGATE … RENAME TO | usage-schema, create | <db-name>/<schema-name>/* |
ALTER SEQUENCE | usage-schema | <db-name>/<schema-name>/* |
ALTER TABLE … RENAME | usage-schema | <db-name>/<schema-name>/* |
ALTER TABLE <table-name> SET DISTRIBUTED BY |
usage-schema, create | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> | |
BEGIN … COMMIT | usage-schema | <db-name>/<schema-name>/* |
## | ||
\c, CONNECT <db-name> | connect | <db-name>/*/* |
COPY <table-name> FROM && | usage-schema | <db-name>/<schema-name>/* |
insert, select | <db-name>/<schema-name>/<table-name> | |
COPY <table-name> TO && | usage-schema | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> | |
CREATE AGGREGATE | usage-schema, create | <db-name>/<schema-name>/* |
execute | <db-name>/<schema-name>/<sfunc-name> | |
CREATE EXTERNAL TABLE | usage-schema, create | <db-name>/<schema-name>/* |
select | <protocol-name> | |
CREATE FUNCTION <func-name> (trusted <language-name>) |
usage-schema, create | <db-name>/<schema-name>/* |
usage | <db-name>/<language-name> | |
execute | <db-name>/<schema-name>/<func-name> | |
## | ||
CREATE FUNCTION <func-name> (untrusted <language-name>) && |
usage-schema, create | <db-name>/<schema-name>/* |
## | ||
CREATE LANGUAGE && | usage | <db-name>/c |
CREATE OPERATOR CREATE OPERATOR CLASS && CREATE SEQUENCE CREATE TABLE CREATE TYPE CREATE VIEW |
usage-schema, create | <db-name>/<schema-name>/* |
CREATE SCHEMA | create-schema | <db-name>/*/* |
CREATE TABLE (<private-schema>) |
create | <db-name>/<private-schema>/* |
CREATE TABLE … AS | usage-schema, create | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> | |
CREATE TABLE … TABLESPACE <tablespace-name> |
usage-schema, create | <db-name>/<schema-name>/* |
create | <tablespace-name> | |
CREATE TEMP SEQUENCE CREATE TEMP TABLE |
temp | <db-name>/*/* |
CREATE WRITABLE EXTERNAL TABLE | usage-schema, create | <db-name>/<schema-name>/* |
insert | <protocol-name> | |
DROP AGGREGATE DROP FUNCTION DROP OPERATOR DROP OPERATOR CLASS && DROP SCHEMA DROP TABLE DROP VIEW |
usage-schema | <db-name>/<schema-name>/* |
EXECUTE | usage-schema | <db-name>/<schema-name>/* |
## | ||
EXPLAIN | usage-schema | <db-name>/<schema-name>/* |
## | ||
INSERT INTO <table-name> |
usage-schema | <db-name>/<schema-name>/* |
insert | <db-name>/<schema-name>/<table-name> | |
PREPARE | usage-schema | <db-name>/<schema-name>/* |
SELECT <agg-name> | usage-schema | <db-name>/<schema-name>/* |
execute | <db-name>/<schema-name>/<agg-name> | |
execute | <db-name>/<schema-name>/<sfunc-name> | |
## | ||
SELECT <func-name> | usage-schema | <db-name>/<schema-name>/* |
execute | <db-name>/<schema-name>/<func-name> | |
SELECT (using operator) | execute | <db-name>/<schema-name>/<op-func> |
## | ||
SELECT…FROM <table-name> |
usage-schema | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> | |
SELECT…INTO…FROM <table-name> | usage-schema, create | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> | |
SELECT…FROM <view-name> |
usage-schema | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<view-name> | |
TRUNCATE | usage-schema | <db-name>/<schema-name>/* |
VACUUM | usage-schema | <db-name>/<schema-name>/* |
VACUUM ANALYZE <table-name> |
usage-schema | <db-name>/<schema-name>/* |
select | <db-name>/<schema-name>/<table-name> |