Home  /  Manage Materialize  /  Access control (Role-based)

Appendix: Privileges by commands

Command Privileges
ALTER CLUSTER

  • Ownership of the cluster.

  • To rename a cluster, you must also have membership in the <new_owner_role>.

  • To swap names with another cluster, you must also have ownership of the other cluster.
ALTER CONNECTION
  • Ownership of the connection.
ALTER DEFAULT PRIVILEGES
  • Role membership in role_name.
  • USAGE privileges on the containing database if database_name is specified.
  • USAGE privileges on the containing schema if schema_name is specified.
  • superuser status if the target_role is PUBLIC or ALL ROLES is specified.
ALTER INDEX
  • Ownership of the index.
ALTER MATERIALIZED VIEW
  • Ownership of the materialized view.
ALTER NETWORK POLICY
  • Ownership of the network policy.
ALTER ROLE
  • CREATEROLE privileges on the system.
ALTER ... OWNER
  • Role membership in new_owner.
  • Ownership of the object being altered.
  • CREATE privileges on the containing cluster if the object is a cluster replica.
  • CREATE privileges on the containing database if the object is a schema.
  • CREATE privileges on the containing schema if the object is namespaced by a schema.
ALTER ... RENAME
  • Ownership of the object being renamed.
ALTER ... SWAP
  • Ownership of both objects being swapped.
ALTER SECRET
  • Ownership of the secret being altered.
ALTER SINK
  • Ownership of the sink being altered.
  • SELECT privileges on the new relation being written out to an external system.
  • CREATE privileges on the cluster maintaining the sink.
  • USAGE privileges on all connections and secrets used in the sink definition.
  • USAGE privileges on the schemas that all connections and secrets in the statement are contained in.
ALTER SOURCE
  • Ownership of the source being altered.
ALTER SYSTEM RESET
ALTER SYSTEM SET
COMMENT ON
  • Ownership of the object being commented on (unless the object is a role).
  • To comment on a role, you must have the CREATEROLE privilege.
COPY FROM
  • USAGE privileges on the schema containing the table.
  • INSERT privileges on the table.
COPY TO
  • USAGE privileges on the schemas that all relations and types in the query are contained in.
  • SELECT privileges on all relations in the query.
    • NOTE: if any item is a view, then the view owner must also have the necessary privileges to execute the view definition. Even if the view owner is a superuser, they still must explicitly be granted the necessary privileges.
  • USAGE privileges on all types used in the query.
  • USAGE privileges on the active cluster.
CREATE CLUSTER
  • CREATECLUSTER privileges on the system.
CREATE CLUSTER REPLICA
  • Ownership of the cluster.
CREATE CONNECTION
  • CREATE privileges on the containing schema.
  • USAGE privileges on all connections and secrets used in the connection definition.
  • USAGE privileges on the schemas that all connections and secrets in the statement are contained in.
CREATE DATABASE
  • CREATEDB privileges on the system.
CREATE INDEX
  • Ownership of the object on which to create the index.
  • CREATE privileges on the containing schema.
  • CREATE privileges on the containing cluster.
  • USAGE privileges on all types used in the index definition.
  • USAGE privileges on the schemas that all types in the statement are contained in.
CREATE MATERIALIZED VIEW
  • Ownership of existing view if OR REPLACE is specified.
  • CREATE privileges on the containing schema.
  • CREATE privileges on the containing cluster.
  • USAGE privileges on all types used in the materialized view definition.
  • USAGE privileges on the schemas that all types in the statement are contained in.
CREATE NETWORK POLICY
  • CREATENETWORKPOLICY privileges on the system.
CREATE ROLE
  • CREATEROLE privileges on the system.
CREATE SCHEMA
  • CREATE privileges on the containing database.
CREATE SECRET
  • CREATE privileges on the containing schema.
CREATE SINK
  • CREATE privileges on the containing schema.
  • SELECT privileges on the item being written out to an external system.
    • NOTE: if the item is a view, then the view owner must also have the necessary privileges to execute the view definition.
  • CREATE privileges on the containing cluster if the sink is created in an existing cluster.
  • CREATECLUSTER privileges on the system if the sink is not created in an existing cluster.
  • USAGE privileges on all connections and secrets used in the sink definition.
  • USAGE privileges on the schemas that all connections and secrets in the statement are contained in.
CREATE SOURCE
  • CREATE privileges on the containing schema.
  • CREATE privileges on the containing cluster if the source is created in an existing cluster.
  • CREATECLUSTER privileges on the system if the source is not created in an existing cluster.
  • USAGE privileges on all connections and secrets used in the source definition.
  • USAGE privileges on the schemas that all connections and secrets in the statement are contained in.
CREATE TABLE
  • CREATE privileges on the containing schema.
  • USAGE privileges on all types used in the table definition.
  • USAGE privileges on the schemas that all types in the statement are contained in.
CREATE TYPE
  • CREATE privileges on the containing schema.
  • USAGE privileges on all types used in the type definition.
  • USAGE privileges on the schemas that all types in the statement are contained in.
CREATE VIEW
  • Ownership of existing view if OR REPLACE is specified.
  • CREATE privileges on the containing schema.
  • USAGE privileges on all types used in the view definition.
  • USAGE privileges on the schemas that all types in the statement are contained in.
DELETE
  • USAGE privileges on the schemas that all relations and types in the query are contained in.
  • DELETE privileges on table_name.
  • SELECT privileges on all relations in the query.
    • NOTE: if any item is a view, then the view owner must also have the necessary privileges to execute the view definition. Even if the view owner is a superuser, they still must explicitly be granted the necessary privileges.
  • USAGE privileges on all types used in the query.
  • USAGE privileges on the active cluster.
DROP CLUSTER REPLICA
  • Ownership of the dropped cluster replica.
  • USAGE privileges on the containing cluster.
DROP CLUSTER
  • Ownership of the dropped cluster.
DROP CONNECTION
  • Ownership of the dropped connection.
  • USAGE privileges on the containing schema.
DROP DATABASE
  • Ownership of the dropped database.
DROP INDEX
  • Ownership of the dropped index.
  • USAGE privileges on the containing schema.
DROP MATERIALIZED VIEW
  • Ownership of the dropped materialized view.
  • USAGE privileges on the containing schema.
DROP NETWORK POLICY
  • CREATENETWORKPOLICY privileges on the system.
DROP OWNED
  • Role membership in role_name.
DROP ROLE
  • CREATEROLE privileges on the system.
DROP SCHEMA
  • Ownership of the dropped schema.
  • USAGE privileges on the containing database.
DROP SECRET
  • Ownership of the dropped secret.
  • USAGE privileges on the containing schema.
DROP SINK
  • Ownership of the dropped sink.
  • USAGE privileges on the containing schema.
DROP SOURCE
  • Ownership of the dropped source.
  • USAGE privileges on the containing schema.
DROP TABLE
  • Ownership of the dropped table.
  • USAGE privileges on the containing schema.
DROP TYPE
  • Ownership of the dropped type.
  • USAGE privileges on the containing schema.
DROP USER
  • CREATEROLE privileges on the system.
DROP VIEW
  • Ownership of the dropped view.
  • USAGE privileges on the containing schema.
EXPLAIN ANALYZE
  • USAGE privileges on the schemas that all relations in the explainee are contained in.
EXPLAIN FILTER PUSHDOWN
  • USAGE privileges on the schemas that all relations in the explainee are contained in.
EXPLAIN PLAN
  • USAGE privileges on the schemas that all relations in the explainee are contained in.
EXPLAIN SCHEMA
  • USAGE privileges on the schemas that all items in the query are contained in.
EXPLAIN TIMESTAMP
  • USAGE privileges on the schemas that all relations in the query are contained in.
GRANT PRIVILEGE
  • Ownership of affected objects.
  • USAGE privileges on the containing database if the affected object is a schema.
  • USAGE privileges on the containing schema if the affected object is namespaced by a schema.
  • superuser status if the privilege is a system privilege.
GRANT ROLE
  • CREATEROLE privileges on the systems.
INSERT
  • USAGE privileges on the schemas that all relations and types in the query are contained in.
  • INSERT privileges on table_name.
  • SELECT privileges on all relations in the query.
    • NOTE: if any item is a view, then the view owner must also have the necessary privileges to execute the view definition. Even if the view owner is a superuser, they still must explicitly be granted the necessary privileges.
  • USAGE privileges on all types used in the query.
  • USAGE privileges on the active cluster.
REASSIGN OWNED
  • Role membership in old_role and new_role.
REVOKE PRIVILEGE
  • Ownership of affected objects.
  • USAGE privileges on the containing database if the affected object is a schema.
  • USAGE privileges on the containing schema if the affected object is namespaced by a schema.
  • superuser status if the privilege is a system privilege.
REVOKE ROLE
  • CREATEROLE privileges on the systems.
SELECT
  • CREATE privileges on the containing schema.
  • CREATE privileges on the containing cluster if the source is created in an existing cluster.
  • CREATECLUSTER privileges on the system if the source is not created in an existing cluster.
  • USAGE privileges on all connections and secrets used in the source definition.
  • USAGE privileges on the schemas that all connections and secrets in the statement are contained in.
SHOW COLUMNS
  • USAGE privileges on the schema containing item_ref.
SHOW CREATE CLUSTER There are no privileges required to execute this statement.
SHOW CREATE CONNECTION
  • USAGE privileges on the schema containing the connection.
SHOW CREATE INDEX
  • USAGE privileges on the schema containing the index.
SHOW CREATE MATERIALIZED VIEW
  • USAGE privileges on the schema containing the materialized view.
SHOW CREATE SINK
  • USAGE privileges on the schema containing the sink.
SHOW CREATE SOURCE
  • USAGE privileges on the schema containing the source.
SHOW CREATE TABLE
  • USAGE privileges on the schema containing the table.
SHOW CREATE VIEW
  • USAGE privileges on the schema containing the view.
SUBSCRIBE
  • USAGE privileges on the schemas that all relations and types in the query are contained in.
  • SELECT privileges on all relations in the query.
    • NOTE: if any item is a view, then the view owner must also have the necessary privileges to execute the view definition. Even if the view owner is a superuser, they still must explicitly be granted the necessary privileges.
  • USAGE privileges on all types used in the query.
  • USAGE privileges on the active cluster.
UPDATE
  • USAGE privileges on the schemas that all relations and types in the query are contained in.
  • UPDATE privileges on the table being updated.
  • SELECT privileges on all relations in the query.
    • NOTE: if any item is a view, then the view owner must also have the necessary privileges to execute the view definition. Even if the view owner is a superuser, they still must explicitly be granted the necessary privileges.
  • USAGE privileges on all types used in the query.
  • USAGE privileges on the active cluster.
VALIDATE CONNECTION
  • USAGE privileges on the containing schema.
  • USAGE privileges on the connection.
Back to top ↑