mz_aclitem data expresses a granted privilege on some object.
mz_aclitem represents a privilege granted to some user on some object. The format of
<grantee>is the role ID of the role that has some privilege.
<privileges>is the abbreviation of the privileges that
granteehas concatenated together.
<grantor>is the role ID of the role that granted the privileges.
A list of all privileges and their abbreviations are below:
|Privilege||Description||Abbreviation||Applicable Object Types|
||Allows reading rows from an object.||r(”read”)||Table, View, Materialized View, Source|
||Allows inserting into an object.||a(”append”)||Table|
||Allows updating an object (requires SELECT if a read is necessary).||w(”write”)||Table|
||Allows deleting from an object (requires SELECT if a read is necessary).||d||Table|
||Allows creating a new object within another object.||C||Database, Schema, Cluster|
||Allows using an object or looking up members of an object.||U||Database, Schema, Connection, Secret, Cluster|
||Allows creating, altering, deleting roles and the ability to grant and revoke role membership.||R(“Role”)||System|
||Allows creating databases.||B(“dataBase”)||System|
||Allows creating clusters.||N(“compute Node”)||System|
CREATEROLE privilege is very powerful. It allows roles to grant and revoke membership in
other roles, even if it doesn’t have explicit membership in those roles. As a consequence, any role
with this privilege can obtain the privileges of any other role in the system.
mz_aclitem is casted to
text, the role IDs are automatically converted to role names.
For details about casting, including contexts, see Functions: Cast.
There are no supported operations or functions on