PostgreSQL Grant

When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement.
For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, privileges must be granted.
There are several different kinds of privilege: SELECT, INSERT, UPDATE, DELETE,REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE.

PRIVILEGES To:

———-

1) GROUPS

2) USERS

3) ROLES

4) SCHEMA & SEARCH PATH

Lab to create USERS, SCHEMAS, ROLES, Alter SEARCH_PATH,
GRANT and REVOKE privileges

5) OBJECT OWNERSHIP

Privileges:

PRIVILEGES	Description
SELECT	Allows SELECT from any column, or the specific columns listed, of the specified table, this privilege allows the object to be read.
INSERT	Allows INSERT of a new row into the specified table.
UPDATE	Allows UPDATE of any column, or the specific columns listed, of the specified table.
DELETE	Allows DELETE of a row from the specified table.
TRUNCATE	Allows TRUNCATE on the specified table.
REFERENCES	To create a foreign key constraint, it is necessary to have this privilege on both the referencing and referenced columns. The privilege may be granted for all columns of a table, or just specific columns.
TRIGGER	Allows the creation of a trigger on the specified table.
CREATE	For databases, allows new schemas to be created within the database. For schemas, allows new objects to be created within the schema. For tablespaces, allows tables, indexes, and temporary files to be created within the tablespace,
CONNECT	Allows the user to connect to the specified database.
TEMPORARY TEMP	Allows temporary tables to be created while using the specified database.
EXECUTE	Allows the use of the specified function and the use of any operators that are implemented on top of the function. This is the only type of privilege that is applicable to functions. (This syntax works for aggregate functions, as well.)
USAGE	For procedural languages, allows the use of the specified language for the creation of functions in that language. This is the only type of privilege that is applicable to procedural languages. For schemas, allows access to objects contained in the specified schema For sequences, this privilege allows the use of the currval and nextval functions. For foreign-data wrappers, this privilege enables the grantee to create new servers using that foreign-data wrapper. For servers, this privilege enables the grantee to create, alter, and drop his own user’s user mappings associated with that server. Also, it enables the grantee to query the options of the server and associated user mappings.
ALL PRIVILEGES	Grant all of the available privileges at once. The PRIVILEGES key word is optional in PostgreSQL, though it is required by strict SQL.

Examples

— Connect the u2 user in postgres database

postgres=# \conninfo
You are connected to database "postgres" as user "u2" via socket in "/tmp" at port "5432".

— List down the user

postgres=# \du    
                             List of roles
 Role name |                   Attributes                   | Member of 
-----------+------------------------------------------------+-----------
 john      | Superuser                                      | {}
 postgres  | Superuser, Create role, Create DB, Replication | {}
 u1        |                                                | {}
 u10       |                                                | {}
 u11       |                                                | {}
 u2        | Superuser                                      | {}

— list the table

postgres=# \dt    
            List of relations
 Schema |    Name     | Type  |  Owner   
--------+-------------+-------+----------
 benz2  | buy         | table | u2
 benz2  | comment_log | table | u2
 benz2  | contable    | table | u2
 benz2  | demo        | table | u2
 benz2  | dept        | table | postgres

— Connect as u1 user

[postgres@r1 ~]$ psql -U u1 
Password for user u1:

— Check the privileges of dept tables as u1 user

postgres=> \dp benz2.dept
                          Access privileges
 Schema | Name | Type  | Access privileges | Column access privileges 
--------+------+-------+-------------------+--------------------------
 benz2  | dept | table |                   | 
(1 row)

Note: Here u1 user don’t have any privilege to access dept table

— connect the superuser as u2 grant the read & insert permission to u1 user to access the dept table

postgres=# grant select on benz2.dept to u1;
GRANT
postgres=# grant insert on benz2.dept to u1;
GRANT

–connect the u1 user and check the privilege using \dp command

postgres=> \dp benz2.dept                                                       
                              Access privileges
 Schema | Name | Type  |     Access privileges     | Column access privileges 
--------+------+-------+---------------------------+--------------------------
 benz2  | dept | table | postgres=arwdDxt/postgres+| 
        |      |       | u1=ar/postgres            | 
(1 row)

Here “ar” means insert & read(select)

The entries shown by \dp are interpreted thus:

rolename=xxxx -- privileges granted to a role
        =xxxx -- privileges granted to PUBLIC

            r -- SELECT ("read")
            w -- UPDATE ("write")
            a -- INSERT ("append")
            d -- DELETE
            D -- TRUNCATE
            x -- REFERENCES
            t -- TRIGGER
            X -- EXECUTE
            U -- USAGE
            C -- CREATE
            c -- CONNECT
            T -- TEMPORARY
      arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
            * -- grant option for preceding privilege

        /yyyy -- role that granted this privilege

— issue the select statement against the dept table as u1 user

postgres=> select * from benz2.dept;
ERROR:  permission denied for schema benz2
LINE 1: select * from benz2.dept;

because you need to specify grant usuage option on benz2 schema ^

— again connect the u2 superuser and grant all privilege to u1 user to accessing dept table

postgres=# grant USAGE ON schema benz2 TO u1;
GRANT

— Now issue the select statement as u1 user against dept table

postgres=> select * from benz2.dept;
 dept_id | department | address
---------+------------+---------
       1 |        ece | chennai
(1 row)

Some basic command of grant :

— Create a “nologin” role to act as the owner

create role dbowner nologin;

— Change the owner of your database to this

alter database mydb owner dbowner;

— Grant all your logins to this new role

grant dbowner to user1, user2;

1)GROUPS:

A group to whom to grant privileges

granting privileges is from enterprisedb

grant all privileges on database <db_name> to <group_name>

2.USERS:

when the uer create a table, those table belong to the PUBLIC schema Database can be split up between multiple users usign schemas.

granting privileges is from enterprisedb

grant all privileges on database <db_name> to <user_name>
grant all privileges on <table_name> to <user_name>

Revoking privileges is from enterprisedb

revoke all privileges on database <db_name> from <user_name>
Grant insert privilege to all users on table tab1:
GRANT INSERT ON tab1 TO PUBLIC;

Grant all available privileges to user manuel on view kinds:

GRANT ALL PRIVILEGES ON emp TO nijam;

Note that while the above will indeed grant all privileges if executed by a superuser or the owner of “emp”, when executed by someone else it will only grant those permissions for which the someone else has grant options.

Grant membership in role admins to user nijam:

GRANT admins TO nijam;

3.ROLE:

Database roles are conceptually completely separate from operating system users. In practice it might be convenient to maintain a correspondence, but this is not required. Database roles are global across a database cluster installation (and not per individual database)

To assign privileges, the GRANT command is used. So, if “nijam” is an existing role, and “emp” is an existing table, the privilege to update the table can be granted with

GRANT UPDATE ON emp TO nijam;

The special name PUBLIC can be used to grant a privilege to every role on the system. Writing ALL in place of a specific privilege specifies that all privileges that apply to the object will be granted.

GRANT all ON emp TO public;

4.SCHEMA:

Each user have their own schema and multiple schema the schema search path can be altered so that each user find their tables first and access the other user tables also.schema as a namespace for tables that also provides security.By creating a schema for users and granting them rights on that schema,The user will create tables on that schema instead of public.schema search path is set which users objects set in postgreSQL database.

default for all users $user, public.

search path can be set on a users basis, to look thorough any random list of schemas.

Use psql’s \dp command to obtain information about existing privileges for tables and columns

\dp emp
Access privileges
Schema |  Name   | Type  |   Access privileges   | Column access privileges 
--------+---------+-------+-----------------------+--------------------------
 public | emp     | table | u1=arwdDxt/u1 | col1:
: =r/u1             :       u1_rw=rw/u1
: admin=arw/u1        
(1 row)

5.OBJECT OWNERSHIP:

We gave connect privilege to user for database connect

GRANT CONNECT ON DATABASE database_name TO user_name;

We gave connect privilege to ALL user for database connect

GRANT CONNECT ON DATABASE database_name TO Public;
GRANT CONNECT ON DATABASE database_name TO user_name;
REVOKE ALL ON ALL TABLES IN SCHEMA schema_name FROM PUBLIC;
GRANT CONNECT ON DATABASE database_name TO user_name;

we gave permission to access all objects in database on particular user

grant all privileges on database dbname to dbuser;
GRANT CONNECT ON DATABASE database_name TO user_name;

Create role with Login privilege

CREATE ROLE demo_role WITH LOGIN;
GRANT CONNECT ON DATABASE database_name TO user_name;

Revoke Login Permission

ALTER ROLE demo_role WITH NOLOGIN;

Granting connect, update,insert privileges

GRANT CONNECT ON DATABASE database_name TO user_name;
GRANT UPDATE ON demo TO demo_role;
GRANT INSERT ON demo TO PUBLIC;

To view the grant table

\z
                                    Access privileges
 Schema |    Name     |   Type   |     Access privileges      | Column access privileges
--------+-------------+----------+----------------------------+------------------------  
 public | demo        | table    | postgres=arwdDxt/postgres +|
        |             |          | demo_role=w/postgres      +|
        |             |          | test_user=arwdDxt/postgres+|
        |             |          | =a/postgres                |
 public | demo_id_seq | sequence |                            |
(2 rows)

About Courses

Greenplum

About Courses

Greenplum

Privileges:

Become An Instructor?

About Courses

Greenplum

About Courses

Greenplum

PostgreSQL Grant

Privileges:

Login with your site account

Modal title