ALTER DEFAULT PRIVILEGES
ALTER DEFAULT PRIVILEGES defines default privileges that will be applied to objects created in
the future. It does not affect any existing objects.
Default privileges are specified for a certain object type and can be applied to all objects of that type, all objects of that type created within a specific set of databases, or all objects of that type created within a specific set of schemas. Default privileges are also specified for objects created by a certain set of roles or by all roles.
ALTER DEFAULT PRIVILEGES cannot be used to revoke the default owner privileges on objects. Those
privileges must be revoked manually after the object is created. Though owners can always re-grant
themselves any privilege on an object that they own.
The REVOKE variant of ALTER DEFAULT PRIVILEGES is used to revoke previously created default
privileges on objects created in the future. It will not revoke any privileges on objects that have
already been created. When revoking a default privilege, all the fields in the revoke statement
(target_role, schema_name, database_name, privilege, grantee) must exactly match an
existing default privilege. The existing default privileges can easily be viewed by the following
query: SELECT * FROM mz_internal.mz_show_default_privileges.
All new environments are created with a single default privilege, USAGE is granted on all TYPES
to the PUBLIC role. This can be revoked like any other default privilege.
Syntax
abreviated_grant
abbreviated_revoke
privilege
| Field | Use |
|---|---|
| target_role | The default privilege will apply to objects created by this role. Use the PUBLIC pseudo-role to target objects created by all roles. |
| ALL ROLES | The default privilege will apply to objects created by all roles. This is shorthand for specifying PUBLIC as the target_role. |
| schema_name | The default privilege will apply only to objects created in this schema, if specified. |
| database_name | The default privilege will apply only to objects created in this database, if specified. |
| SELECT | Allows reading rows from an object. The abbreviation for this privilege is ‘r’ (read). |
| INSERT | Allows inserting into an object. The abbreviation for this privilege is ‘a’ (append). |
| UPDATE | Allows updating an object (requires SELECT if a read is necessary). The abbreviation for this privilege is ‘w’ (write). |
| DELETE | Allows deleting from an object (requires SELECT if a read is necessary). The abbreviation for this privilege is ’d'. |
| CREATE | Allows creating a new object within another object. The abbreviation for this privilege is ‘C’. |
| USAGE | Allows using an object or looking up members of an object. The abbreviation for this privilege is ‘U’. |
| ALL PRIVILEGES | All applicable privileges for the provided object type. |
| grantee | The role name that will gain the default privilege. Use the PUBLIC pseudo-role to grant privileges to all roles. |
| revokee | The role name that will not gain the default privilege. Use the PUBLIC pseudo-role to remove default privileges previously granted to PUBLIC. |
Compatibility
For PostgreSQL compatibility reasons, you must specify TABLES as the object
type for sources, views, and materialized views.
Examples
ALTER DEFAULT PRIVILEGES FOR ROLE mike GRANT SELECT ON TABLES TO joe;
ALTER DEFAULT PRIVILEGES FOR ROLE interns IN DATABASE dev GRANT ALL PRIVILEGES ON TABLES TO intern_managers;
ALTER DEFAULT PRIVILEGES FOR ROLE developers REVOKE USAGE ON SECRETS FROM project_managers;
ALTER DEFAULT PRIVILEGES FOR ALL ROLES GRANT SELECT ON TABLES TO managers;
Privileges
The privileges required to execute this statement are:
- Role membership in
role_name. USAGEprivileges on the containing database ifdatabase_nameis specified.USAGEprivileges on the containing schema ifschema_nameis specified.- superuser status if the target_role is
PUBLICor ALL ROLES is specified.