PolarDB uses a role-based access model with two account types: privileged accounts for administrative tasks and standard accounts for application workloads. Each account type has a defined set of permissions — operations outside that set are blocked.
How it works
PolarDB implements a Resource Access Management (RAM) model. Rather than granting permissions to individual accounts directly, the model assigns accounts to roles. Each role defines what operations an account can perform.
Privileged accounts handle database administration: creating databases, managing extensions, configuring replication, and creating other accounts.
Standard accounts run business logic: reading and writing application data.
Reserve privileged accounts for administrative tasks. For application users, create standard accounts and grant only the permissions the application requires.
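The following is an added example of the standard-account pattern described above; it is not taken from the PolarDB documentation. It is run from a privileged account and assumes a database `app_db`, a schema `app_schema` owned by `app_owner`, a table `app_schema.orders` with sequence `app_schema.orders_id_seq`, and the account name `app_user`; all of these are placeholders.

```sql
-- Added example (not PolarDB's own code): create a standard account for an
-- application and grant only what the application needs. Names and the
-- password value are assumptions.

-- 1. The application account can log in but cannot create databases or other
--    accounts. Standard accounts never get superuser rights in PolarDB anyway;
--    the flags are spelled out so the intent is visible in the DDL.
CREATE ROLE app_user LOGIN PASSWORD 'replace-with-a-strong-password'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Object-level grants: connect, use the schema, DML on the one table the
--    application touches, and the sequence behind its primary key.
--    DELETE and any DDL are deliberately left out.
GRANT CONNECT ON DATABASE app_db TO app_user;
GRANT USAGE ON SCHEMA app_schema TO app_user;
GRANT SELECT, INSERT, UPDATE ON app_schema.orders TO app_user;
GRANT USAGE, SELECT ON SEQUENCE app_schema.orders_id_seq TO app_user;

-- 3. Tables that app_owner creates later in this schema get the same narrow
--    grants automatically, so nobody is tempted to "fix" a missing grant by
--    handing out broader rights.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app_schema
    GRANT SELECT, INSERT, UPDATE ON TABLES TO app_user;

-- 4. On releases where the public schema still grants CREATE to everyone,
--    take that away so the application account cannot create objects there.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 5. Verify the result instead of assuming it: each column reflects exactly
--    the grants above, so only SELECT and INSERT (and UPDATE) are effective
--    and DELETE is not.
SELECT has_table_privilege('app_user', 'app_schema.orders', 'SELECT') AS can_select,
       has_table_privilege('app_user', 'app_schema.orders', 'INSERT') AS can_insert,
       has_table_privilege('app_user', 'app_schema.orders', 'DELETE') AS can_delete;
```

Step 5 is the part worth keeping in a deployment checklist: `has_table_privilege` reports the effective privilege, so it catches grants that arrived indirectly through role membership or `PUBLIC` that a reading of the `GRANT` statements alone would miss.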
Privileged account permissions
The following operations are available to privileged accounts.
| Operation | Details |
|---|---|
| Create a database | See Create a database. |
| Create an extension | See Plug-ins. |
| Create an account with equal or lower permissions | See Create a user. |
| Create and use an event trigger | See Create a trigger. |
| Create and modify an object type | See Create an object type. |
| Invoke garbage collection | See Garbage collection mechanism. |
| Create and modify a foreign data wrapper (FDW) | See Read and write external data files by using oss_fdw. |
| Modify the sequence used by ROWID | See ALTER SEQUENCE. |
| Create publications and subscriptions | See Publications and subscriptions below. |
| Create a system context | See System context below. |
| Use two-phase transactions | See Two-phase transactions below. |
| Send signals to backends | See Signals below. |
| View background process status | Query pg_stat_activity. |
| Rename an object | Run RENAME <object_name> TO <new_name>. |
Publications and subscriptions
Privileged accounts can create logical replication publications and subscriptions.
```sql
-- Create a publication
CREATE PUBLICATION my_publication FOR TABLE test_t;

-- Create a subscription
CREATE SUBSCRIPTION my_subscription
    CONNECTION 'channel_name=XXXX dbname=XXXX user=XXXX password=XXXX'
    PUBLICATION my_publication;
```
Creating a subscription requires a network channel. For details, see Network channels. If errors occur, contact support.
System context
Privileged accounts can create system contexts for use with application packages.
```sql
CREATE CONTEXT hr_context USING test_package;
```
Two-phase transactions
Privileged accounts can prepare, commit, and roll back two-phase transactions across sessions.
```sql
-- Session 1: prepare the transaction
BEGIN;
INSERT INTO t VALUES (1, 'a');
PREPARE TRANSACTION 'test_1';

-- Session 2: commit or roll back
COMMIT PREPARED 'test_1';
-- Or roll back:
ROLLBACK PREPARED 'test_1';
```
Signals
Privileged accounts can send signals to cancel queries or terminate sessions for non-superuser processes.
```sql
-- Cancel a running query (process ID 4300)
SELECT pg_cancel_backend(4300);

-- Terminate the session for a process
SELECT pg_terminate_backend(4300);
```
Prohibited operations
The following operations are blocked for both privileged and standard accounts to protect the cluster from destructive changes that could affect stability or security for all users.
| Operation | Reason |
|---|---|
| Create a folder | Direct filesystem access is not permitted on managed instances. |
| Modify system parameters | System-level configuration is managed by PolarDB. |
| Create a tablespace | Storage layout is managed by PolarDB. |
| Kill a superuser process | Superuser processes are reserved for PolarDB internal operations. |
| Execute an untrusted language | Only PL/SQL is a trusted language. Other procedural languages run outside the database sandbox and are not permitted. |
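The Signals section above shows the two signal functions with a hard-coded process ID, and the table above states that superuser processes may not be killed. The following added example (not from the PolarDB documentation) puts the two together: it locates candidate backends through `pg_stat_activity`, which privileged accounts may query, excludes superuser backends via `pg_roles`, and tries cancellation before termination. The account name `app_user`, the application-side thresholds, and the `backend_type` column (present on PostgreSQL 10 and later) are assumptions.

```sql
-- Added example (not PolarDB's own code). Run as a privileged account.
-- Thresholds and the role name 'app_user' are assumptions.

-- 1. Look before signalling: long-running, non-idle client backends owned by
--    non-superuser roles. The join on pg_roles filters out superuser
--    processes, which privileged accounts are not allowed to signal.
SELECT a.pid,
       a.usename,
       a.application_name,
       a.state,
       now() - a.query_start AS running_for,
       left(a.query, 60)      AS query_prefix
FROM   pg_stat_activity a
JOIN   pg_roles r ON r.rolname = a.usename
WHERE  a.backend_type = 'client backend'
AND    NOT r.rolsuper
AND    a.state <> 'idle'
AND    a.pid <> pg_backend_pid()            -- never target our own session
AND    now() - a.query_start > interval '10 minutes'
ORDER  BY running_for DESC;

-- 2. Cancel first: the statement is aborted and its transaction rolled back,
--    but the client keeps its connection. Both signal functions return a
--    boolean saying whether the signal was delivered, so the result set
--    doubles as a log of what was actually done.
SELECT a.pid, a.usename, pg_cancel_backend(a.pid) AS cancelled
FROM   pg_stat_activity a
JOIN   pg_roles r ON r.rolname = a.usename
WHERE  a.usename = 'app_user'
AND    NOT r.rolsuper
AND    a.state = 'active'
AND    a.pid <> pg_backend_pid()
AND    now() - a.query_start > interval '10 minutes';

-- 3. Terminate only sessions that cancellation cannot help, such as
--    idle-in-transaction sessions that keep holding locks.
SELECT a.pid, a.usename, pg_terminate_backend(a.pid) AS terminated
FROM   pg_stat_activity a
JOIN   pg_roles r ON r.rolname = a.usename
WHERE  a.usename = 'app_user'
AND    NOT r.rolsuper
AND    a.state = 'idle in transaction'
AND    a.pid <> pg_backend_pid()
AND    now() - a.state_change > interval '30 minutes';
```

Driving the signal functions from a filtered `pg_stat_activity` query rather than a hand-typed PID avoids the classic mistake of terminating whichever backend has reused a PID since the operator last looked.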
User group permissions
PolarDB for PostgreSQL (Compatible with Oracle) inherits predefined group roles from PostgreSQL. These group permissions have a union relationship with the permissions owned by privileged accounts — a privileged account holds the sum of its own permissions and the group role permissions listed here.
| Group role | Access level | Description |
|---|---|---|
| pg_read_all_stats and pg_stat_scan_tables | Full | Read all statistics views, as if having SELECT rights on pg_stat_* system views. |
| pg_signal_backend | Full | Send signals to other backends to cancel queries or terminate sessions, as if having direct signal rights on non-superuser processes. |
| pg_polar_superuser | Full | Grants the full set of privileged account permissions. |
| pg_polar_replication | Full | Grants streaming replication permission, as if having replication rights on the cluster. |
| pg_monitor | Full | Read and run monitoring views and functions, as if having SELECT and EXECUTE rights on monitoring objects. Local file read and write are denied. |
| pg_read_all_data and pg_write_all_data | Limited | Read all user tables and most system tables, and write to all user tables, as if having SELECT, INSERT, UPDATE, and DELETE rights on those objects. Some system tables are hidden for security. |
| pg_read_all_settings | Limited | Read configuration variables within granted permissions, as if having SELECT rights on configuration views. Some variables are hidden for security. |
| pg_read_server_files and pg_write_server_files | Prohibited | Local file read and write are not permitted. |
| pg_execute_server_program | Prohibited | Running binary commands on the server is not permitted. |
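The group roles in the table above let you give a monitoring or reporting job exactly the slice of access it needs instead of a privileged account. The following added example (not from the PolarDB documentation) creates two such accounts, checks their memberships, and lists who holds the "Full" group roles. The role names `metrics_collector` and `report_reader` and the password values are assumptions.

```sql
-- Added example (not PolarDB's own code). Run as a privileged account.
-- Role names and password values are assumptions.

-- A metrics collector needs pg_stat_* views and monitoring functions, nothing
-- else: grant pg_monitor rather than a privileged account.
CREATE ROLE metrics_collector LOGIN PASSWORD 'replace-with-a-strong-password'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT pg_monitor TO metrics_collector;

-- A reporting job must read every table but never write: pg_read_all_data
-- gives that on its own, so pg_write_all_data is deliberately not granted.
CREATE ROLE report_reader LOGIN PASSWORD 'replace-with-a-strong-password'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT pg_read_all_data TO report_reader;

-- Verify membership, and confirm that neither account has picked up one of
-- the prohibited file/program roles through some other grant path.
SELECT r.rolname,
       pg_has_role(r.rolname, 'pg_monitor', 'MEMBER')               AS monitor,
       pg_has_role(r.rolname, 'pg_read_all_data', 'MEMBER')         AS read_all,
       pg_has_role(r.rolname, 'pg_write_all_data', 'MEMBER')        AS write_all,
       pg_has_role(r.rolname, 'pg_read_server_files', 'MEMBER')     AS read_files,
       pg_has_role(r.rolname, 'pg_write_server_files', 'MEMBER')    AS write_files,
       pg_has_role(r.rolname, 'pg_execute_server_program', 'MEMBER') AS exec_prog
FROM   pg_roles r
WHERE  r.rolname IN ('metrics_collector', 'report_reader');

-- Periodic audit: every member of a "Full" group role has cluster-wide
-- capabilities, so this list should be short and each entry justified.
SELECT g.rolname AS group_role, m.rolname AS member
FROM   pg_auth_members am
JOIN   pg_roles g ON g.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  g.rolname IN ('pg_polar_superuser', 'pg_polar_replication',
                     'pg_signal_backend', 'pg_monitor',
                     'pg_read_all_stats', 'pg_stat_scan_tables')
ORDER  BY group_role, member;
```

Because group permissions are unioned with an account's own permissions, the audit query is the one to run after every account change: a standard account that has been added to `pg_polar_superuser` is, in effect, a privileged account regardless of how it was created.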