PolarDB Privilege Model and Access Control Explained - PolarDB

PolarDB for Oracle uses a privilege-based access control model inherited from PostgreSQL. Every database object has an owner, and only the owner (or a superuser) can act on it until privileges are explicitly granted to other roles.

Key concepts

Owner

Every object is assigned an owner at creation time — normally the role that ran the CREATE statement. The right to modify or destroy an object is tied to ownership and cannot be granted or revoked separately.

To transfer ownership, use ALTER with the appropriate object type:

ALTER TABLE table_name OWNER TO new_owner;

Superusers can always reassign ownership. An ordinary role can only do so if it is both the current owner (or a member of the owning role) and a member of the new owning role.

Privileges

PolarDB for Oracle supports 12 privilege types: SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, CREATE, CONNECT, TEMPORARY, EXECUTE, and USAGE. Which privileges apply to a given object depends on the object type.

PUBLIC

PUBLIC is a special role name that represents every role in the system. Granting a privilege to PUBLIC makes it available to all current and future roles.

Grant option

When you grant a privilege WITH GRANT OPTION, the recipient can grant it to other roles in turn. If the grant option is revoked, everyone who received the privilege through that chain loses it as well.

Privilege descriptions

SELECT

Allows SELECT from any column, or specific columns, of a table, view, materialized view, or other table-like object. Also enables:

COPY TO
Referencing existing column values in UPDATE or DELETE
The currval function on sequences
Reading large objects

INSERT

Allows inserting a new row into a table, view, or similar object. Also enables COPY FROM. When granted on specific columns, only those columns can be assigned values in INSERT — other columns receive default values.

UPDATE

Allows updating any column, or specific columns, of a table, view, or similar object. Also enables:

nextval and setval on sequences
Writing or truncating large objects
SELECT ... FOR UPDATE and SELECT ... FOR SHARE (requires SELECT privilege on at least one column as well)

In practice, any non-trivial UPDATE also requires SELECT privilege, because the query must read column values to identify which rows to update.

DELETE

Allows deleting rows from a table, view, or similar object. In practice, any non-trivial DELETE also requires SELECT privilege, because the query must read column values to identify which rows to delete.

TRUNCATE

Allows TRUNCATE on a table.

REFERENCES

Allows creating a foreign key constraint that references a table, or specific columns of a table.

TRIGGER

Allows creating a trigger on a table, view, or similar object.

CREATE

The effect depends on the object type:

Database: Allows creating new schemas and publications within the database, and installing trusted extensions.
Schema: Allows creating new objects within the schema. To rename an existing object, you must own the object and hold CREATE on the containing schema.
Tablespace: Allows creating tables, indexes, and temporary files within the tablespace, and creating databases that use the tablespace as their default.

Revoking CREATE does not affect existing objects — it only prevents new ones from being created.

CONNECT

Allows connecting to the database. This privilege is checked at connection startup, in addition to any restrictions imposed by pg_hba.conf.

TEMPORARY

Allows creating temporary tables while connected to the database.

EXECUTE

Allows calling a function or procedure, including any operators implemented on top of the function. This is the only privilege type applicable to functions and procedures.

USAGE

The effect depends on the object type:

Procedural languages: Allows using the language to create functions. This is the only privilege type applicable to procedural languages.
Schemas: Allows looking up objects within the schema (assuming the objects' own privileges are also met). Revoking this privilege does not prevent users from seeing object names via system catalogs, and existing sessions may have already resolved lookups, so this is not a completely secure way to prevent object access.
Sequences: Allows the currval and nextval functions.
Types and domains: Allows using the type or domain when creating tables, functions, and other schema objects. This privilege controls which roles can create dependencies on a type — it does not restrict all uses of the type.
Foreign data wrappers: Allows creating new servers using the wrapper.
Foreign servers: Allows creating foreign tables using the server. Grantees may also create, alter, or drop their own user mappings associated with the server.

Grant and revoke privileges

Use GRANT to assign privileges:

-- Grant a specific privilege
GRANT UPDATE ON accounts TO joe;

-- Grant all applicable privileges
GRANT ALL ON accounts TO joe;

-- Grant with the ability to pass the privilege on
GRANT SELECT ON accounts TO joe WITH GRANT OPTION;

Use REVOKE to remove privileges:

-- Revoke all privileges from PUBLIC
REVOKE ALL ON accounts FROM PUBLIC;

Only the object's owner or a superuser can grant or revoke privileges — unless a grant option has been explicitly passed to another role.

An owner can revoke their own ordinary privileges (for example, to make a table read-only for everyone including themselves). Because owners always hold all grant options implicitly, they can always re-grant their own privileges.

Common role setup examples

The following examples show complete SQL sequences for two common privilege patterns.

Read-only role

-- Create the role
CREATE ROLE readonly;
GRANT CONNECT ON DATABASE mydb TO readonly;
GRANT USAGE ON SCHEMA public TO readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;

-- Assign the role to a user
CREATE USER readonly_user1 WITH PASSWORD '<password>';
GRANT readonly TO readonly_user1;

Read-write role

-- Create the role
CREATE ROLE readwrite;
GRANT CONNECT ON DATABASE mydb TO readwrite;
GRANT USAGE ON SCHEMA public TO readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO readwrite;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO readwrite;

-- Assign the role to a user
CREATE USER readwrite_user1 WITH PASSWORD '<password>';
GRANT readwrite TO readwrite_user1;

Default PUBLIC privileges

When an object is created, PostgreSQL grants certain privileges to PUBLIC automatically. The following table shows the defaults by object type.

Object type	Default PUBLIC privileges
`DATABASE`	`CONNECT`, `TEMPORARY`
`DOMAIN`	`USAGE`
`FUNCTION` or `PROCEDURE`	`EXECUTE`
`LANGUAGE`	`USAGE`
`TYPE`	`USAGE`
`FOREIGN DATA WRAPPER`	None
`FOREIGN SERVER`	None
`LARGE OBJECT`	None
`SCHEMA`	None
`SEQUENCE`	None
`TABLE` (and table-like objects)	None
Table column	None
`TABLESPACE`	None

To remove default public access immediately after creation, run REVOKE in the same transaction as the CREATE statement — this eliminates any window during which other roles could use the object. To change defaults for future objects, use ALTER DEFAULT PRIVILEGES.

ACL privilege abbreviations

Access Control List (ACL) values use one-letter abbreviations for each privilege. You see these abbreviations in psql output and in ACL columns of system catalogs.

Table 1. ACL privilege abbreviations

Privilege	Abbreviation	Applicable object types
`SELECT`	`r` ("read")	`LARGE OBJECT`, `SEQUENCE`, `TABLE` (and table-like objects), table column
`INSERT`	`a` ("append")	`TABLE`, table column
`UPDATE`	`w` ("write")	`LARGE OBJECT`, `SEQUENCE`, `TABLE`, table column
`DELETE`	`d`	`TABLE`
`TRUNCATE`	`D`	`TABLE`
`REFERENCES`	`x`	`TABLE`, table column
`TRIGGER`	`t`	`TABLE`
`CREATE`	`C`	`DATABASE`, `SCHEMA`, `TABLESPACE`
`CONNECT`	`c`	`DATABASE`
`TEMPORARY`	`T`	`DATABASE`
`EXECUTE`	`X`	`FUNCTION`, `PROCEDURE`
`USAGE`	`U`	`DOMAIN`, `FOREIGN DATA WRAPPER`, `FOREIGN SERVER`, `LANGUAGE`, `SCHEMA`, `SEQUENCE`, `TYPE`

Table 2. Summary of access privileges

Object type	All privileges	Default PUBLIC privileges	psql command
`DATABASE`	`CTc`	`Tc`	`\l`
`DOMAIN`	`U`	`U`	`\dD+`
`FUNCTION` or `PROCEDURE`	`X`	`X`	`\df+`
`FOREIGN DATA WRAPPER`	`U`	none	`\dew+`
`FOREIGN SERVER`	`U`	none	`\des+`
`LANGUAGE`	`U`	`U`	`\dL+`
`LARGE OBJECT`	`rw`	none
`SCHEMA`	`UC`	none	`\dn+`
`SEQUENCE`	`rwU`	none	`\dp`
`TABLE` (and table-like objects)	`arwdDxt`	none	`\dp`
Table column	`arwx`	none	`\dp`
`TABLESPACE`	`C`	none	`\db+`
`TYPE`	`U`	`U`	`\dT+`

Read the ACL output

Each entry in an ACL value uses the format grantee=privileges/grantor. A * after a privilege letter means the privilege was granted with grant option. An empty grantee field stands for PUBLIC.

For example, calvin=r*w/hobbes means:

Role calvin has SELECT (r) with grant option (*)
Role calvin has UPDATE (w) without grant option
Both were granted by role hobbes

If calvin holds privileges on the same object from a different grantor, those appear as a separate ACL entry.

Example

Suppose user miriam creates mytable and runs:

GRANT SELECT ON mytable TO PUBLIC;
GRANT SELECT, UPDATE, INSERT ON mytable TO admin;
GRANT SELECT (col1), UPDATE (col1) ON mytable TO miriam_rw;

Running \dp mytable in psql shows:

    => \dp mytable
                                      Access privileges
     Schema |  Name   | Type  |   Access privileges   |   Column privileges   | Policies
    --------+---------+-------+-----------------------+-----------------------+----------
     public | mytable | table | miriam=arwdDxt/miriam+| col1:                +|
            |         |       | =r/miriam            +|   miriam_rw=rw/miriam |
            |         |       | admin=arw/miriam      |                       |
    (1 row)

Reading the output:

miriam=arwdDxt/miriam — the owner holds all applicable privileges on the table
=r/miriam — PUBLIC has SELECT, granted by miriam
admin=arw/miriam — admin has SELECT, UPDATE, and INSERT, granted by miriam
Column privileges show miriam_rw has SELECT and UPDATE on col1

Empty "Access privileges" column

If the "Access privileges" column is empty for an object, the object has default privileges — its ACL entry in the system catalog is null. Default privileges always include all privileges for the owner, plus any default PUBLIC privileges for the object type (see the table above). The first GRANT or REVOKE on an object instantiates the default privileges explicitly (producing an entry like miriam=arwdDxt/miriam) and then applies the requested change.

Similarly, entries are shown in "Column privileges" only for columns with nondefault privileges. (Note: for this purpose, "default privileges" always means the built-in default privileges for the object's type. An object whose privileges have been affected by an ALTER DEFAULT PRIVILEGES command will always be shown with an explicit privilege entry that includes the effects of the ALTER.)

The owner's implicit grant options are not shown in the access privileges display. A * appears only when grant options have been explicitly granted to someone.