Database object privileges
Privileges can be granted explicitly on most user-visible objects in a Vertica database, such as tables and models. For some objects such as projections, privileges are implicitly derived from other objects.
Explicitly granted privileges
The following table provides an overview of privileges that can be explicitly granted on Vertica database objects:
Database Object | Privileges | |||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ALTER | DROP | CREATE | DELETE | EXECUTE | INSERT | READ | REFERENCES | SELECT | TEMP | TRUNCATE | UPDATE | USAGE | WRITE | |
Database | • | • | ||||||||||||
Schema | ! | ! | • | ! | ! | ! | ! | ! | ! | • | ||||
Table | • | • | • | • | • | • | • | • | ||||||
View | • | • | • | |||||||||||
Sequence | • | • | • | |||||||||||
Procedure | • | |||||||||||||
User-defined function | • | • | • | |||||||||||
Model | • | • | • | |||||||||||
Library | • | |||||||||||||
Resource Pool | • | |||||||||||||
Storage Location | • | • | ||||||||||||
Key | • | • | • | |||||||||||
TLS Configuration | • |
Implicitly granted privileges
Metadata privileges
Superusers have unrestricted access to all non-cryptographic database metadata. For non-superusers, access to the metadata of specific objects depends on their privileges on those objects:
Metadata | User access |
---|---|
Catalog objects: | Users must possess USAGE privilege on the schema and any type of access (SELECT) or modify privilege on the object to see catalog metadata about the object. For internal objects such as projections and ROS containers, which have no access privileges directly associated with them, you must have the requisite privileges on the associated schema and tables to view their metadata. For example, to determine whether a table has any projection data, you must have USAGE on the table schema and SELECT on the table. |
User sessions and functions, and system tables related to these sessions |
Non-superusers can access information about their own (current) sessions only, using the following functions: |
Projection privileges
Projections, which store table data, do not have an owner or privileges directly associated with them. Instead, the privileges to create, access, or alter a projection are derived from the privileges that are set on its anchor tables and respective schemas.
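The following is an added example, not part of the original documentation. It walks through the metadata rule and the derived projection privileges described above: a non-superuser gets a table grant first and the schema grant second, checking the PROJECTIONS system table after each step. The schema, table, and user names (store_demo, orders, analyst1) are constructed for illustration, and the script assumes it is run by a superuser.

```sql
-- Constructed objects for the demonstration (names are assumptions).
CREATE SCHEMA store_demo;
CREATE TABLE store_demo.orders (order_id INT, amount NUMERIC(10,2));
INSERT INTO store_demo.orders VALUES (1, 19.99);
COMMIT;
CREATE USER analyst1;

-- Step 1: grant SELECT on the table only. Without USAGE on the schema,
-- the rule above says analyst1 cannot see catalog metadata for the
-- table or for the projections anchored on it.
GRANT SELECT ON TABLE store_demo.orders TO analyst1;

SET SESSION AUTHORIZATION analyst1;
SELECT projection_schema, projection_name, anchor_table_name
FROM v_catalog.projections
WHERE projection_schema = 'store_demo';
SET SESSION AUTHORIZATION DEFAULT;

-- Step 2: add USAGE on the schema. Both conditions are now met, so the
-- same query run as analyst1 is permitted to return the projection rows.
-- No privilege is granted on the projection itself: access is derived
-- from the anchor table and its schema.
GRANT USAGE ON SCHEMA store_demo TO analyst1;

SET SESSION AUTHORIZATION analyst1;
SELECT projection_schema, projection_name, anchor_table_name
FROM v_catalog.projections
WHERE projection_schema = 'store_demo';
SET SESSION AUTHORIZATION DEFAULT;

-- Review step: list the explicit grants that produce this access, so the
-- pairing of schema USAGE and table SELECT can be audited.
SELECT grantee, object_type, object_schema, object_name,
       privileges_description
FROM v_catalog.grants
WHERE grantee = 'analyst1'
ORDER BY object_type, object_name;

-- Cleanup of the constructed objects.
DROP USER analyst1;
DROP SCHEMA store_demo CASCADE;
```

The GRANTS query lists only privileges granted directly to analyst1; privileges the user holds through a role or through PUBLIC appear under that grantee's name instead.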
Cryptographic privileges
Unless they have ownership, superusers only have implicit DROP privileges on keys, certificates, and TLS Configurations. This allows superusers to see the existence of these objects in their respective system tables (CRYPTOGRAPHIC_KEYS, CERTIFICATES, and TLS_CONFIGURATIONS) and DROP them, but does not allow them to see the key or certificate texts.
For details on granting additional privileges, see GRANT (key) and GRANT (TLS configuration).