OpenText Analytics Database 26.2.x – Database privileges

Admin: Ownership and implicit privileges

Mon, 01 Jan 0001 00:00:00 +0000

All users have implicit privileges on the objects that they own. On creating an object, its owner automatically is granted all privileges associated with the object's type (see Database object privileges). Regardless of object type, the following privileges are inseparable from ownership and cannot be revoked, not even by the owner:

Authority to grant all object privileges to other users, and revoke them
ALTER (where applicable) and DROP
Extension of privilege granting authority on their objects to other users, and revoking that authority

Object owners can revoke all non-implicit, or ordinary, privileges from themselves. For example, on creating a table, its owner is automatically granted all implicit and ordinary privileges:

Implicit table privileges	Ordinary table privileges
ALTER DROP	DELETE INSERT REFERENCES SELECT TRUNCATE UPDATE

If user Joan creates table t1, she can revoke ordinary privileges UPDATE and INSERT from herself, which effectively makes this table read-only:


=> \c - Joan
You are now connected as user "Joan".
=> CREATE TABLE t1 (a int);
CREATE TABLE
=> INSERT INTO t1 VALUES (1);
 OUTPUT
--------
      1
(1 row)

=> COMMIT;
COMMIT
=> REVOKE UPDATE, INSERT ON TABLE t1 FROM Joan;
REVOKE PRIVILEGE
=> INSERT INTO t1 VALUES (3);
ERROR 4367:  Permission denied for relation t1
=> SELECT * FROM t1;
 a
---
 1
(1 row)

Joan can subsequently restore UPDATE and INSERT privileges to herself:


=> GRANT UPDATE, INSERT on TABLE t1 TO Joan;
GRANT PRIVILEGE
dbadmin=> INSERT INTO t1 VALUES (3);
 OUTPUT
--------
      1
(1 row)

=> COMMIT;
COMMIT
dbadmin=> SELECT * FROM t1;
 a
---
 1
 3
(2 rows)

Admin: Inherited privileges

Mon, 01 Jan 0001 00:00:00 +0000

You can manage inheritance of privileges at three levels:

Database
Schema
Tables, views, and models

By default, inherited privileges are enabled at the database level and disabled at the schema level. If privilege inheritance is enabled at both levels, newly created tables, views, and models automatically inherit their parent schema's privileges. You can also disable privilege inheritance on individual objects with the following statements:

Admin: Default user privileges

Mon, 01 Jan 0001 00:00:00 +0000

To set the minimum level of privilege for all users, OpenText™ Analytics Database uses the special PUBLIC role, which it grants to each user automatically. This role is automatically enabled, but the database administrator or a superuser can also grant higher privileges to users separately using GRANT statements.

Default privileges for MC users

Privileges on Management Console (MC) are managed through roles, which determine a user's access to MC and to MC-managed databases through the MC interface. MC privileges do not alter or override user privileges or roles. See Users, roles, and privileges in MC for details.

Admin: Effective privileges

Mon, 01 Jan 0001 00:00:00 +0000

A user's effective privileges on an object encompass privileges of all types, including:

Implicit privileges through object ownership
Explicit privileges through GRANT statements on objects
Inherited privileges through privileges on objects with inheritance enabled

You can view your effective privileges on an object with the GET_PRIVILEGES_DESCRIPTION meta-function.

Admin: Privileges required for common database operations

Mon, 01 Jan 0001 00:00:00 +0000

This topic lists the required privileges for database objects.

Unless otherwise noted, superusers can perform all operations shown in the following tables. Object owners always can perform operations on their own objects.

Note

Certain actions, such as setting another user's resource pool or selecting a view, depend on the effective privileges of other users. If that other user acquires these prerequisite privileges through a role, it must be a default role for the action to succeed.

For more information on changing a user's default roles, see Enabling roles automatically.

Schemas

The PUBLIC schema is present in any newly-created database. Newly-created users must be granted access to this schema:

=> GRANT USAGE ON SCHEMA public TO user;

A database superuser must also explicitly grant new users CREATE privileges, as well as grant them individual object privileges so the new users can create or look up objects in the PUBLIC schema.

Operation	Required Privileges
CREATE SCHEMA	Database: CREATE
DROP SCHEMA	Schema: owner
ALTER SCHEMA	Database: CREATE

Tables

Operation	Required Privileges
CREATE TABLE	Schema: CREATE Note Referencing sequences in the CREATE TABLE statement requires the following privileges: Sequence schema: USAGE Sequence: SELECT
DROP TABLE	Schema: USAGE or schema owner
TRUNCATE TABLE	Schema: USAGE or schema owner
ALTER TABLE ADD/DROP/ RENAME/ALTER-TYPE COLUMN	Schema: USAGE
ALTER TABLE ADD/DROP CONSTRAINT	Schema: USAGE
ALTER TABLE PARTITION (REORGANIZE)	Schema: USAGE
ALTER TABLE RENAME	USAGE and CREATE privilege on the schema that contains the table
ALTER TABLE...SET SCHEMA	New schema: CREATE Old Schema: USAGE
SELECT	Schema: USAGE SELECT privilege on table
INSERT	Table: INSERT Schema: USAGE
DELETE	Schema: USAGE Table: DELETE, SELECT when executing DELETE that references table column values in a WHERE or SET clause
UPDATE	Schema: USAGE Table: UPDATE, SELECT when executing UPDATE that references table column values in a WHERE or SET clause
REFERENCES	Schema: USAGE on schema that contains constrained table and source of foreign key Table: REFERENCES to create foreign key constraints that reference this table
ANALYZE_STATISTICS ANALYZE_STATISTICS_PARTITION	Schema: USAGE Table: One of INSERT, DELETE, or UPDATE
DROP_STATISTICS	Schema: USAGE Table: One of INSERT, DELETE, or UPDATE
DROP_PARTITIONS	Schema: USAGE

Views

Operation	Required Privileges
CREATE VIEW	Schema: CREATE on view schema, USAGE on schema with base objects Base objects: SELECT
DROP VIEW	Schema: USAGE or owner View: Owner
SELECT	Base table: View owner must have SELECT...WITH GRANT OPTION Schema: USAGE View: SELECT

Projections

Operation	Required Privileges
CREATE PROJECTION	Anchor table: SELECT Schema: USAGE and CREATE, or owner Note If a projection is implicitly created with the table, no additional privilege is needed other than privileges for table creation.
AUTO/DELAYED PROJECTION	On projections created during INSERT...SELECT or COPY operations: Schema: USAGE Anchor table: SELECT
ALTER PROJECTION	Schema: USAGE and CREATE
DROP PROJECTION	Schema: USAGE or owner

External procedures

Operation	Required Privileges
CREATE PROCEDURE (external)	Superuser
DROP PROCEDURE (external)	Superuser
EXECUTE	Schema: USAGE Procedure: EXECUTE

Stored procedures

Operation	Required Privileges
CREATE PROCEDURE (stored)	Schema: CREATE

Triggers

Operation	Required Privileges
CREATE TRIGGER	Superuser

Schedules

Operation	Required Privileges
CREATE SCHEDULE	Superuser

Libraries

Operation	Required Privileges
CREATE LIBRARY	Superuser
DROP LIBRARY	Superuser

User-defined functions

Note

The following table uses these abbreviations:

UDF = Scalar
UDT = Transform
UDAnF= Analytic
UDAF = Aggregate

Operation	Required Privileges
CREATE FUNCTION (SQL)CREATE FUNCTION (scalar) CREATE TRANSFORM FUNCTION CREATE ANALYTIC FUNCTION (UDAnF) CREATE AGGREGATE FUNCTION (UDAF)	Schema: CREATE Base library: USAGE (if applicable)
DROP FUNCTION DROP TRANSFORM FUNCTION DROP AGGREGATE FUNCTION DROP ANALYTIC FUNCTION	Schema: USAGE privilege Function: owner
ALTER FUNCTION (scalar)...RENAME TO	Schema: USAGE and CREATE
ALTER FUNCTION (scalar)...SET SCHEMA	Old schema: USAGE New Schema: CREATE
EXECUTE (SQL/UDF/UDT/ ADAF/UDAnF) function	Schema: USAGE Function: EXECUTE

Sequences

Operation	Required Privileges
CREATE SEQUENCE	Schema: CREATE
DROP SEQUENCE	Schema: USAGE or owner
ALTER SEQUENCE	Schema: USAGE and CREATE
ALTER SEQUENCE...SET SCHEMA	Old schema: USAGE New schema: CREATE
CURRVAL NEXTVAL	Sequence schema: USAGE Sequence: SELECT

Resource pools

Operation	Required Privileges
CREATE RESOURCE POOL	Superuser
ALTER RESOURCE POOL	Superuser to alter: MAXMEMORYSIZE PRIORITY QUEUETIMEOUT Non-superuser, UPDATE to alter: PLANNEDCONCURRENCY SINGLEINITIATOR MAXCONCURRENCY
SET SESSION RESOURCE_POOL	Resource pool: USAGE Users can only change their own resource pool setting using ALTER USER syntax
DROP RESOURCE POOL	Superuser

Users/profiles/roles

Operation	Required Privileges
CREATE USER CREATE PROFILE CREATE ROLE	Superuser
ALTER USER ALTER PROFILE ALTER ROLE	Superuser
DROP USER DROP PROFILE DROP ROLE	Superuser

Object visibility

You can use one or a combination of vsql \d meta commands and SQL system tables to view objects on which you have privileges to view.

Use \dn to view schema names and owners
Use \dt to view all tables in the database, as well as the system table V_CATALOG.TABLES
Use \dj to view projections showing the schema, projection name, owner, and node, as well as the system table V_CATALOG.PROJECTIONS

Operation	Required Privileges
Look up schema	Schema: At least one privilege
Look up object in schema or in system tables	Schema: USAGE At least one privilege on any of the following objects: TABLE VIEW FUNCTION PROCEDURE SEQUENCE
Look up projection	All anchor tables: At least one privilege Schema (all anchor tables): USAGE
Look up resource pool	Resource pool: SELECT
Existence of object	Schema: USAGE

I/O operations

Operation	Required Privileges
CONNECT TO VERTICA DISCONNECT	None
EXPORT TO VERTICA	Source table: SELECT Source schema: USAGE Destination table: INSERT Destination schema: USAGE
COPY FROM VERTICA	Source/destination schema: USAGE Source table: SELECT Destination table: INSERT
COPY FROM `file`	Superuser
COPY FROM STDIN	Schema: USAGE Table: INSERT
COPY LOCAL	Schema: USAGE Table: INSERT

Comments

Operation	Required Privileges
COMMENT ON { is one of }: AGGREGATE FUNCTION ANALYTIC FUNCTION COLUMN CONSTRAINT FUNCTION LIBRARY NODE PROJECTION SCHEMA SEQUENCE TABLE TRANSFORM FUNCTION VIEW	Object owner or superuser

Operation

Required Privileges

COMMENT ON { is one of }:

Object owner or superuser

Transactions

Operation	Required Privileges
COMMIT	None
ROLLBACK	None
RELEASE SAVEPOINT	None
SAVEPOINT	None

Sessions

Operation	Required Privileges
SET { is one of }: DATESTYLE ESCAPE_STRING_WARNING INTERVALSTYLE LOCALE ROLE SEARCH_PATH SESSION AUTOCOMMIT SESSION CHARACTERISTICS SESSION MEMORYCAP SESSION RESOURCE POOL SESSION RUNTIMECAP SESSION TEMPSPACE STANDARD_CONFORMING_STRINGS TIMEZONE	None
SHOW { name \| ALL }	None

Operation

Required Privileges

SET { is one of }:

None

SHOW { name | ALL }

None

Tuning operations

Operation	Required Privileges
PROFILE	Same privileges required to run the query being profiled
EXPLAIN	Same privileges required to run the query for which you use the EXPLAIN keyword

TLS configuration

Operation	Required Privileges
ALTER	ALTER privileges on the TLS Configuration
DROP	DROP privileges on the TLS Configuration
Add certificates to a TLS Configuration	USAGE on the certificate's private key

Cryptographic key

Operation	Required Privileges
Create a certificate from the key	USAGE privileges on the key
DROP	DROP privileges on the key

Certificate

Operation	Required Privileges
Add certificate to TLS Configuration	ALTER privileges on the TLS Configuration and one of the following: USAGE privileges on the certificate USAGE privileges on the certificate's private key
DROP	DROP privileges on the certificate's private key

Operation

Required Privileges

Add certificate to TLS Configuration

ALTER privileges on the TLS Configuration and one of the following:

USAGE privileges on the certificate
USAGE privileges on the certificate's private key

DROP

DROP privileges on the certificate's private key

Admin: Database object privileges

Mon, 01 Jan 0001 00:00:00 +0000

Privileges can be granted explicitly on most user-visible objects in the database, such as tables and models. For some objects such as projections, privileges are implicitly derived from other objects.

Explicitly granted privileges

The following table provides an overview of privileges that can be explicitly granted on database objects:

Database Object	Privileges
ALTER	DROP	CREATE	DELETE	EXECUTE	INSERT	READ	REFERENCES	SELECT	TEMP	TRUNCATE	UPDATE	USAGE	WRITE
Database			•							•
Schema	!	!	•	!		!		!	!		!	!	•
Table	•	•		•		•		•	•		•	•
View	•	•							•
Sequence	•	•							•
Procedure					•
User-defined function	•	•			•
Model	•	•											•
Library													•
Resource Pool													•
Storage Location							•							•
Key	•	•												•
TLS Configuration	•

Implicitly granted privileges

Metadata privileges

Superusers have unrestricted access to all non-cryptographic database metadata. For non-superusers, access to the metadata of specific objects depends on their privileges on those objects:

Metadata	User access
Catalog objects: Tables Columns Constraints Sequences External procedures Projections ROS containers	Users must possess USAGE privilege on the schema and any type of access (SELECT) or modify privilege on the object to see catalog metadata about the object. For internal objects such as projections and ROS containers, which have no access privileges directly associated with them, you must have the requisite privileges on the associated schema and tables to view their metadata. For example, to determine whether a table has any projection data, you must have USAGE on the table schema and SELECT on the table.
User sessions and functions, and system tables related to these sessions	Non-superusers can access information about their own (current) sessions only, using the following functions: CURRENT_DATABASE CURRENT_SCHEMA CURRENT_USER / SESSION_USER HAS_TABLE_PRIVILEGE

Metadata

User access

Catalog objects:

Tables
Columns
Constraints
Sequences
External procedures
Projections
ROS containers

Users must possess USAGE privilege on the schema and any type of access (SELECT) or modify privilege on the object to see catalog metadata about the object.

For internal objects such as projections and ROS containers, which have no access privileges directly associated with them, you must have the requisite privileges on the associated schema and tables to view their metadata. For example, to determine whether a table has any projection data, you must have USAGE on the table schema and SELECT on the table.

User sessions and functions, and system tables related to these sessions

Non-superusers can access information about their own (current) sessions only, using the following functions:

Projection privileges

Projections, which store table data, do not have an owner or privileges directly associated with them. Instead, the privileges to create, access, or alter a projection are derived from the privileges that are set on its anchor tables and respective schemas.

Cryptographic privileges

Unless they have ownership, superusers only have implicit DROP privileges on keys, certificates, and TLS Configurations. This allows superusers to see the existence of these objects in their respective system tables (CRYPTOGRAPHIC_KEYS, CERTIFICATES, and TLS_CONFIGURATIONS) and DROP them, but does not allow them to see the key or certificate texts.

For details on granting additional privileges, see GRANT (key) and GRANT (TLS configuration).

Admin: Granting and revoking privileges

Mon, 01 Jan 0001 00:00:00 +0000

OpenText™ Analytics Database supports GRANT and REVOKE statements to control user access to database objects—for example, GRANT (schema) and REVOKE (schema), GRANT (table) and REVOKE (table), and so on. Typically, a superuser creates users and roles shortly after creating the database, and then uses GRANT statements to assign them privileges.

Where applicable, GRANT statements require USAGE privileges on the object schema. The following users can grant and revoke privileges:

Superusers: all privileges on all database objects, including the database itself
Non-superusers: all privileges on objects that they own
Grantees of privileges that include WITH GRANT OPTION: the same privileges on that object

In the following example, a dbadmin (with superuser privileges) creates user Carol. Subsequent GRANT statements grant Carol schema and table privileges:

CREATE and USAGE privileges on schema PUBLIC
SELECT, INSERT, and UPDATE privileges on table public.applog. This GRANT statement also includes WITH GRANT OPTION. This enables Carol to grant the same privileges on this table to other users —in this case, SELECT privileges to user Tom:

=> CREATE USER Carol;
CREATE USER
=> GRANT CREATE, USAGE ON SCHEMA PUBLIC to Carol;
GRANT PRIVILEGE
=> GRANT SELECT, INSERT, UPDATE ON TABLE public.applog TO Carol WITH GRANT OPTION;
GRANT PRIVILEGE
=> GRANT SELECT ON TABLE public.applog TO Tom;
GRANT PRIVILEGE

Admin: Modifying privileges

Mon, 01 Jan 0001 00:00:00 +0000

A superuser or object owner can use one of the ALTER statements to modify a privilege, such as changing a sequence owner or table owner. Reassignment to the new owner does not transfer grants from the original owner to the new owner; grants made by the original owner are dropped.

Admin: Viewing privileges granted on objects

Mon, 01 Jan 0001 00:00:00 +0000

You can view information about privileges, grantors, grantees, and objects by querying these system tables:

An asterisk (*) appended to a privilege indicates that the user can grant the privilege to other users.

You can also view the effective privileges on a specified database object by using the GET_PRIVILEGES_DESCRIPTION meta-function.

Viewing explicitly granted privileges

To view explicitly granted privileges on objects, query the GRANTS table.

The following query returns the explicit privileges for the schema, myschema.

=> SELECT grantee, privileges_description FROM grants WHERE object_name='myschema';
 grantee | privileges_description
---------+------------------------
 Bob     | USAGE, CREATE
 Alice   | CREATE
 (2 rows)

Viewing inherited privileges

To view which tables and views inherit privileges from which schemas, query the INHERITING_OBJECTS table.

The following query returns the tables and views that inherit their privileges from their parent schema, customers.

=> SELECT * FROM inheriting_objects WHERE object_schema='customers';
     object_id     |     schema_id     | object_schema |  object_name  | object_type
-------------------+-------------------+---------------+---------------+-------------
 45035996273980908 | 45035996273980902 | customers     | cust_info     | table
 45035996273980984 | 45035996273980902 | customers     | shipping_info | table
 45035996273980980 | 45035996273980902 | customers     | cust_set      | view
 (3 rows)

To view the specific privileges inherited by tables and views and information on their associated grant statements, query the INHERITED_PRIVILEGES table.

The following query returns the privileges that the tables and views inherit from their parent schema, customers.

=> SELECT object_schema,object_name,object_type,privileges_description,principal,grantor FROM inherited_privileges WHERE object_schema='customers';
 object_schema |  object_name  | object_type |                          privileges_description                           | principal | grantor
---------------+---------------+-------------+---------------------------------------------------------------------------+-----------+---------
 customers     | cust_info     | Table       | INSERT*, SELECT*, UPDATE*, DELETE*, ALTER*, REFERENCES*, DROP*, TRUNCATE* | dbadmin   | dbadmin
 customers     | shipping_info | Table       | INSERT*, SELECT*, UPDATE*, DELETE*, ALTER*, REFERENCES*, DROP*, TRUNCATE* | dbadmin   | dbadmin
 customers     | cust_set      | View        | SELECT*, ALTER*, DROP*                                                    | dbadmin   | dbadmin
 customers     | cust_info     | Table       | SELECT                                                                    | Val       | dbadmin
 customers     | shipping_info | Table       | SELECT                                                                    | Val       | dbadmin
 customers     | cust_set      | View        | SELECT                                                                    | Val       | dbadmin
 customers     | cust_info     | Table       | INSERT                                                                    | Pooja     | dbadmin
 customers     | shipping_info | Table       | INSERT                                                                    | Pooja     | dbadmin
 (8 rows)

Viewing effective privileges on an object

To view the current user's effective privileges on a specified database object, user the GET_PRIVILEGES_DESCRIPTION meta-function.

In the following example, user Glenn has set the REPORTER role and wants to check his effective privileges on schema s1 and table s1.articles.

Table s1.articles inherits privileges from its schema (s1).
The REPORTER role has the following privileges:
- SELECT on schema s1
- INSERT WITH GRANT OPTION on table s1.articles
User Glenn has the following privileges:
- UPDATE and USAGE on schema s1.
- DELETE on table s1.articles.

GET_PRIVILEGES_DESCRIPTION returns the following effective privileges for Glenn on schema s1:

=> SELECT GET_PRIVILEGES_DESCRIPTION('schema', 's1');
   GET_PRIVILEGES_DESCRIPTION
--------------------------------
 SELECT, UPDATE, USAGE
(1 row)

GET_PRIVILEGES_DESCRIPTION returns the following effective privileges for Glenn on table s1.articles:


=> SELECT GET_PRIVILEGES_DESCRIPTION('table', 's1.articles');
   GET_PRIVILEGES_DESCRIPTION
--------------------------------
 INSERT*, SELECT, UPDATE, DELETE
(1 row)

OpenText Analytics Database 26.2.x – Database privileges

Admin: Ownership and implicit privileges

Admin: Inherited privileges

Admin: Default user privileges

Default privileges for MC users

Admin: Effective privileges

Admin: Privileges required for common database operations

Note

Schemas

Tables

Note

Views

Projections

Note

External procedures

Stored procedures

Triggers

Schedules

Libraries

User-defined functions

Note

Sequences

Resource pools

Users/profiles/roles

Object visibility

I/O operations

Comments

Transactions

Sessions

Tuning operations

TLS configuration

Cryptographic key

Certificate

Admin: Database object privileges

Explicitly granted privileges

Implicitly granted privileges

Metadata privileges

Projection privileges

Cryptographic privileges

Admin: Granting and revoking privileges

Admin: Modifying privileges

Admin: Viewing privileges granted on objects

Viewing explicitly granted privileges

Viewing inherited privileges

Viewing effective privileges on an object

See also