GRANT controls each for interacting with specific , , , or . For privileges required by specific statements, see the documentation for the respective .
You can use GRANT to directly grant privileges to a role or user, or you can grant membership to an existing role, which grants that role’s privileges to the grantee. Users granted a privilege with WITH GRANT OPTION can in turn grant that privilege to others. The owner of an object implicitly has the GRANT OPTION for all privileges, and the GRANT OPTION is inherited through role memberships.
For new databases, users with the following roles are automatically granted the :
- Every user who is part of (including ).
- Every user who is part of for the new database.
The “ statement performs a schema change. For more information about how online schema changes work in CockroachDB, see .
Syntax
Parameters
| Parameter | Description |
|---|---|
ALLALL PRIVILEGES | Grant all privileges. |
privilege_list | A comma-separated list of privileges to grant. For guidelines, see . |
grant_targets | A comma-separated list of database, table, sequence, or function names. The list should be preceded by the object type (e.g., DATABASE mydatabase). If the object type is not specified, all names are interpreted as table or sequence names. |
target_types | A comma-separated list of . |
ALL SEQUENCES IN SCHEMA | Grant privileges on all sequences in a schema or list of schemas. |
ALL TABLES IN SCHEMA | Grant privileges on all tables and sequences in a schema or list of schemas. |
ALL FUNCTIONS IN SCHEMA | Grant privileges on all in a schema or list of schemas. |
schema_name_list | A comma-separated list of . |
role_spec_list | A comma-separated list of . |
WITH ADMIN OPTION | Designate the user as a role admin. Role admins can grant or membership for the specified role. |
WITH GRANT OPTION | Allow the user to grant the specified privilege to others. |
Supported privileges
Roles and users can be granted the following privileges:Required privileges
-
To grant privileges, the user granting the privileges must also have the privilege being granted on the target database or tables. For example, a user granting the
SELECTprivilege on a table to another user must have theSELECTprivileges on that table andWITH GRANT OPTIONonSELECT. -
To grant roles, the user granting role membership must be a role admin (i.e., members with the
WITH ADMIN OPTION) or a member of theadminrole. To grant membership to theadminrole, the user must haveWITH ADMIN OPTIONon theadminrole.
Details
Granting privileges
When a role or user is granted privileges for a table, the privileges are limited to the table. The user does not automatically get privileges to new or existing tables in the database. To grant privileges to a user on all new and/or existing tables in a database, see Grant privileges on all tables in a database. For privileges required by specific statements, see the documentation for the respective .Granting roles
- Users and roles can be members of roles.
- The
rootuser is automatically created as anadminrole and assigned theALLprivilege for new databases. - All privileges of a role are inherited by all its members.
- Membership loops are not allowed (direct:
A is a member of B is a member of Aor indirect:A is a member of B is a member of C ... is a member of A).
Limitations
User/role management operations (such as and ) are . As such, they inherit the . For example, schema changes wait for concurrent using the same resources as the schema changes to complete. In the case of being modified inside a transaction, most transactions need access to the set of role memberships. Using the default settings, role modifications require schema leases to expire, which can take up to 5 minutes. This means that elsewhere in the system can cause user/role management operations inside transactions to take several minutes to complete. This can have a cascading effect. When a user/role management operation inside a transaction takes a long time to complete, it can in turn block all user-initiated transactions being run by your application, since the user/role management operation in the transaction has to commit before any other transactions that access role memberships (i.e., most transactions) can make progress. If you want user/role management operations to finish more quickly, and do not care whether concurrent transactions will immediately see the side effects of those operations, set theallow_role_memberships_to_change_during_transaction to true.
When this session variable is enabled, any user/role management operations issued in the current session will only need to wait for the completion of statements in other sessions where allow_role_memberships_to_change_during_transaction is not enabled.
To accelerate user/role management operations across your entire application, you have the following options:
- Set the session variable in all sessions by .
-
Apply the
allow_role_memberships_to_change_during_transactionsetting globally to an entire cluster using the statement:
Examples
Setup
The following examples use MovR, a fictional vehicle-sharing application, to demonstrate CockroachDB SQL statements. For more information about the MovR example application and dataset, see . To follow along, run to start a temporary, in-memory cluster with themovr dataset preloaded:
Grant privileges on databases
Grant privileges on specific tables in a database
Grant privileges on all tables in a database or schema
To grant all the privileges on existing tables to a user:Grant system-level privileges on the entire cluster
live above the database level and apply to the entire cluster.root and users have system-level privileges by default, and are capable of granting it to other users and roles using the GRANT statement.
For example, the following statement allows the user max (created in a previous example) to use the statement by assigning the MODIFYCLUSTERSETTING system privilege:
Make a table readable to every user in the system
Grant privileges on schemas
Grant privileges on user-defined types
To grant privileges on , use the following statements.Grant the privilege to manage the replication zones for a database or table
max can then use the statement to add, modify, reset, or remove replication zones for the table rides.

