> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# GRANT

export const InternalLink = ({version, path = "", children, ...props}) => {
  let detectedVersion = version || "stable";
  if (typeof window !== 'undefined' && !version) {
    const match = window.location.pathname.match(/\/docs\/([^/]+)/);
    if (match) {
      detectedVersion = match[1];
    }
  }
  const normalizedPath = path.startsWith("/") ? path.slice(1) : path;
  return <a href={`/docs/${detectedVersion}/${normalizedPath}`} {...props}>
      {children}
    </a>;
};

The `GRANT` <InternalLink path="sql-statements">statement</InternalLink> controls each <InternalLink path="security-reference/authorization#users-and-roles">role or user's</InternalLink> <InternalLink path="security-reference/authorization#privileges">SQL privileges</InternalLink> for interacting with specific <InternalLink path="create-database">databases</InternalLink>, <InternalLink path="create-schema">schemas</InternalLink>, <InternalLink path="create-table">tables</InternalLink>, or <InternalLink path="enum">user-defined types</InternalLink>. For privileges required by specific statements, see the documentation for the respective <InternalLink path="sql-statements">SQL statement</InternalLink>.

You can use `GRANT` to directly grant privileges to a role or user, or you can grant membership to an existing role, which grants that role's privileges to the grantee. Users granted a privilege with `WITH GRANT OPTION` can in turn grant that privilege to others. The owner of an object implicitly has the `GRANT OPTION` for all privileges, and the `GRANT OPTION` is inherited through role memberships.

For new databases, users with the following roles are automatically granted the <InternalLink path="security-reference/authorization#supported-privileges">`ALL` privilege</InternalLink>:

* Every user who is part of <InternalLink path="security-reference/authorization#admin-role">the `admin` role</InternalLink> (including <InternalLink path="security-reference/authorization">the `root` user</InternalLink>).
* Every user who is part of <InternalLink path="security-reference/authorization#admin-role">the `owner` role</InternalLink> for the new database.

<Note>
  The \`\` statement performs a schema change. For more information about how online schema changes work in CockroachDB, see <InternalLink path="online-schema-changes">Online Schema Changes</InternalLink>.
</Note>

## Syntax

<img src="https://mintcdn.com/cockroachlabs/uBcLAizjWFXF4pfd/images/sql-diagrams/v25.1/grant.svg?fit=max&auto=format&n=uBcLAizjWFXF4pfd&q=85&s=bac3fc8455500eea1ad94fe830866a3f" alt="grant syntax diagram" style={{maxWidth: "100%", overflowX: "auto"}} width="1513" height="847" data-path="images/sql-diagrams/v25.1/grant.svg" />

### Parameters

| Parameter                   | Description                                                                                                                                                                                                                                      |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `ALL`<br />`ALL PRIVILEGES` | Grant all [privileges](#supported-privileges).                                                                                                                                                                                                   |
| `privilege_list`            | A comma-separated list of [privileges](#supported-privileges) to grant. For guidelines, see <InternalLink path="security-reference/authorization#managing-privileges">Managing privileges</InternalLink>.                                        |
| `grant_targets`             | A comma-separated list of database, table, sequence, or function names. The list should be preceded by the object type (e.g., `DATABASE mydatabase`). If the object type is not specified, all names are interpreted as table or sequence names. |
| `target_types`              | A comma-separated list of <InternalLink path="create-type">user-defined types</InternalLink>.                                                                                                                                                    |
| `ALL SEQUENCES IN SCHEMA`   | Grant [privileges](#supported-privileges) on all sequences in a schema or list of schemas.                                                                                                                                                       |
| `ALL TABLES IN SCHEMA`      | Grant [privileges](#supported-privileges) on all tables and sequences in a schema or list of schemas.                                                                                                                                            |
| `ALL FUNCTIONS IN SCHEMA`   | Grant [privileges](#supported-privileges) on all <InternalLink path="user-defined-functions">user-defined functions</InternalLink> in a schema or list of schemas.                                                                               |
| `schema_name_list`          | A comma-separated list of <InternalLink path="create-schema">schemas</InternalLink>.                                                                                                                                                             |
| `role_spec_list`            | A comma-separated list of <InternalLink path="security-reference/authorization#users-and-roles">roles</InternalLink>.                                                                                                                            |
| `WITH ADMIN OPTION`         | Designate the user as a role admin. Role admins can grant or <InternalLink path="revoke">revoke</InternalLink> membership for the specified role.                                                                                                |
| `WITH GRANT OPTION`         | Allow the user to grant the specified privilege to others.                                                                                                                                                                                       |

## Supported privileges

Roles and users can be granted the following privileges:

| Privilege                                                         | Levels                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| ----------------------------------------------------------------- | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ALL`                                                             | System, Database, Schema, Table, Sequence, Type | For the object to which `ALL` is applied, grants all privileges at the system, database, schema, table, sequence, or type level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `BACKUP`                                                          | System, Database, Table                         | Grants the ability to create <InternalLink path="backup-and-restore-overview">backups</InternalLink> at the system, database, or table level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `CANCELQUERY`                                                     | System                                          | Grants the ability to cancel queries.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| `CHANGEFEED`                                                      | Table                                           | Grants the ability to create <InternalLink path="change-data-capture-overview">changefeeds</InternalLink> on a table.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| <a id="connect" /> `CONNECT`                                      | Database                                        | Grants the ability to view a database's metadata, which consists of objects in a database's `information_schema` and `pg_catalog` system catalogs. This allows the role to view the database's table, schemas, user-defined types, and list the database when running `SHOW DATABASES`. The `CONNECT` privilege is also required to run backups of the database.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| `CONTROLJOB`                                                      | System                                          | Grants the ability to <InternalLink path="pause-job">pause</InternalLink>, <InternalLink path="resume-job">resume</InternalLink>, and <InternalLink path="cancel-job">cancel</InternalLink> jobs. Non-admin roles cannot control jobs created by admin roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `CREATE`                                                          | Database, Schema, Table, Sequence               | Grants the ability to create objects at the database, schema, table, or sequence level. When applied at the database level, grants the ability to configure <InternalLink path="zone-config-extensions">multi-region zone configs</InternalLink>. In CockroachDB v23.2 and later, the <InternalLink path="cluster-settings">cluster setting</InternalLink> `sql.auth.public_schema_create_privilege.enabled` controls whether users receive `CREATE` privileges on the public schema or not. The setting applies at the time that the <InternalLink path="create-schema">public schema is created</InternalLink>, which happens whenever <InternalLink path="create-database">a database is created</InternalLink>. The setting is `true` by default, but can be set to `false` for increased compatibility with [PostgreSQL version 15](https://www.postgresql.org/about/news/postgresql-15-released-2526/) as described in [this commit](https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b073c3ccd06e4cb845e121387a43faa8c68a7b62). |
| `CREATEDB`                                                        | System                                          | Grants the ability to <InternalLink path="create-database">create</InternalLink> or <InternalLink path="alter-database#rename-to">rename</InternalLink> a database.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `CREATELOGIN`                                                     | System                                          | Grants the ability to manage authentication using the `WITH PASSWORD`, `VALID UNTIL`, and `LOGIN`/`NOLOGIN` role options.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| `CREATEROLE`                                                      | System                                          | Grants the ability to <InternalLink path="create-role">create</InternalLink>, modify, or <InternalLink path="drop-role">delete</InternalLink> non-admin roles.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `DELETE`                                                          | Table, Sequence                                 | Grants the ability to delete objects at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `DROP`                                                            | Database, Table, Sequence                       | Grants the ability to drop objects at the database, table, or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `EXECUTE`                                                         | Function                                        | Grants the ability to execute <InternalLink path="functions-and-operators">functions</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `EXTERNALCONNECTION`                                              | System                                          | Grants the ability to connect to external systems such as object stores, key management systems, Kafka feeds, or external file systems. Often used in conjunction with the `BACKUP`, `RESTORE`, and `CHANGEFEED` privilege.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `EXTERNALIOIMPLICITACCESS`                                        | System                                          | Grants the ability to interact with external resources that require implicit access.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| `INSERT`                                                          | Table, Sequence                                 | Grants the ability to insert objects at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| <a id="modifyclustersetting" /> `MODIFYCLUSTERSETTING`            | System                                          | Grants the ability to modify <InternalLink path="cluster-settings">cluster settings</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| `MODIFYSQLCLUSTERSETTING`                                         | System                                          | Grants the ability to modify SQL <InternalLink path="cluster-settings">cluster settings</InternalLink> (cluster settings prefixed with `sql.`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `NOSQLLOGIN`                                                      | System                                          | Prevents roles from connecting to the SQL interface of a cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| <a id="repaircluster" /> `REPAIRCLUSTER`, `REPAIRCLUSTERMETADATA` | System                                          | Grants the ability to perform cluster debugging and repair operations, including: edit <InternalLink path="show-create-schedule">scheduled jobs</InternalLink>, edit <InternalLink path="show-create-external-connection">external connections</InternalLink>, <InternalLink path="ui-transactions-page#transaction-statistics">reset SQL statistics</InternalLink>, update <InternalLink path="configure-replication-zones">zone configurations</InternalLink>, <InternalLink path="alter-range#relocate">relocate ranges</InternalLink>, and check for constraint violations with <InternalLink version="releases" path="cockroachdb-feature-availability">`SCRUB`</InternalLink>. See also: [`VIEWCLUSTERMETADATA`](#viewclustermetadata).                                                                                                                                                                                                                                                                                                            |
| `REPLICATION`                                                     | System                                          | Grants the ability to create a <InternalLink path="logical-data-replication-overview">logical data replication</InternalLink> or <InternalLink path="physical-cluster-replication-overview">physical cluster replication</InternalLink> stream.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `RESTORE`                                                         | System, Database                                | Grants the ability to restore <InternalLink path="backup-and-restore-overview">backups</InternalLink> at the system or database level. Refer to `RESTORE` <InternalLink path="restore#required-privileges">Required privileges</InternalLink> for more details.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| `SELECT`                                                          | Table, Sequence                                 | Grants the ability to run <InternalLink path="query-data">selection queries</InternalLink> at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| `TRIGGER`                                                         | Table                                           | Grants the ability to create <InternalLink path="triggers">triggers</InternalLink> on a table.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| `UPDATE`                                                          | Table, Sequence                                 | Grants the ability to run <InternalLink path="update-data">update statements</InternalLink> at the table or sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `USAGE`                                                           | Schema, Sequence, Type                          | Grants the ability to use <InternalLink path="schema-design-overview">schemas</InternalLink>, <InternalLink path="create-sequence">sequences</InternalLink>, or <InternalLink path="create-type">user-defined types</InternalLink>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| <a id="viewactivity" /> `VIEWACTIVITY`                            | System                                          | Grants the ability to view other user's activity statistics of a cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| <a id="viewactivityredacted" /> `VIEWACTIVITYREDACTED`            | System                                          | Grants the ability to view other user's activity statistics, but prevents the role from accessing the statement diagnostics bundle in the DB Console, and viewing some columns in introspection queries that contain data about the cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| <a id="viewclustermetadata" /> `VIEWCLUSTERMETADATA`              | System                                          | Grants the ability to view range information, data distribution, store information, and Raft information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| <a id="viewclustersetting" /> `VIEWCLUSTERSETTING`                | System                                          | Grants the ability to view <InternalLink path="cluster-settings">cluster settings</InternalLink> and their values.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| <a id="viewdebug" /> `VIEWDEBUG`                                  | System                                          | Grants the ability to view the <InternalLink path="ui-debug-pages">Advanced Debug Page</InternalLink> of the DB Console and work with the debugging and profiling endpoints.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| <a id="viewjob" /> `VIEWJOB`                                      | System                                          | Grants the ability to view <InternalLink path="show-jobs">jobs</InternalLink> on the cluster.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `VIEWSYSTEMTABLE`                                                 | System                                          | Grants read-only access (`SELECT`) on all tables in the `system` database, without granting the ability to modify the cluster. This privilege was introduced in v23.1.11.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| `ZONECONFIG`                                                      | Database, Table, Sequence                       | Grants the ability to configure <InternalLink path="configure-replication-zones">replication zones</InternalLink> at the database, table, and sequence level.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

## Required privileges

* To grant privileges, the user granting the privileges must also have the privilege being granted on the target database or tables. For example, a user granting the `SELECT` privilege on a table to another user must have the `SELECT` privileges on that table and `WITH GRANT OPTION` on `SELECT`.

* To grant roles, the user granting role membership must be a role admin (i.e., members with the `WITH ADMIN OPTION`) or a member of the `admin` role. To grant membership to the `admin` role, the user must have `WITH ADMIN OPTION` on the `admin` role.

## Details

### Granting privileges

When a role or user is granted privileges for a table, the privileges are limited to the table. The user does *not* automatically get privileges to new or existing tables in the database. To grant privileges to a user on all new and/or existing tables in a database, see [Grant privileges on all tables in a database](#grant-privileges-on-all-tables-in-a-database-or-schema).

For privileges required by specific statements, see the documentation for the respective <InternalLink path="sql-statements">SQL statement</InternalLink>.

### Granting roles

* Users and roles can be members of roles.
* The `root` user is automatically created as an `admin` role and assigned the `ALL` privilege for new databases.
* All privileges of a role are inherited by all its members.
* Membership loops are not allowed (direct: `A is a member of B is a member of A` or indirect: `A is a member of B is a member of C ... is a member of A`).

## Known limitations

User/role management operations (such as <InternalLink path="grant">`GRANT`</InternalLink> and <InternalLink path="revoke">`REVOKE`</InternalLink>) are <InternalLink path="online-schema-changes">schema changes</InternalLink>. As such, they inherit the <InternalLink path="online-schema-changes">limitations of schema changes</InternalLink>.

For example, schema changes wait for concurrent <InternalLink path="transactions">transactions</InternalLink> using the same resources as the schema changes to complete. In the case of <InternalLink path="security-reference/authorization#roles">role memberships</InternalLink> being modified inside a transaction, most transactions need access to the set of role memberships. Using the default settings, role modifications require schema leases to expire, which can take up to 5 minutes.

This means that <InternalLink path="query-behavior-troubleshooting#hanging-or-stuck-queries">long-running transactions</InternalLink> elsewhere in the system can cause user/role management operations inside transactions to take several minutes to complete. This can have a cascading effect. When a user/role management operation inside a transaction takes a long time to complete, it can in turn block all user-initiated transactions being run by your application, since the user/role management operation in the transaction has to commit before any other transactions that access role memberships (i.e., most transactions) can make progress.

If you want user/role management operations to finish more quickly, and do not care whether concurrent transactions will immediately see the side effects of those operations, set the <InternalLink path="set-vars">session variable</InternalLink> `allow_role_memberships_to_change_during_transaction` to `true`.

When this session variable is enabled, any user/role management operations issued in the current session will only need to wait for the completion of statements in other sessions where `allow_role_memberships_to_change_during_transaction` is not enabled.

To accelerate user/role management operations across your entire application, you have the following options:

1. Set the session variable in all sessions by <InternalLink path="connection-parameters#supported-options-parameters">passing it in the client connection string</InternalLink>.
2. Apply the `allow_role_memberships_to_change_during_transaction` setting globally to an entire cluster using the <InternalLink path="alter-role#set-default-session-variable-values-for-all-users">`ALTER ROLE ALL`</InternalLink> statement:

   ```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
   ALTER ROLE ALL SET allow_role_memberships_to_change_during_transaction = true;
   ```

## Examples

#### Setup

To follow along, run <InternalLink path="cockroach-demo">`cockroach demo`</InternalLink> to start a temporary, in-memory cluster with the <InternalLink path="movr">`movr`</InternalLink> sample dataset preloaded:

```shell theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
$ cockroach demo
```

### Grant privileges on databases

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
CREATE USER IF NOT EXISTS max WITH PASSWORD 'roach';
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT ALL ON DATABASE movr TO max WITH GRANT OPTION;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON DATABASE movr;
```

```
  database_name | grantee | privilege_type | is_grantable
----------------+---------+----------------+---------------
  movr          | admin   | ALL            |      t
  movr          | max     | ALL            |      t
  movr          | public  | CONNECT        |      f
  movr          | root    | ALL            |      t
(4 rows)
```

### Grant privileges on specific tables in a database

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT DELETE ON TABLE rides TO max;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON TABLE rides;
```

```
  database_name | schema_name | table_name | grantee | privilege_type | is_grantable
----------------+-------------+------------+---------+----------------+---------------
  movr          | public      | rides      | admin   | ALL            |      t
  movr          | public      | rides      | max     | DELETE         |      f
  movr          | public      | rides      | root    | ALL            |      t
(3 rows)
```

### Grant privileges on all tables in a database or schema

To grant all the privileges on existing tables to a user:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT ALL ON * TO max;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON TABLE movr.public.*;
```

```
  database_name | schema_name |         table_name         | grantee | privilege_type | is_grantable
----------------+-------------+----------------------------+---------+----------------+---------------
  movr          | public      | promo_codes                | admin   | ALL            |      t
  movr          | public      | promo_codes                | max     | ALL            |      f
  movr          | public      | promo_codes                | root    | ALL            |      t
  movr          | public      | rides                      | admin   | ALL            |      t
  movr          | public      | rides                      | max     | ALL            |      f
  movr          | public      | rides                      | root    | ALL            |      t
  movr          | public      | user_promo_codes           | admin   | ALL            |      t
  movr          | public      | user_promo_codes           | max     | ALL            |      f
  movr          | public      | user_promo_codes           | root    | ALL            |      t
  movr          | public      | users                      | admin   | ALL            |      t
  movr          | public      | users                      | max     | ALL            |      f
  movr          | public      | users                      | root    | ALL            |      t
  movr          | public      | vehicle_location_histories | admin   | ALL            |      t
  movr          | public      | vehicle_location_histories | max     | ALL            |      f
  movr          | public      | vehicle_location_histories | root    | ALL            |      t
  movr          | public      | vehicles                   | admin   | ALL            |      t
  movr          | public      | vehicles                   | max     | ALL            |      f
  movr          | public      | vehicles                   | root    | ALL            |      t
(18 rows)
```

To ensure that anytime a new table is created, all the privileges on that table are granted to a user, use <InternalLink path="alter-default-privileges">`ALTER DEFAULT PRIVILEGES`</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
ALTER DEFAULT PRIVILEGES FOR ALL ROLES GRANT ALL ON TABLES TO max;
```

To check that this is working as expected, <InternalLink path="create-table">create a table</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
CREATE TABLE IF NOT EXISTS usertable(x INT);
```

Then, check that the all privileges on the newly created table are granted to the user you specified using <InternalLink path="show-grants">`SHOW GRANTS`</InternalLink>:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON TABLE usertable;
```

```
  database_name | schema_name | table_name | grantee | privilege_type | is_grantable
----------------+-------------+------------+---------+----------------+---------------
  movr          | public      | usertable  | admin   | ALL            |      t
  movr          | public      | usertable  | max     | ALL            |      f
  movr          | public      | usertable  | root    | ALL            |      t
(3 rows)
```

### Grant system-level privileges on the entire cluster

<InternalLink path="security-reference/authorization#supported-privileges">System-level privileges</InternalLink> live above the database level and apply to the entire cluster.

`root` and <InternalLink path="security-reference/authorization#admin-role">`admin`</InternalLink> users have system-level privileges by default, and are capable of granting it to other users and roles using the `GRANT` statement.

For example, the following statement allows the user `max` (created in a [previous example](#grant-privileges-on-databases)) to use the <InternalLink path="set-cluster-setting">`SET CLUSTER SETTING`</InternalLink> statement by assigning the `MODIFYCLUSTERSETTING` system privilege:

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT SYSTEM MODIFYCLUSTERSETTING TO max;
```

### Make a table readable to every user in the system

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT SELECT ON TABLE vehicles TO public;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON TABLE vehicles;
```

```
  database_name | schema_name | table_name | grantee | privilege_type | is_grantable
----------------+-------------+------------+---------+----------------+---------------
  movr          | public      | vehicles   | admin   | ALL            |      t
  movr          | public      | vehicles   | max     | ALL            |      f
  movr          | public      | vehicles   | public  | SELECT         |      f
  movr          | public      | vehicles   | root    | ALL            |      t
(4 rows)
```

### Grant privileges on schemas

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
CREATE SCHEMA IF NOT EXISTS cockroach_labs;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT ALL ON SCHEMA cockroach_labs TO max WITH GRANT OPTION;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON SCHEMA cockroach_labs;
```

```
  database_name |  schema_name   | grantee | privilege_type | is_grantable
----------------+----------------+---------+----------------+---------------
  movr          | cockroach_labs | admin   | ALL            |      t
  movr          | cockroach_labs | max     | ALL            |      t
  movr          | cockroach_labs | root    | ALL            |      t
(3 rows)
```

### Grant privileges on user-defined types

To grant privileges on <InternalLink path="create-type">user-defined types</InternalLink>, use the following statements.

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
CREATE TYPE IF NOT EXISTS status AS ENUM ('open', 'closed', 'inactive');
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT ALL ON TYPE status TO max WITH GRANT OPTION;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON TYPE status;
```

```
  database_name | schema_name | type_name | grantee | privilege_type | is_grantable
----------------+-------------+-----------+---------+----------------+---------------
  movr          | public      | status    | admin   | ALL            |      t
  movr          | public      | status    | max     | ALL            |      t
  movr          | public      | status    | public  | USAGE          |      f
  movr          | public      | status    | root    | ALL            |      t
(4 rows)
```

### Grant the privilege to manage the replication zones for a database or table

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT ZONECONFIG ON TABLE rides TO max;
```

The user `max` can then use the <InternalLink path="alter-table#configure-zone">`CONFIGURE ZONE`</InternalLink> statement to add, modify, reset, or remove replication zones for the table `rides`.

### Grant role membership

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
CREATE ROLE IF NOT EXISTS developer WITH CREATEDB;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
CREATE USER IF NOT EXISTS abbey WITH PASSWORD 'lincoln';
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT developer TO abbey;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON ROLE developer;
```

```
  role_name | member | is_admin
------------+--------+-----------
  developer | abbey  |    f
(1 row)
```

### Grant the admin option

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT developer TO abbey WITH ADMIN OPTION;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON ROLE developer;
```

```
  role_name | member | is_admin
------------+--------+-----------
  developer | abbey  |    t
(1 row)
```

### Grant privileges with the option to grant to others

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
GRANT UPDATE ON TABLE rides TO max WITH GRANT OPTION;
```

```sql theme={"theme":{"light":"catppuccin-mocha","dark":"catppuccin-mocha"}}
SHOW GRANTS ON TABLE rides;
```

```
  database_name | schema_name | table_name | grantee | privilege_type | is_grantable
----------------+-------------+------------+---------+----------------+---------------
  movr          | public      | rides      | admin   | ALL            |      t
  movr          | public      | rides      | max     | ALL            |      f
  movr          | public      | rides      | max     | UPDATE         |      t
  movr          | public      | rides      | root    | ALL            |      t
(4 rows)
```

## See also

* <InternalLink path="authorization">Authorization</InternalLink>
* <InternalLink path="revoke">`REVOKE`</InternalLink>
* <InternalLink path="show-grants">`SHOW GRANTS`</InternalLink>
* <InternalLink path="show-roles">`SHOW ROLES`</InternalLink>
* <InternalLink path="alter-table#configure-zone">`CONFIGURE ZONE`</InternalLink>
* <InternalLink path="security-reference/authorization#create-and-manage-users">Manage Users</InternalLink>
