ALL | System, Database, Schema, Table, Sequence, Type | For the object to which ALL is applied, grants all privileges at the system, database, schema, table, sequence, or type level. | |
BACKUP | System, Database, Table | Grants the ability to create at the system, database, or table level. | |
| BYPASSRLS | Table | Grants the ability to bypass policies on a table. This privilege controls the access from an RLS perspective only; the user also needs sufficient privileges to read or write to the table. |
CANCELQUERY | System | Grants the ability to cancel queries. | |
CHANGEFEED | Table | Grants the ability to create on a table. | |
| CONNECT | Database | Grants the ability to view a database’s metadata, which consists of objects in a database’s information\_schema and pg\_catalog system catalogs. This allows the role to view the database’s table, schemas, user-defined types, and list the database when running SHOW DATABASES. The CONNECT privilege is also required to run backups of the database. |
CONTROLJOB | System | Grants the ability to , , and jobs. Non-admin roles cannot control jobs created by admin roles. | |
CREATE | Database, Schema, Table, Sequence | Grants the ability to create objects at the database, schema, table, or sequence level. When applied at the database level, grants the ability to configure . In CockroachDB v23.2 and later, the sql.auth.public\_schema\_create\_privilege.enabled controls whether users receive CREATE privileges on the public schema or not. The setting applies at the time that the , which happens whenever . The setting is true by default, but can be set to false for increased compatibility with PostgreSQL version 15 as described in this commit. | |
CREATEDB | System | Grants the ability to or a database. | |
CREATELOGIN | System | Grants the ability to manage authentication using the WITH PASSWORD, VALID UNTIL, and LOGIN/NOLOGIN role options. | |
CREATEROLE | System | Grants the ability to , modify, or non-admin roles. | |
DELETE | Table, Sequence | Grants the ability to delete objects at the table or sequence level. | |
DROP | Database, Table, Sequence | Grants the ability to drop objects at the database, table, or sequence level. | |
EXECUTE | Function | Grants the ability to execute . | |
EXTERNALCONNECTION | System | Grants the ability to connect to external systems such as object stores, key management systems, Kafka feeds, or external file systems. Often used in conjunction with the BACKUP, RESTORE, and CHANGEFEED privilege. | |
EXTERNALIOIMPLICITACCESS | System | Grants the ability to interact with external resources that require implicit access. | |
INSERT | Table, Sequence | Grants the ability to insert objects at the table or sequence level. | |
| INSPECT | System | Grants the ability to run the statement and view results with . |
| MODIFYCLUSTERSETTING | System | Grants the ability to modify . |
MODIFYSQLCLUSTERSETTING | System | Grants the ability to modify SQL (cluster settings prefixed with sql.). | |
NOSQLLOGIN | System | Prevents roles from connecting to the SQL interface of a cluster. | |
DeprecatedREPLICATION | System | As of v25.2 REPLICATION is deprecated. Instead, use the REPLICATIONSOURCE and REPLICATIONDEST privileges at the table level. Grants the ability to create a or stream. | |
| REPAIRCLUSTER, REPAIRCLUSTERMETADATA | System | Grants the ability to perform cluster debugging and repair operations, including: edit , edit , , update , and . See also: VIEWCLUSTERMETADATA. |
| REPLICATIONDEST | Table | Grants the ability to run logical data replication into an existing table on the destination cluster. For more details, refer to the tutorial. |
| REPLICATIONSOURCE | Table | Grants the ability to run logical data replication from a table on the source cluster. For more details, refer to the tutorial. |
RESTORE | System, Database | Grants the ability to restore at the system or database level. Refer to RESTORE for more details. | |
SELECT | Table, Sequence | Grants the ability to run at the table or sequence level. | |
TRIGGER | Table | Grants the ability to create on a table. | |
UPDATE | Table, Sequence | Grants the ability to run at the table or sequence level. | |
USAGE | Schema, Sequence, Type | Grants the ability to use , , or . | |
| VIEWACTIVITY | System | Grants the ability to view other user’s activity statistics of a cluster. |
| VIEWACTIVITYREDACTED | System | Grants the ability to view other user’s activity statistics, but prevents the role from accessing the statement diagnostics bundle in the DB Console, and viewing some columns in introspection queries that contain data about the cluster. |
| VIEWCLUSTERMETADATA | System | Grants the ability to view range information, data distribution, store information, and Raft information. |
| VIEWCLUSTERSETTING | System | Grants the ability to view and their values. |
| VIEWDEBUG | System | Grants the ability to view the of the DB Console and work with the debugging and profiling endpoints. |
| VIEWJOB | System | Grants the ability to view on the cluster. |
VIEWSYSTEMTABLE | System | Grants read-only access (SELECT) on all tables in the system database, without granting the ability to modify the cluster. This privilege was introduced in v23.1.11. | |
ZONECONFIG | Database, Table, Sequence | Grants the ability to configure at the database, table, and sequence level. | |