Authorization models
Authorization in CockroachDB is unified, meaning that a given SQL user’s permissions on a given cluster are governed by the same policies in different contexts such as accessing the SQL shell or viewing data from the DB Console.Starting in v22.2, CockroachDB introduces a new granular system-level privilege model that provides finer control over a user’s ability to work with the database. This new system-level privilege model is intended to replace the existing role options model in a future release of CockroachDB. As such, any legacy role options that now have corresponding system-level privilege versions are deprecated in CockroachDB v22.2, though both are supported alongside each other in v22.2. We recommend familiarizing yourself with the new system-level privilege model, and implementing it where possible.
| Authorization Model | Features |
|---|---|
| System-level Privileges |
|
| Role Options |
|
Users and roles
Both authorization models make use of the concept of user and roles. There is no technical distinction between a role or user in CockroachDB. A role/user can:- Be permitted to log in to the .
- Be granted privileges to specific actions and database objects.
- Be a member of other users/roles, inheriting their privileges.
- Have other users/roles as members that inherit its privileges.
- Be configured with other role options.
CREATE ROLE will add the NOLOGIN option by default, preventing the user/role from being used to log in. Otherwise, for enhanced PostgreSQL compatibility, the keywords ROLE and USER can be used interchangeably in SQL statements.
Throughout the documentation, however, we will refer to a “user” or “role” based on the intended purpose of the entity.
SQL users
A SQL user can interact with a CockroachDB database using the or through an application.Create and manage users
Use the and statements to create and remove users, the statement to add or change a user’s password and role options, the and statements to manage the user’s privileges, and the statement to list users. A new user must be granted the required privileges for each database and table that the user needs to access.By default, a new user belongs to the
public role and has no privileges other than those assigned to the public role.Automatic role synchronization with external identity providers
CockroachDB can automatically synchronize user role memberships based on group claims from external identity providers (IdPs). This feature is available for:- JWT authentication: When users authenticate via JWT tokens for SQL client connections, CockroachDB can extract group claims from the token and automatically grant or revoke role memberships based on those groups. For details, refer to .
- OIDC authentication: When users authenticate via OIDC to the DB Console, CockroachDB can extract group claims from the ID token, access token, or userinfo endpoint and automatically manage role memberships. For details, refer to .
- On each login, CockroachDB extracts the groups claim from the authentication token or queries the IdP’s userinfo endpoint.
- Each group name is normalized using case folding and Unicode normalization (NFC).
- Each normalized group name is matched against existing CockroachDB role names.
- Roles corresponding to matching groups are automatically granted to the user.
- Roles that no longer match any current groups are automatically revoked.
Groups from the IdP that don’t correspond to existing CockroachDB roles are silently ignored. You must pre-create roles in CockroachDB for them to be granted through IdP group synchronization.
Reserved identities
These identities are reserved within CockroachDB. These identities are created automatically and cannot be removed.| Identity | Description |
|---|---|
node | Used for all internode communications and for executing internal SQL operations that are run as part of regular node background processes. The node user does not appear when listing a cluster’s users. |
root | Used for administrator access in cases where it is required to manage other admins, such as when deploying a new cluster. The root user is created by default for each cluster. The root user is assigned to the admin role and has all privileges across the cluster.For routine administration in production, Cockroach Labs recommends that you:
|
node and root cluster certificates must be handled with care due to the broad level of access they confer on their holders.
Roles
This section describes roles. For role options like
CREATEROLE, see role options.Default roles
Theadmin and public roles exist by default.
admin role
The admin role is created by default and cannot be dropped. Users belonging to the admin role have all privileges for all database objects across the cluster. The root user belongs to the admin role by default.
An admin user is a member of the admin role. Only admin users can use and .
To assign a user to the admin role:
public role
All new users and roles belong to the public role by default. You can grant and revoke the privileges on the public role.
Terminology
Role admin
Role admin is a role option that allows a given user or role to administrate itself, by granting and revoking it to other users and roles.
To create a role admin, use .
Direct member
A user or role that is an immediate member of the role. Example: A is a member of B.Indirect member
A user or role that is a member of the role by association. Example: A is a member of C … is a member of B where ”…” is an arbitrary number of memberships.Object ownership
All CockroachDB objects (such as databases, tables, schemas, and types) must have owners. The user that created the object is the default owner of the object and hasALL privileges on the object. Similarly, any roles that are members of the owner role also have all privileges on the object.
All objects that do not have owners (for example, objects created before upgrading to v20.2) have admin set as the default owner, with the exception of system objects. System objects without owners have node as their owner.
To allow another user to use the object, the owner can assign privileges to the other user. Members of the admin role have ALL privileges on all objects.
Users that own objects cannot be dropped until the .
Privileges
When a user connects to a database, either via the built-in SQL client or a client driver, CockroachDB checks the user and role’s privileges for each statement executed. If the user does not have sufficient privileges for a statement, CockroachDB gives an error.Supported privileges
System-level privileges (also known as global privileges) offer more granular control over a user’s actions when working with CockroachDB, compared to the . You can work with system-level privileges using the statement with theSYSTEM parameter, and the statement.
Roles and users can be granted the following privileges:
| Privilege | Levels | Description |
|---|---|---|
ALL | System, Database, Schema, Table, Sequence, Type | For the object to which ALL is applied, grants all privileges at the system, database, schema, table, sequence, or type level. |
BACKUP | System, Database, Table | Grants the ability to create at the system, database, or table level. |
BYPASSRLS | Table | Grants the ability to bypass policies on a table. This privilege controls the access from an RLS perspective only; the user also needs sufficient privileges to read or write to the table. |
CANCELQUERY | System | Grants the ability to cancel queries. |
CHANGEFEED | Table | Grants the ability to create on a table. |
CONNECT | Database | Grants the ability to view a database’s metadata, which consists of objects in a database’s information_schema and pg_catalog system catalogs. This allows the role to view the database’s table, schemas, user-defined types, and list the database when running SHOW DATABASES. The CONNECT privilege is also required to run backups of the database. |
CONTROLJOB | System | Grants the ability to , , and jobs. Non-admin roles cannot control jobs created by admin roles. |
CREATE | Database, Schema, Table, Sequence | Grants the ability to create objects at the database, schema, table, or sequence level. When applied at the database level, grants the ability to configure . In CockroachDB v23.2 and later, the sql.auth.public_schema_create_privilege.enabled controls whether users receive CREATE privileges on the public schema or not. The setting applies at the time that the , which happens whenever . The setting is true by default, but can be set to false for increased compatibility with PostgreSQL version 15 as described in this commit. |
CREATEDB | System | Grants the ability to or a database. |
CREATELOGIN | System | Grants the ability to manage authentication using the WITH PASSWORD, VALID UNTIL, and LOGIN/NOLOGIN role options. |
CREATEROLE | System | Grants the ability to , modify, or non-admin roles. |
DELETE | Table, Sequence | Grants the ability to delete objects at the table or sequence level. |
DROP | Database, Table, Sequence | Grants the ability to drop objects at the database, table, or sequence level. |
EXECUTE | Function | Grants the ability to execute . |
EXTERNALCONNECTION | System | Grants the ability to connect to external systems such as object stores, key management systems, Kafka feeds, or external file systems. Often used in conjunction with the BACKUP, RESTORE, and CHANGEFEED privilege. |
EXTERNALIOIMPLICITACCESS | System | Grants the ability to interact with external resources that require implicit access. |
INSERT | Table, Sequence | Grants the ability to insert objects at the table or sequence level. |
INSPECT | System | Grants the ability to run the statement and view results with . |
New in v26.2: MAINTAIN | Table, View | Grants the ability to perform maintenance operations on table-like objects without requiring ownership. Users with MAINTAIN on a materialized view can run , and users with MAINTAIN on a table can run and its alias ANALYZE. |
MODIFYCLUSTERSETTING | System | Grants the ability to modify . |
MODIFYSQLCLUSTERSETTING | System | Grants the ability to modify SQL (cluster settings prefixed with sql.). |
NOSQLLOGIN | System | Prevents roles from connecting to the SQL interface of a cluster. |
Deprecated REPLICATION | System | As of v25.2 REPLICATION is deprecated. Instead, use the REPLICATIONSOURCE and REPLICATIONDEST privileges at the table level. Grants the ability to create a or stream. |
REPAIRCLUSTER, REPAIRCLUSTERMETADATA | System | Grants the ability to perform cluster debugging and repair operations, including: edit , edit , , update , and . See also: VIEWCLUSTERMETADATA. |
REPLICATIONDEST | Table | Grants the ability to run logical data replication into an existing table on the destination cluster. For more details, refer to the tutorial. |
REPLICATIONSOURCE | Table | Grants the ability to run logical data replication from a table on the source cluster. For more details, refer to the tutorial. |
RESTORE | System, Database | Grants the ability to restore at the system or database level. Refer to RESTORE for more details. |
SELECT | Table, Sequence | Grants the ability to run at the table or sequence level. |
TRIGGER | Table | Grants the ability to create on a table. |
UPDATE | Table, Sequence | Grants the ability to run at the table or sequence level. |
USAGE | Schema, Sequence, Type | Grants the ability to use , , or . |
VIEWACTIVITY | System | Grants the ability to view other user’s activity statistics of a cluster. |
VIEWACTIVITYREDACTED | System | Grants the ability to view other user’s activity statistics, but prevents the role from accessing the statement diagnostics bundle in the DB Console, and viewing some columns in introspection queries that contain data about the cluster. |
VIEWCLUSTERMETADATA | System | Grants the ability to view range information, data distribution, store information, and Raft information. |
VIEWCLUSTERSETTING | System | Grants the ability to view and their values. |
VIEWDEBUG | System | Grants the ability to view the of the DB Console and work with the debugging and profiling endpoints. |
VIEWJOB | System | Grants the ability to view on the cluster. |
VIEWSYSTEMTABLE | System | Grants read-only access (SELECT) on all tables in the system database, without granting the ability to modify the cluster. This privilege was introduced in v23.1.11. |
ZONECONFIG | Database, Table, Sequence | Grants the ability to configure at the database, table, and sequence level. |
VIEWACTIVITY), if both the system-level privilege and its legacy role option are specified for a user/role, the system-level privilege will take precedence and the legacy role option will be ignored.
Managing privileges
Use the and statements to manage privileges for users and roles. Take the following points into consideration while granting privileges to roles and users:- When a role or user is granted privileges for a database, that role or user is not automatically granted access to any new or existing objects within that database. To change access to those objects, see Default privileges. This does not apply to system-level privileges, which apply cluster-wide.
- When a role or user is granted privileges for a table, the privileges are limited to the table.
- In CockroachDB, privileges are granted to users and roles at the database and table levels, or cluster-wide at the system level. They are not yet supported for other granularities such as columns or rows.
- The
rootuser automatically belongs to theadminrole and has theALLprivilege for new databases. - For privileges required by specific statements, see the documentation for the respective .
Default privileges
By default, CockroachDB grants the current role/userALL privileges on the objects that they create.
To view the default privileges for a role, or for a set of roles, use the statement.
To change the default privileges on objects that a user creates, use the statement.
The creator of an object is also the object’s owner. Any roles that are members of the owner role have ALL privileges on the object, independent of the default privileges. Altering the default privileges of objects created by a role does not affect that role’s privileges as the object’s owner. The default privileges granted to other users/roles are always in addition to the ownership (i.e., ALL) privileges given to the creator of the object.
For more examples of default privileges, see the examples on the and statement pages.
Authorization best practices
We recommend the following best practices to set up access control for your clusters:-
Use the
rootuser only for database administration tasks such as creating and managing other users, creating and managing roles, and creating and managing databases. Do not use therootuser for applications; instead, create users or roles with specific privileges based on your application’s access requirements. -
Use the Principle of Least Privilege (PoLP) as a golden rule when to designing your system of privilege grants.
For improved performance, CockroachDB securely caches . To limit the authentication latency of users logging into a new session, we recommend the following best practices for
ROLEoperations (, , ): -
Run bulk
ROLEoperations inside a transaction. -
Run regularly-scheduled
ROLEoperations together, rather than at different times throughout the day. - Generally, if a system-level privilege exists with the same name as a role option, the system-level privilege should be used.

