Permissions reference

In QuestDB Enterprise, permissions control which users can execute an action. There are three levels of permissions:

  • database - relates to global actions, e.g. BACKUP, and also to table-specific actions that apply to all tables, e.g. SELECT
  • table - relates to table actions, e.g. SET TABLE PARAM, and also to column actions that apply to all of a table's columns, e.g. DROP COLUMN or SELECT
  • column - relates to actions on a specific column of a table, e.g. DROP INDEX

Database permissions:

permission              level                      description
ADD COLUMN              Database | Table           Allows adding a new column to an existing table via the REST API and Postgres Wire protocol.
ADD INDEX               Database | Table | Column  Allows adding an index on a symbol column.
ALTER COLUMN CACHE      Database | Table | Column  Allows disabling or enabling caching of symbol column values via ALTER TABLE command.
ATTACH PARTITION        Database | Table           Allows attaching a partition to an existing table.
BACKUP DATABASE         Database                   Allows creating a database backup via BACKUP DATABASE command.
BACKUP TABLE            Database | Table           Allows creating a table backup via BACKUP TABLE command.
CANCEL ANY COPY         Database                   Allows cancelling a running COPY command via COPY importId CANCEL command.
CREATE TABLE            Database                   Allows creating tables.
DEDUP ENABLE            Database | Table           Allows enabling deduplication and setting of upsert keys.
DEDUP DISABLE           Database | Table           Allows disabling deduplication.
DETACH PARTITION        Database | Table           Allows detaching partitions from tables.
DROP COLUMN             Database | Table | Column  Allows dropping table columns.
DROP INDEX              Database | Table | Column  Allows dropping symbol column indexes via ALTER TABLE command.
DROP PARTITION          Database | Table           Allows dropping or squashing existing table partitions.
DROP TABLE              Database | Table           Allows dropping tables.
INSERT                  Database | Table           Allows inserting data into table columns.
REINDEX                 Database | Table | Column  Allows reindexing a table's columns.
RENAME COLUMN           Database | Table | Column  Allows renaming columns.
RENAME TABLE            Database | Table           Allows renaming tables.
RESUME WAL              Database | Table           Allows resuming WAL processing via ALTER TABLE RESUME WAL command.
SELECT                  Database | Table | Column  Allows selecting/reading table or column data.
SET TABLE PARAM         Database | Table           Allows setting table parameters via ALTER TABLE SET PARAM command.
SET TABLE TYPE          Database | Table           Allows changing table type via ALTER TABLE SET TYPE command.
SNAPSHOT                Database                   Allows preparing a database snapshot.
TRUNCATE TABLE          Database | Table           Allows truncating tables.
UPDATE                  Database | Table | Column  Allows updating table columns.
VACUUM TABLE            Database | Table           Allows reclaiming storage via VACUUM TABLE command.

User management permissions:

permission              level                      description
ADD PASSWORD            Database                   Allows setting a user password in CREATE USER and ALTER USER commands.
ADD USER                Database                   Allows adding a user to group(s).
CREATE GROUP            Database                   Allows creating groups.
CREATE JWK              Database                   Allows creating JWK tokens via ALTER USER command.
CREATE REST TOKEN       Database                   Allows creating REST API tokens via ALTER USER command.
CREATE SERVICE ACCOUNT  Database                   Allows creating service accounts.
CREATE USER             Database                   Allows creating users.
DISABLE USER            Database                   Allows disabling users.
DROP GROUP              Database                   Allows dropping groups.
DROP JWK                Database                   Allows dropping JWK tokens via ALTER USER command.
DROP REST TOKEN         Database                   Allows dropping REST API tokens via ALTER USER command.
DROP SERVICE ACCOUNT    Database                   Allows dropping service accounts.
DROP USER               Database                   Allows dropping users.
ENABLE USER             Database                   Allows enabling users.
LIST USERS              Database                   Allows listing user details in SHOW GROUPS, SHOW SERVICE ACCOUNTS and SHOW USERS.
REMOVE PASSWORD         Database                   Allows setting no password via WITH NO PASSWORD clause in CREATE USER and ALTER USER commands.
REMOVE USER             Database                   Allows removing a user from group(s).
USER DETAILS            Database                   Applies to SHOW USER, SHOW SERVICE ACCOUNTS, SHOW PERMISSIONS, SHOW GROUPS commands.

Database endpoint permissions:

permission              level                      description
HTTP                    Database                   Allows access to the REST API endpoint; this includes connections from the Web Console.
ILP                     Database                   Allows access to the InfluxDB Line Protocol (ILP) endpoint.
PGWIRE                  Database                   Allows access to the Postgres Wire endpoint.

Special permissions:

permission              level                      description
ALL                     Database | Table | Column  All permissions on all levels; it does not include permissions to assume service accounts.

Examples

The list of all permissions, with the levels they apply to, is returned by the all_permissions() function, e.g.

select * from all_permissions();

permission              level
SELECT                  Database | Table | Column
INSERT                  Database | Table | Column
UPDATE                  Database | Table | Column
...                     ...

โญ Something missing? Page not helpful? Please suggest an edit on GitHub.