변경 내역은 메타데이터 데이터베이스를 사용하여 내부 상태를 유지합니다. 메타데이터 데이터베이스는 애플리케이션 데이터베이스와 동일하거나 다를 수 있습니다. 다른 데이터베이스를 사용하는 것이 좋습니다. 그러나 세분화된 액세스 제어 사용자의 경우 메타데이터 데이터베이스는 애플리케이션 데이터베이스와 같을 수 없습니다. Dataflow 작업을 실행하는 IAM 주 구성원에게는 메타데이터 데이터베이스의 데이터베이스 수준에서 읽기 또는 쓰기 액세스 권한이 필요하기 때문입니다. 이로 인해 애플리케이션 데이터베이스에 구성된 세분화된 액세스 제어 권한이 재정의됩니다.
변경 내역에는 추적되는 테이블 및 열의 데이터 사본이 별도로 포함되어 있으므로 사용자에게 변경 내역에 대한 액세스 권한을 부여할 때는 주의해야 합니다. 변경 내역의 리더는 테이블 및 열에 대한 SELECT 권한이 없는 경우에도 추적된 테이블과 열의 데이터 변경사항을 볼 수 있습니다. 변경 내역과 추적된 테이블 및 열에 별도의 제어를 설정하는 것이 더 유연할 수 있지만 그에 따라 잠재적 위험이 있으므로 데이터베이스 역할과 권한을 구조화해야 합니다. 예를 들어 역할에서 테이블에 대한 SELECT 권한을 취소할 때 변경 내역에서 SELECT를 취소하고 관련 읽기 함수에서 EXECUTE을 취소할지 여부를 고려합니다.
모든 테이블을 추적하는 변경 내역에 SELECT를 부여하면 부여받는 사람은 향후에 추가되는 모든 테이블의 데이터 변경사항을 볼 수 있습니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-05(UTC)"],[],[],null,["# Fine-grained access control for change streams\n\nThis page explains how [fine-grained access control](/spanner/docs/fgac-about) works with\nSpanner change streams for GoogleSQL-dialect databases and PostgreSQL-dialect databases.\n\nFor fine-grained access control users, you allow read access to change streams data by using\nthe following grants. Both grants are required.\n\n- Grant `SELECT` on the change stream.\n\n ### GoogleSQL\n\n ```googlesql\n GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE ROLE_NAME;\n ```\n\n ### PostgreSQL\n\n ```postgresql\n GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE_NAME;\n ```\n- Grant `EXECUTE` on the read function that is automatically\n created for the change stream. You use the read function to read\n change stream records.\n\n ### GoogleSQL\n\n ```googlesql\n GRANT EXECUTE ON TABLE FUNCTION READ_FUNCTION_NAME TO ROLE ROLE_NAME;\n ```\n\n ### PostgreSQL\n\n ```postgresql\n GRANT EXECUTE ON FUNCTION READ_FUNCTION_NAME TO ROLE_NAME;\n ```\n\n For information about naming conventions for change stream read functions and\n formatting for the information that they return, see the following topics:\n - [Change stream read functions and query syntax](/spanner/docs/change-streams/details#change_stream_query_syntax)\n - [Change streams record format](/spanner/docs/change-streams/details#change_streams_record_format)\n\n`INFORMATION_SCHEMA` views for change streams\n---------------------------------------------\n\nThe following views show database roles and privileges information for change\nstreams:\n\n- GoogleSQL-dialect databases: [`INFORMATION_SCHEMA.CHANGE_STREAM_PRIVILEGES`](/spanner/docs/information-schema#change-stream-privileges)\n- PostgreSQL-dialect databases: [`information_schema.change_stream_privileges`](/spanner/docs/information-schema-pg#change-stream-privileges)\n\nThe rows in these views are filtered based on the current database role\nprivileges on change streams. This ensures that principals can view only the\nroles, privileges, and change streams that they have access to.\n\nRow filtering also applies to following change streams-related views: \n\n### GoogleSQL\n\n- [`INFORMATION_SCHEMA.CHANGE_STREAMS`](/spanner/docs/information-schema#change-streams)\n- [`INFORMATION_SCHEMA.CHANGE_STREAM_TABLES`](/spanner/docs/information-schema#change-stream-tables)\n- [`INFORMATION_SCHEMA.CHANGE_STREAM_COLUMNS`](/spanner/docs/information-schema#change-stream-columns)\n- [`INFORMATION_SCHEMA.CHANGE_STREAM_OPTIONS`](/spanner/docs/information-schema#change-stream-options)\n\nThe system role `spanner_info_reader` and its members always see an unfiltered\n`INFORMATION_SCHEMA`.\n\n### PostgreSQL\n\n- [`information_schema.change_streams`](/spanner/docs/information-schema-pg#change-streams)\n- [`information_schema.change_stream_tables`](/spanner/docs/information-schema-pg#change-stream-tables)\n- [`information_schema.change_stream_columns`](/spanner/docs/information-schema-pg#change-stream-columns)\n- [`information_schema.change_stream_options`](/spanner/docs/information-schema-pg#change-stream-options)\n\nThe system role `spanner_info_reader` and its members see an unfiltered\n`information_schema`.\n\nRow filtering also applies to the following metadata views for change stream\nread functions: \n\n### GoogleSQL\n\n- [`INFORMATION_SCHEMA.ROUTINES`](/spanner/docs/information-schema#routines)\n- [`INFORMATION_SCHEMA.ROUTINE_OPTIONS`](/spanner/docs/information-schema#routine_options)\n- [`INFORMATION_SCHEMA.ROUTINE_PRIVILEGES`](/spanner/docs/information-schema#routine_privileges)\n- [`INFORMATION_SCHEMA.PARAMETERS`](/spanner/docs/information-schema#parameters)\n\n### PostgreSQL\n\n- [`information_schema.routines`](/spanner/docs/information-schema-pg#routines)\n- [`information_schema.routine_options`](/spanner/docs/information-schema-pg#routine_options)\n- [`information_schema.routine_privileges`](/spanner/docs/information-schema-pg#routine_privileges)\n- [`information_schema.parameters`](/spanner/docs/information-schema-pg#parameters)\n\nCaveats\n-------\n\n- Change streams use a metadata database to maintain internal state. The\n metadata database can be the same as or different from the application\n database. We recommend that you use a different database. However, for\n fine-grained access control users, the metadata database can't be the same as the\n application database. This is because the IAM principal that\n runs the Dataflow job needs read or write access at the database\n level for the metadata database. This would override the fine-grained access control\n privileges that were configured for the application database.\n\n For more information, see [Consider a separate metadata\n database](/spanner/docs/change-streams/manage#why-metadata).\n- Because a change stream contains a separate copy of the data from the\n tracked tables and columns, be careful when granting users access to the\n change stream. The readers of the change stream can view data changes from\n the tracked tables and columns, even when they don't have `SELECT`\n privileges on the tables and columns. Although it's more flexible\n to set up separate controls on change streams and their tracked tables and\n columns, there's a potential risk, so ensure that you structure database\n roles and privileges accordingly. For example, when revoking the `SELECT`\n privilege on a table from a role, consider whether to also revoke `SELECT`\n on the change stream and revoke `EXECUTE` on the associated read\n function.\n\n- If you grant `SELECT` on a change stream that tracks all tables, the grantee\n can see data changes for any tables added in the future.\n\nWhat's next\n-----------\n\n- [Change streams overview](/spanner/docs/change-streams)\n- [Create and manage change streams](/spanner/docs/change-streams/manage)\n- [Fine-grained access control overview](/spanner/docs/fgac-about)"]]