This page describes the privileges that you can grant to a database role for fine-grained access control.
To learn about database roles and fine-grained access control, see About fine-grained access control.
The following table shows the fine-grained access control privileges and the database objects that they can be granted on.
|Change stream's TVF||✓|
The following sections provide details about each privilege.
Allows the role to read or query from a table, view, or change stream.
If a column list is specified for a table, the privilege is valid on only those columns. If no column list is specified, then the privilege is valid on all columns in the table, including columns added afterward. A column list is not allowed for a view.
Because Cloud Spanner currently only supports invoker rights views, a database role needs the
SELECTprivilege on the view, and also the
SELECTprivilege on the underlying objects referenced in the view. For example, suppose the view
SingerNamesis created on the
CREATE VIEW SingerNames SQL SECURITY INVOKER AS SELECT Singers.SingerId, Singers.FirstName, Singers.LastName FROM Singers;
Suppose also that the database role
myRoleperforms the query
SELECT * FROM SingerNames. The role must have
SELECTon the view and must have
SELECTon the three referenced columns or on the entire
SELECTon a subset of columns for a table, the FGAC user can no longer use
SELECT *on that table. Queries on that table must name all columns to be included.
SELECTgranted on a generated column doesn't grant
SELECTon the underlying base columns.
For interleaved tables,
SELECTgranted on the parent table doesn't propagate to the child table.
When you grant
SELECTon a change stream, you must also grant
EXECUTEon the table-valued function for the change stream. For more information, see EXECUTE.
SELECTis used with an aggregate function on specific columns, for example
SUM(col_a), the role must have the
SELECTprivilege on those columns. If the aggregate function doesn't specify any columns, for example
COUNT(*), the role must have the
SELECTprivilege on at least one column in the table.
GRANT SELECT ON TABLE employees TO ROLE hr_director; GRANT SELECT ON TABLE customers, orders, items TO ROLE account_mgr; GRANT SELECT(name, level, cost_center, location, manager) ON TABLE employees TO ROLE hr_manager; GRANT SELECT(name, address, phone) ON TABLE employees, contractors TO ROLE hr_rep; GRANT SELECT ON VIEW ordersSummary TO ROLE hr_manager; GRANT SELECT ON CHANGE STREAM ordersChangeStream TO ROLE hr_analyst;
Allows the role to insert rows into the specified tables. If a column list is specified, the permission is valid on only those columns. If no column list is specified, then the privilege is valid on all columns in the table.
If column names are specified, any column not included gets its default value upon insert.
INSERTcan't be granted on generated columns.
GRANT INSERT ON TABLE employees, contractors TO ROLE hr_manager; GRANT INSERT(name, address, phone) ON TABLE employees TO ROLE hr_rep;
Allows the role to update rows in the specified tables. Updates can be restricted to a subset of table columns.
In addition to the
UPDATEprivilege, the role needs the
SELECTprivilege on all key columns and all queried columns. Queried columns include columns in the
WHEREclause and columns that are used to compute the new values of updated columns and generated columns.
UPDATEcan't be granted on generated columns.
GRANT UPDATE ON TABLE employees, contractors TO ROLE hr_manager; GRANT UPDATE(name, address, phone) ON TABLE employees TO ROLE hr_rep;
Allows the role to delete rows from the specified tables.
DELETEcan't be granted at the column level.
The role also needs
SELECTon all key columns and any columns that might be included in query
For interleaved tables, the
DELETEprivilege is required only on the parent table. If a child table specifies
ON DELETE CASCADE, rows from the child table are deleted even without the
DELETEprivilege on the child table.
GRANT DELETE ON TABLE employees, contractors TO ROLE hr_admin;
When you grant
SELECT on a change stream,
you must also grant
EXECUTE on the table-valued
function (TVF) for the change stream. For information about TVFs, see
Change stream query syntax.
GRANT EXECUTE ON TABLE FUNCTION READ_my_change_stream TO ROLE hr_analyst;
For more information, see: