This page defines the characteristics, constraints, and intended use of the three predefined system roles that fine-grained access control provides for each database. Each system role has a different set of privileges, which can't be revoked.
public
All fine-grained access control users have IAM membership in
publicby default.All database roles inherit privileges from this role.
Initially,
publichas no privileges, but you can grant it privileges. If you grant a privilege topublic, it's available to all database roles, including database roles created afterward.
spanner_info_reader
This role has the
SELECTprivilege onINFORMATION_SCHEMAviews for GoogleSQL-dialect databases andinformation_schemaviews for PostgreSQL-dialect databases.You can't grant any other privileges to
spanner_info_reader.Grant membership in this role to any database role that needs to have unfiltered read access to the
INFORMATION_SCHEMAviews (GoogleSQL-dialect databases) or theinformation_schemaviews (PostgreSQL-dialect databases).
spanner_sys_reader
This role has the
SELECTprivilege onSPANNER_SYStables.You can't grant any other privileges to
spanner_sys_reader.Grant membership in this role to any database role that must have read access to the
SPANNER_SYSschema.
Restrictions on system roles
You can't delete a system role by using a
DROP ROLEstatement.System roles can't be members of other database roles. That is, the following GoogleSQL statement is invalid:
GRANT ROLE pii_access TO ROLE spanner_info_reader;You can't grant membership in the
publicrole to your database roles. For example, the following GoogleSQL statement is also invalid:GRANT ROLE public TO ROLE pii_access;However, you can grant membership in the
spanner_info_readerandspanner_sys_readerroles. For example, the following are valid statements.GoogleSQL
GRANT ROLE spanner_info_reader TO ROLE pii_access; GRANT ROLE spanner_sys_reader TO ROLE pii_access;PostgreSQL
GRANT spanner_info_reader TO pii_access; GRANT spanner_sys_reader TO pii_access;
More information
For more information, see: