I would like to give a user all the permissions on a database without making it an admin. The reason why I want to do that is that at the moment DEV and PROD are different DBs on the same cluster so I don't want a user to be able to change production objects but it must be able to change objects on DEV.
I tried:
grant ALL on database MY_DB to group MY_GROUP;
but it doesn't seem to give any permission.
Then I tried:
grant all privileges on schema MY_SCHEMA to group MY_GROUP;
and it seems to give me permission to create objects but not to query\delete objects on that schema that belong to other users
I could go on by giving USAGE permission to the user on MY_SCHEMA but then it would complain about not having permissions on the table ...
So I guess my question is: is there any easy way of giving all the permissions to a user on a DB?
I'm working on PostgreSQL 8.1.23.
All commands must be executed while connected to the right database cluster. Make sure of it.
Roles are objects of the database cluster. All databases of the same cluster share the set of defined roles. Privileges are granted / revoked per database / schema / table etc.
A role needs access to the database, obviously. That's granted to PUBLIC
by default. Else:
GRANT CONNECT ON DATABASE my_db TO my_user;
Postgres 14 adds the predefined, non-login roles pg_read_all_data
/ pg_write_all_data
.
They have SELECT
/ INSERT
, UPDATE
, DELETE
privileges for all tables, views, and sequences. Plus USAGE
on schemas. We can GRANT
membership in these roles:
GRANT pg_read_all_data TO my_user;
GRANT pg_write_all_data TO my_user;
This covers all basic DML commands (but not DDL, and not some special commands like TRUNCATE
or the EXECUTE
privilege for functions!). The manual:
pg_read_all_data
Read all data (tables, views, sequences), as if having
SELECT
rights on those objects, andUSAGE
rights on all schemas, even without having it explicitly. This role does not have the role attributeBYPASSRLS
set. If RLS is being used, an administrator may wish to setBYPASSRLS
on roles which this role isGRANT
ed to.
pg_write_all_data
Write all data (tables, views, sequences), as if having
INSERT
,UPDATE
, andDELETE
rights on those objects, andUSAGE
rights on all schemas, even without having it explicitly. This role does not have the role attributeBYPASSRLS
set. If RLS is being used, an administrator may wish to setBYPASSRLS
on roles which this role isGRANT
ed to.
Commands must be executed while connected to the right database. Make sure of it.
The role needs (at least) the USAGE
privilege on the schema. Again, if that's granted to PUBLIC
, you are covered. Else:
GRANT USAGE ON SCHEMA public TO my_user;
To also allow the creation of objects, the role needs the CREATE
privilege. With Postgres 15, security has been tightened and that privilege on the default schema public
is not granted to PUBLIC
any more. You might want that, too. Or just grant ALL
to your role:
GRANT ALL ON SCHEMA public TO my_user;
Or grant USAGE
/ CREATE
/ ALL
on all custom schemas:
DO
$$
BEGIN
-- RAISE NOTICE '%', ( -- use instead of EXECUTE to see generated commands
EXECUTE (
SELECT string_agg(format('GRANT USAGE ON SCHEMA %I TO my_user', nspname), '; ')
FROM pg_namespace
-- SELECT string_agg(format('GRANT ALL ON SCHEMA %I TO my_user', nspname), '; ')
WHERE nspname <> 'information_schema' -- exclude information schema and ...
AND nspname NOT LIKE 'pg\_%' -- ... system schemas
);
END
$$;
Then all permissions for all tables. And don't forget sequences (if any), which are used for legacy serial
columns.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO my_user;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO my_user;
Since Postgres 10, IDENTITY
columns can replace serial
columns, and those don't need separate privileges for the involved sequence. See:
Alternatively, you could use the "Grant Wizard" of pgAdmin 4 to work with a GUI.
This covers privileges for existing objects. To also cover future objects, set DEFAULT PRIVILEGES
. See:
There are some other objects, the manual for GRANT
has the complete list. As of Postgres 14:
privileges on a database object (table, column, view, foreign table, sequence, database, foreign-data wrapper, foreign server, function, procedure, procedural language, schema, or tablespace)
But the rest is rarely needed. More details:
Consider upgrading to a current version.