Skip to Content

PostgreSQL GRANT Statement: A Complete Guide

By: Author David Cao

Posted on Last updated:

0 Comments

Categories Postgresql

Introduction

PostgreSQL is a robust, open-source relational database management system that offers advanced features for data storage, processing, and retrieval. One of the key components of PostgreSQL’s security model is the GRANT statement.

This statement allows database administrators to control access to database objects like tables, views, sequences, and functions by assigning specific privileges to roles.

Effective access control is crucial for ensuring that users and applications can perform their tasks without compromising the integrity or confidentiality of the data. In this comprehensive guide, we’ll explore how to use the PostgreSQL GRANT statement to manage database privileges and provide examples of common use cases.

Understanding the PostgreSQL GRANT Statement

The GRANT statement in PostgreSQL is used to assign privileges on database objects (such as tables, views, or schemas) to roles. Privileges are specific rights that a role can perform on a database object, such as reading data, modifying data, or creating new database structures. When a user or role attempts to perform an operation, PostgreSQL checks whether that role has the necessary privileges.

Get Your Free Linux training!

Join our free Linux training and discover the power of open-source technology. Enhance your skills and boost your career! Learn Linux for Free!

The basic syntax of the GRANT statement is:

GRANT privilege_list | ALL
ON object_name
TO role_name;

Key Elements of the Syntax:

  • privilege_list: A comma-separated list of privileges that you want to assign. Examples include:
    • SELECT: Allows reading data from a table or view.
    • INSERT: Allows adding new rows to a table.
    • UPDATE: Allows modifying data in a table.
    • DELETE: Allows deleting data from a table.
    • TRUNCATE: Allows removing all rows from a table.
    • REFERENCES: Allows creating foreign keys that reference the table.
    • ALL: Grants all available privileges for the given object.
  • object_name: The name of the database object (e.g., a table, view, function) on which privileges are being granted.
  • role_name: The name of the role (user or group of users) to which you are granting the privileges.

Why Use the GRANT Statement?

PostgreSQL’s role-based access control (RBAC) system is designed to support a wide range of security needs, from basic single-user databases to large-scale multi-user enterprise systems. By using the GRANT statement, you can:

  • Enhance Security: Limit access to sensitive data or critical database functions.
  • Implement Principle of Least Privilege: Only grant the minimum necessary privileges to roles to reduce the risk of unauthorized access or accidental data corruption.
  • Simplify Database Management: Granting privileges at the role level makes managing permissions easier as you scale your database with more users and complex use cases.

PostgreSQL GRANT Statement Examples

Let’s explore a real-world example, step-by-step, to understand how the GRANT statement works in PostgreSQL.

Step 1: Connect to PostgreSQL

Start by logging into your PostgreSQL server using a tool like psql:

psql -U postgres

Step 2: Create a New User Role

To create a new role (user) called joe who can log into the PostgreSQL server, run:

CREATE ROLE joe
LOGIN
PASSWORD 'YourPassword';

Replace ‘YourPassword’ with a password of your choice.

Step 3: Create a Table

Next, create a table called candidates:

CREATE TABLE candidates (
    candidate_id INT GENERATED ALWAYS AS IDENTITY,
    first_name VARCHAR(100) NOT NULL,
    last_name VARCHAR(100) NOT NULL,
    email VARCHAR(255) NOT NULL UNIQUE,
    phone VARCHAR(25) NOT NULL,
    PRIMARY KEY (candidate_id)
);

This table stores information about candidates, including their first_name, last_name, email, and phone.

Step 4: Attempt to Access the Table as joe

Now, log in as joe in a separate session:

psql -U joe

Attempting to select data from the candidates table results in an error:

SELECT * FROM candidates;

The error message will be:

ERROR:  permission denied for table candidates

This happens because joe does not yet have any privileges on the candidates table.

Step 5: Grant SELECT Privilege

To allow joe to select data from the candidates table, run the following GRANT statement in the postgres session:

GRANT SELECT
ON candidates
TO joe;

Now, joe can execute the SELECT statement without errors:

SELECT * FROM candidates;

If there is no data in the table, it will return an empty result set.

Step 6: Grant More Privileges

Let’s say you want joe to also insert, update, and delete records in the candidates table. You can grant these privileges as follows:

GRANT INSERT, UPDATE, DELETE
ON candidates
TO joe;

Now, joe can insert a new candidate:

INSERT INTO candidates (first_name, last_name, email, phone)
VALUES ('Joe', 'Com', '[email protected]', '408-111-2222');

Step 7: All Privileges

If you want to grant all available privileges on the candidates table to joe, you can use the ALL keyword:

GRANT ALL
ON candidates
TO joe;

This will allow joe to perform any operation on the candidates table, including SELECT, INSERT, UPDATE, DELETE, and others.

Step 8: Grant Privileges on All Tables in a Schema

In some cases, you might want to grant a role privileges on all tables within a specific schema. For example, to grant all privileges on all tables in the public schema:

GRANT ALL
ON ALL TABLES IN SCHEMA public
TO joe;

This will grant joe the ability to perform any operation on all current and future tables within the public schema.

Step 9: Grant Privileges to a Read-Only Role

If you want to create a read-only role that can only execute SELECT queries on all tables within a schema, you can do so with the following command:

GRANT SELECT
ON ALL TABLES IN SCHEMA public
TO reader;

This grants the reader role the ability to only query data from all tables in the public schema without modifying any data.

Basic Examples of Using the GRANT Statement

Example 1: Granting SELECT Privilege

The most common use of the GRANT statement is to allow a user to read data from a table. For example, if you have a table named employees and you want to allow a user, alice, to select data from it, you would execute the following SQL statement:

GRANT SELECT
ON employees
TO alice;

Example 2: Granting Multiple Privileges

You can grant multiple privileges in a single GRANT statement. For example, to allow a user bob to read, insert, and update data in the orders table, you can run the following:

GRANT SELECT, INSERT, UPDATE
ON orders
TO bob;

Example 3: Granting All Privileges

If you want to grant a role complete access to a table (all privileges), you can use the ALL keyword. For instance, to grant all privileges on the products table to a user charlie:

GRANT ALL
ON products
TO charlie;

Example 4: Granting Privileges on All Tables in a Schema

In PostgreSQL, you may want to grant privileges on all tables within a specific schema. For example, to grant all privileges on all tables in the public schema to the admin role, you would run:

GRANT ALL
ON ALL TABLES IN SCHEMA public
TO admin;

Advanced Use Cases for GRANT

Example 5: Creating a Read-Only Role

A common pattern is creating a read-only role that can query tables but cannot modify data. This is ideal for reporting or data analysis purposes. To create such a role, you would use the following command:

GRANT SELECT
ON ALL TABLES IN SCHEMA public
TO readonly_user;

Example 6: Granting EXECUTE Privileges on Functions

In addition to tables, you can also grant privileges on other database objects like functions. For example, to allow a user dave to execute a function called get_employee_salary, you would run:

GRANT EXECUTE
ON FUNCTION get_employee_salary()
TO dave;

Example 7: Granting Privileges on Sequences

If your database uses sequences for auto-incrementing fields or other purposes, you can also grant privileges on sequences. For example, to grant alice the ability to use the candidate_id_seq sequence (typically used for auto-incrementing the candidate_id column):

GRANT USAGE, SELECT
ON SEQUENCE candidate_id_seq
TO alice;

Example 8: Granting Privileges on a Database or Schema

In some scenarios, you may need to grant privileges on a broader level, such as an entire schema or even an entire database. For example, to grant a user eve the ability to create tables and other objects in the sales schema:

GRANT CREATE
ON SCHEMA sales
TO eve;

Alternatively, you can grant a role the ability to connect to a specific database:

GRANT CONNECT
ON DATABASE company_db
TO eve;

Best Practices for Using GRANT

  • Principle of Least Privilege: Grant only the necessary privileges to roles. Start with the minimum required privileges and only grant additional rights as needed.
  • Role-Based Access Control: Use roles to group users with similar access needs. For example, create a role admin for users who need full control and a read_only role for users who only need to view data.
  • Grant Privileges to Roles, Not Individual Users: Instead of granting privileges directly to users, grant them to roles. Then, assign users to the appropriate roles. This approach makes privilege management simpler and more scalable.
  • Regularly Review Privileges: Periodically review the privileges granted to users and roles. Remove unnecessary privileges to reduce the attack surface.
  • Use REVOKE When Necessary: If a role no longer needs a certain privilege, use the REVOKE statement to remove it. This ensures that permissions are kept up-to-date.

Revoking Privileges

If you need to revoke privileges previously granted to a role, PostgreSQL provides the REVOKE statement. The syntax for revoking privileges is similar to GRANT:

REVOKE privilege_list
ON object_name
FROM role_name;

For example, to revoke the SELECT privilege on the employees table from the alice role, you would run:

REVOKE SELECT
ON employees
FROM alice;

Revoking privileges ensures that users who no longer require access to certain data or operations cannot perform those actions.

Conclusion

The PostgreSQL GRANT statement is a powerful and flexible tool for managing access to database objects. By using this statement, you can assign specific privileges to roles, ensuring that your database remains secure and that users have the necessary access to perform their tasks.

Whether you’re managing a small database with just a few users or a large-scale system with complex access control requirements, the GRANT statement allows you to implement fine-grained access control to protect your data while enabling efficient workflows.

With the best practices outlined in this guide, you should be well-equipped to leverage PostgreSQL’s access control mechanisms effectively and ensure your database security remains robust as your system scales.