Role-based access control (RBAC) model
Roles in YSQL can represent individual users or a group of users. They encapsulate a set of privileges that can be assigned to other roles (or users). Roles are essential to implementing and administering access control on a YugabyteDB cluster. Below are some important points about roles:
Roles inherit the privileges of all other roles granted to them.
YSQL defines a number of specific resources that represent underlying database objects. A resource can denote one object or a collection of objects. YSQL resources are hierarchical as described below:
- ROLES are hierarchical (they can be assigned to other roles). They follow the hierarchy:

  ```
  ALL ROLES
    > ROLE #1
    > …
  ```
Privileges are necessary to execute operations on database objects. Privileges can be granted at any level of the database hierarchy and are inherited downwards. The set of privileges includes:

Privilege | Objects | Operations |
---|---|---|
ALTER | database, table, role | ALTER |
AUTHORIZE | database, table, role | GRANT privilege, REVOKE privilege |
CREATE | database, table, role, index | CREATE |
DROP | database, table, role, index | DROP |
MODIFY | database, table | INSERT, UPDATE, DELETE, TRUNCATE |
SELECT | database, table | SELECT |

Note: the corresponding privilege on the base table is required in order to CREATE or DROP an index on it.
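As an added example (not from the YugabyteDB documentation), the role chain and downward privilege inheritance described above, expressed in YSQL; it assumes YSQL's PostgreSQL-compatible `GRANT`/`REVOKE` syntax and `has_table_privilege()` function, and the role and table names are hypothetical:

```sql
-- Added example, not part of the YugabyteDB docs. Assumes YSQL accepts
-- PostgreSQL-style GRANT/REVOKE; role and table names are hypothetical.

-- A table holding data that only some roles may read or change.
CREATE TABLE accounts (id INT PRIMARY KEY, owner TEXT, balance NUMERIC);

-- Group roles (NOLOGIN): they carry privileges, not credentials.
CREATE ROLE accounts_reader NOLOGIN;
CREATE ROLE accounts_writer NOLOGIN;

-- The SELECT privilege on the table goes to the reader group only.
GRANT SELECT ON accounts TO accounts_reader;

-- The writer group inherits everything the reader group holds ...
GRANT accounts_reader TO accounts_writer;
-- ... plus the MODIFY operations listed in the privilege table above.
GRANT INSERT, UPDATE, DELETE, TRUNCATE ON accounts TO accounts_writer;

-- A login role for an application, placed in the writer group. It holds
-- no direct table privileges; everything comes through the group chain.
CREATE ROLE billing_app LOGIN;
GRANT accounts_writer TO billing_app;

-- Check inheritance along billing_app -> accounts_writer -> accounts_reader:
-- SELECT should be visible two hops up, DELETE one hop up, and the reader
-- group should not have picked up INSERT from the writer group (inheritance
-- flows from the granted role to its members, not the other way round).
SELECT has_table_privilege('billing_app',     'accounts', 'SELECT') AS app_can_select,
       has_table_privilege('billing_app',     'accounts', 'DELETE') AS app_can_delete,
       has_table_privilege('accounts_reader', 'accounts', 'INSERT') AS reader_can_insert;

-- Revoking at the group level is inherited downwards to every member,
-- so billing_app loses DELETE/TRUNCATE without being touched directly.
REVOKE DELETE, TRUNCATE ON accounts FROM accounts_writer;
SELECT has_table_privilege('billing_app', 'accounts', 'DELETE') AS app_can_delete_after_revoke;
```

Run the two `SELECT has_table_privilege(...)` queries before and after the `REVOKE` to see the effective privileges change for `billing_app` without any statement naming that role.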