In Redshift/Postgres, when a privilege is granted, it takes affect at the moment the grant is issued, and that’s it; it does not extend into the future, it does not cause any other actions ever to occur.
So if we issue something like
grant select on all tables in schema, the
select privilege is granted on all tables in that schema,
at and only at the moment the command is issued.
If then later more tables are created in that schema, they
do not have the select privilege granted.
All of the syntax in the grant command about “all tables in” and so on, are merely ways to indicate a set of objects - they are not a commandment that the user will in the future have the given privileges on new objects.
There is of course as you can imagine a need for the capability to specify that privileges are granted, in the future, on new objects. That’s where default privileges come in - this is the mechanism by which this is done.
A default privilege is created by a user, and owned by the user, and it says that whenever that user creates a new object (which can be a table, view, function or procedure), that the specified privileges are automatically to be granted to a given user or group, or to the group-like object public.
Additionally, one extra constraint can be specified, which is that the default privilege applies only to objects created in a particular schema.
This page lists all default privileges in the database.
| Name | Type |
|---|---|
| owner_user_id | int4 |
| owner | varchar |
| object:schema_id | int8 |
| object:schema | varchar |
| object:type | varchar |
| recipient:type | varchar |
| recipient:id | int4 |
| recipient:name | varchar |
| privs | varchar |
| privs:function_execute | bool |
| privs:function_grant_execute | bool |
| privs:procedure_execute | bool |
| privs:procedure_grant_execute | bool |
| privs:table_delete | bool |
| privs:table_grant_delete | bool |
| privs:table_drop | bool |
| privs:table_grant_drop | bool |
| privs:table_insert | bool |
| privs:table_grant_insert | bool |
| privs:table_reference | bool |
| privs:table_grant_reference | bool |
| privs:table_select | bool |
| privs:table_grant_select | bool |
| privs:table_update | bool |
| privs:table_grant_update | bool |
The owner user ID. This column is emitted in CSV exports only.
The owner user name.
If the default privilege is restricted to a schema, this is the
schema ID, otherwise NULL.
If the default privilege is restricted to a schema, this is the
schema name, otherwise NULL.
The type of object the default privilege is for. There are three values, and the value is the type of object.
| Value |
|---|
| function |
| procedure |
| table |
Note table includes views (all three types).
The type of the recipient of the privilege. This is one of the following;
| Type | Description |
|---|---|
| group | a group |
| public | the group-like object public |
| user | a user |
If the recipient is a group, this is the group ID.
If the recipient is the group-like object public, this is
NULL.
If the recipient is a user, this is the user ID.
If the recipient is a group, this is the group name.
If the recipient is the group-like object public, this is
NULL.
If the recipient is a user, this is the user name.
This column shows the privileges granted by the default privilege.
When the privilege is IN CAPITALS, it means the privilege to grant is being given (and in Postgres/Redshift, to be able to give the privilege to grant, the underlying privilege itself is inherently also granted, which makes sense, as you could just grant that privilege to yourself).
True if the privilege execute on function is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant execute on function is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege execute on procedure is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant execute on procedure is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege delete on table is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant delete on table is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege drop on table is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant drop on table is granted,
otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege insert on table is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant insert on table is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege reference on table is granted,
otherwise false.
This privilege allows a user to create references (foreign keys) on a table, but to do so, this privilege must be held on both the table itself and the foreign key table.
This column is emitted in CSV exports only.
True if the privilege to grant reference on table is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege select on table is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant select on table is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.
True if the privilege update on table is granted,
otherwise false. This column is emitted in CSV exports only.
True if the privilege to grant update on table is
granted, otherwise false.
In Redshift/Postgres, if the privilege to grant is held, then the underlying privilege itself is also held; granting the privilege to grant also grants the privilege itself.
(Which makes sense, as you could just grant that privilege to yourself.)
This column is emitted in CSV exports only.