- Grants [privileges](#grant-privileges) to ClickHouse user accounts or roles.
- Assigns roles to user accounts or to other roles.
To revoke privileges, use the [REVOKE](revoke.md) statement. You can also list granted privileges with the [SHOW GRANTS](show.md#show-grants-statement) statement.
```sql
GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] ON {db.table|db.*|*.*|table|*} TO {user | role | CURRENT_USER} [,...] [WITH GRANT OPTION]
```
The `WITH GRANT OPTION` clause gives `user` or `role` permission to perform the `GRANT` query itself. A user can grant privileges only within the scope of their own account privileges.
## Assigning Role Syntax {#assign-role-syntax}
```sql
GRANT [ON CLUSTER cluster_name] role [,...] TO {user | another_role | CURRENT_USER} [,...] [WITH ADMIN OPTION]
```
- `role` — ClickHouse user role.
- `user` — ClickHouse user account.
The `WITH ADMIN OPTION` clause grants the [ADMIN OPTION](#admin-option-privilege) privilege to `user` or `role`.
## Usage {#grant-usage}
To use `GRANT`, your account must have the `GRANT OPTION` privilege. You can grant privileges only within the scope of your own account privileges.
For example, suppose an administrator has granted privileges to the `john` account with the query:
```sql
GRANT SELECT(x,y) ON db.table TO john WITH GRANT OPTION
```
This means that `john` has permission to perform:
- `SELECT x,y FROM db.table`.
- `SELECT x FROM db.table`.
- `SELECT y FROM db.table`.
`john` can't perform `SELECT z FROM db.table`. `SELECT * FROM db.table` is also unavailable: ClickHouse doesn't return any data, not even `x` and `y`.
`john` also has the `GRANT OPTION` privilege, so he can grant other users privileges of the same or a smaller scope.
When specifying privileges, you can use an asterisk (`*`) instead of a table or database name. For example, the `GRANT SELECT ON db.* TO john` query allows `john` to perform `SELECT` queries over all tables in the `db` database. You can also omit the database name; in that case privileges are granted for the current database. For example, `GRANT SELECT ON * TO john` grants the privilege on all tables in the current database, and `GRANT SELECT ON mytable TO john` grants the privilege on the `mytable` table in the current database.
You can grant multiple privileges to multiple accounts in one query. The query `GRANT SELECT, INSERT ON *.* TO john, petya` allows the accounts `john` and `petya` to perform `INSERT` and `SELECT` queries over all tables in all databases on the server.
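The delegation rule above, worked through end to end as an added example (not from the original page): the administrator grants `john` a narrow column scope with `GRANT OPTION`, `john` re-delegates a subset of it, and the grants that fall outside his scope are shown as comments. The `petya` account and the password placeholders are assumptions.

```sql
-- Constructed example: least-privilege delegation with GRANT OPTION.
-- Accounts and the password placeholder are assumptions, not page content.
CREATE USER IF NOT EXISTS john  IDENTIFIED WITH sha256_password BY '<placeholder>';
CREATE USER IF NOT EXISTS petya IDENTIFIED WITH sha256_password BY '<placeholder>';

-- Run as the administrator: john may read only columns x and y of db.table,
-- and may pass that (or a narrower) scope on to others.
GRANT SELECT(x, y) ON db.table TO john WITH GRANT OPTION;

-- Run as john: re-granting a subset of his own scope succeeds.
GRANT SELECT(x) ON db.table TO petya;

-- Run as john: each of these exceeds his scope, so the server rejects it.
-- GRANT SELECT(z) ON db.table TO petya;   -- column z was never granted to john
-- GRANT SELECT ON db.* TO petya;          -- wider than db.table
-- GRANT INSERT ON db.table TO petya;      -- a privilege john does not hold

-- Audit what each account actually holds after delegation.
SHOW GRANTS FOR john;
SHOW GRANTS FOR petya;

-- Take the re-delegated privilege back when it is no longer needed.
REVOKE SELECT(x) ON db.table FROM petya;
```

Running the `SHOW GRANTS` statements before and after the `REVOKE` is the quickest way to confirm that a delegated grant was removed rather than merely narrowed.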
## Privileges {#grant-privileges}
A privilege is a permission to perform a specific kind of query.
Privileges have a hierarchical structure. The set of permitted queries depends on the privilege scope.
Top scope privileges:
- [SELECT](#grant-select)
- [INSERT](#grant-insert)
- [ALTER](#grant-alter)
- [CREATE](#grant-create)
- [DROP](#grant-drop)
- [TRUNCATE](#grant-truncate)
- [OPTIMIZE](#grant-optimize)
- [SHOW](#grant-show)
- [EXISTS](#grant-exists)
- [KILL QUERY](#grant-kill-query)
- [CREATE USER](#grant-create-user)
- [ACCESS MANAGEMENT](#grant-access-management)
- [SYSTEM](#grant-system)
- [INTROSPECTION](#grant-introspection)
- [SOURCES](#grant-sources)
- [dictGet](#grant-dictget)
The special privilege [ALL](#grant-all) grants all privileges to a user account or a role.
By default, a user account or a role has no privileges.
If a user or role has no privileges, this is displayed as the [NONE](#grant-none) privilege.
Some queries require a set of privileges because of how they are implemented. For example, to perform the [RENAME](misc.md#misc_operations-rename) query you need the following privileges: `SELECT`, `CREATE TABLE`, `INSERT` and `DROP TABLE`.
### SELECT {#grant-select}
Allows performing [SELECT](select.md) queries.
**Description**
A user granted this privilege can perform `SELECT` queries over the specified list of columns in the specified table and database. If the user includes columns other than those specified, the query returns no data.
Consider the following privilege:
```sql
GRANT SELECT(x,y) ON db.table TO john
```
This privilege allows `john` to perform any `SELECT` query that involves data from the `x` and/or `y` columns in `db.table`, for example `SELECT x FROM db.table`. `john` can't perform `SELECT z FROM db.table`. `SELECT * FROM db.table` is also unavailable: ClickHouse doesn't return any data, not even `x` and `y`.
### INSERT {#grant-insert}
Allows performing [INSERT](insert_into.md) queries.
**Description**
A user granted this privilege can perform `INSERT` queries over the specified list of columns in the specified table and database. If the user includes columns other than those specified, the query doesn't insert any data.
- The `ALTER` privilege includes all other `ALTER*` privileges.
- `ALTER CONSTRAINT` includes the `ADD CONSTRAINT` and `DROP CONSTRAINT` privileges.
**Notes**
- The `MODIFY SETTING` privilege allows modifying table engine settings. It doesn't affect query settings or server configuration parameters.
- The `ATTACH` operation needs the [CREATE](#grant-create) privilege.
- The `DETACH` operation needs the [DROP](#grant-drop) privilege.
- To stop a mutation with the [KILL MUTATION](misc.md#kill-mutation-statement) query, you need the privilege that allows starting that mutation. For example, if you want to stop
### CREATE {#grant-create}
Allows performing [CREATE](create.md) and [ATTACH](misc.md#attach) DDL queries, corresponding to the following hierarchy of privileges:
- `CREATE`
    - `CREATE DATABASE`
    - `CREATE TABLE`
    - `CREATE VIEW`
    - `CREATE DICTIONARY`
    - `CREATE TEMPORARY TABLE`
**Notes**
- The `CREATE` privilege doesn't allow a grantee to delete the created table. A user needs [DROP](#grant-drop).
### DROP {#grant-drop}
Allows performing [DROP](misc.md#drop-statement) queries, corresponding to the following hierarchy of privileges:
- `DROP`
    - `DROP DATABASE`
    - `DROP TABLE`
    - `DROP VIEW`
    - `DROP DICTIONARY`
### TRUNCATE {#grant-truncate}
Allows performing [TRUNCATE](misc.md#truncate-statement) queries.
### OPTIMIZE {#grant-optimize}
Allows performing [OPTIMIZE TABLE](misc.md#misc_operations-optimize) queries.
### SHOW {#grant-show}
Allows performing `SHOW`, `DESCRIBE`, `USE`, and `EXISTS` queries, corresponding to the following hierarchy of privileges:
### SOURCES {#grant-sources}
Allows using external data sources. Applies to [table engines](../../engines/table_engines/index.md) and [table functions](../table_functions/index.md).
- `SOURCES`
    - `FILE`
    - `URL`
    - `REMOTE`
    - `MYSQL`
    - `ODBC`
    - `JDBC`
    - `HDFS`
    - `S3`
The `SOURCES` privilege enables the use of all sources. You can also grant a privilege for each source individually.
Table functions create temporary tables. Another way of creating a temporary table is the [CREATE TEMPORARY TABLE](create.md#temporary-tables) statement. Privileges for these ways of creating a table are granted independently and don't affect each other.
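A scoped alternative to the blanket `SOURCES` grant, as an added example that is not part of the original page: the `analyst` account and the `reports` database are assumptions, and the `SHOW GRANTS` at the end is the check that only the intended source privilege was granted.

```sql
-- Constructed example: limit which external sources an account may reach.
-- The analyst account, reports database and password placeholder are assumptions.
CREATE USER IF NOT EXISTS analyst IDENTIFIED WITH sha256_password BY '<placeholder>';

-- Weak: SOURCES unlocks every external source at once (FILE, URL, REMOTE,
-- MYSQL, ODBC, JDBC, HDFS, S3), so the account can pull data from any URL
-- or host the server itself can reach.
-- GRANT SOURCES ON *.* TO analyst;

-- Corrected: grant the data the workload needs plus only the source it uses.
GRANT SELECT ON reports.* TO analyst;
GRANT S3 ON *.* TO analyst;

-- Per the page, table-function access and CREATE TEMPORARY TABLE are granted
-- independently; the S3 grant above does not imply the latter.
-- GRANT CREATE TEMPORARY TABLE ON *.* TO analyst;   -- only if actually needed

-- Check: S3 should be the only source privilege listed; queries that need
-- URL or REMOTE are refused for this account.
SHOW GRANTS FOR analyst;

-- If the S3 access was temporary, remove it explicitly rather than leaving it.
REVOKE S3 ON *.* FROM analyst;
```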
### dictGet {#grant-dictget}
Allows a user to execute the [dictGet](../functions/ext_dict_functions.md#dictget), [dictHas](../functions/ext_dict_functions.md#dicthas), [dictGetHierarchy](../functions/ext_dict_functions.md#dictgethierarchy), and [dictIsIn](../functions/ext_dict_functions.md#dictisin) functions.
Some kinds of ClickHouse [dictionaries](../dictionaries/index.md) are not stored in a database. Use the `'no_database'` placeholder to grant the privilege to use `dictGet` with such dictionaries.
**Examples**
- `GRANT dictGet ON mydb.mydictionary TO john`
- `GRANT dictGet ON mydictionary TO john`
- `GRANT dictGet ON 'no_database'.mydictionary TO john`