2020-04-09 14:02:39 +00:00
---
2022-08-28 14:53:34 +00:00
slug: /en/sql-reference/statements/grant
2022-04-09 13:29:05 +00:00
sidebar_position: 38
sidebar_label: GRANT
2020-04-09 14:02:39 +00:00
---
2022-06-02 10:55:18 +00:00
# GRANT Statement
2020-04-09 14:02:39 +00:00
2024-05-02 07:00:40 +00:00
- Grants [privileges ](#privileges ) to ClickHouse user accounts or roles.
2023-04-19 15:55:29 +00:00
- Assigns roles to user accounts or to the other roles.
2020-04-09 14:02:39 +00:00
2023-05-19 20:53:26 +00:00
To revoke privileges, use the [REVOKE ](../../sql-reference/statements/revoke.md ) statement. Also you can list granted privileges with the [SHOW GRANTS ](../../sql-reference/statements/show.md#show-grants ) statement.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
## Granting Privilege Syntax
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
``` sql
2024-07-20 00:32:37 +00:00
GRANT [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] ON {db.table[*]|db[*].*|*.*|table[*]|*} TO {user | role | CURRENT_USER} [,...] [WITH GRANT OPTION] [WITH REPLACE OPTION]
2020-04-09 14:02:39 +00:00
```
2020-04-14 10:14:19 +00:00
2023-04-19 15:55:29 +00:00
- `privilege` — Type of privilege.
- `role` — ClickHouse user role.
- `user` — ClickHouse user account.
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
The `WITH GRANT OPTION` clause grants `user` or `role` with permission to execute the `GRANT` query. Users can grant privileges of the same scope they have and less.
2021-12-28 18:13:41 +00:00
The `WITH REPLACE OPTION` clause replace old privileges by new privileges for the `user` or `role` , if is not specified it appends privileges.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
## Assigning Role Syntax
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
``` sql
2021-07-21 15:08:38 +00:00
GRANT [ON CLUSTER cluster_name] role [,...] TO {user | another_role | CURRENT_USER} [,...] [WITH ADMIN OPTION] [WITH REPLACE OPTION]
2020-04-09 14:02:39 +00:00
```
2023-04-19 15:55:29 +00:00
- `role` — ClickHouse user role.
- `user` — ClickHouse user account.
2020-04-09 14:02:39 +00:00
2024-06-12 12:09:37 +00:00
The `WITH ADMIN OPTION` clause grants [ADMIN OPTION ](#admin-option ) privilege to `user` or `role` .
2021-12-28 18:13:41 +00:00
The `WITH REPLACE OPTION` clause replace old roles by new role for the `user` or `role` , if is not specified it appends roles.
2020-04-09 14:02:39 +00:00
2023-04-05 00:43:15 +00:00
## Grant Current Grants Syntax
``` sql
2023-04-13 16:57:21 +00:00
GRANT CURRENT GRANTS{(privilege[(column_name [,...])] [,...] ON {db.table|db.*|*.*|table|*}) | ON {db.table|db.*|*.*|table|*}} TO {user | role | CURRENT_USER} [,...] [WITH GRANT OPTION] [WITH REPLACE OPTION]
2023-04-05 00:43:15 +00:00
```
- `privilege` — Type of privilege.
- `role` — ClickHouse user role.
- `user` — ClickHouse user account.
Using the `CURRENT GRANTS` statement allows you to give all specified privileges to the given user or role.
If none of the privileges were specified, then the given user or role will receive all available privileges for `CURRENT_USER` .
2022-06-02 10:55:18 +00:00
## Usage
2020-04-09 14:02:39 +00:00
To use `GRANT` , your account must have the `GRANT OPTION` privilege. You can grant privileges only inside the scope of your account privileges.
For example, administrator has granted privileges to the `john` account by the query:
2020-06-18 08:24:31 +00:00
``` sql
2020-04-09 14:02:39 +00:00
GRANT SELECT(x,y) ON db.table TO john WITH GRANT OPTION
```
2020-05-15 20:30:51 +00:00
It means that `john` has the permission to execute:
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `SELECT x,y FROM db.table` .
- `SELECT x FROM db.table` .
- `SELECT y FROM db.table` .
2020-04-09 14:02:39 +00:00
2021-05-27 19:44:11 +00:00
`john` can’ t execute `SELECT z FROM db.table` . The `SELECT * FROM db.table` also is not available. Processing this query, ClickHouse does not return any data, even `x` and `y` . The only exception is if a table contains only `x` and `y` columns. In this case ClickHouse returns all the data.
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
Also `john` has the `GRANT OPTION` privilege, so it can grant other users with privileges of the same or smaller scope.
2020-04-09 14:02:39 +00:00
2020-04-14 10:14:19 +00:00
Access to the `system` database is always allowed (since this database is used for processing queries).
2020-05-15 20:30:51 +00:00
You can grant multiple privileges to multiple accounts in one query. The query `GRANT SELECT, INSERT ON *.* TO john, robin` allows accounts `john` and `robin` to execute the `INSERT` and `SELECT` queries over all the tables in all the databases on the server.
2020-04-09 14:02:39 +00:00
2024-07-20 00:32:37 +00:00
## Wildcard grants
Specifying privileges you can use asterisk (`*`) instead of a table or a database name. For example, the `GRANT SELECT ON db.* TO john` query allows `john` to execute the `SELECT` query over all the tables in `db` database.
Also, you can omit database name. In this case privileges are granted for current database.
For example, `GRANT SELECT ON * TO john` grants the privilege on all the tables in the current database, `GRANT SELECT ON mytable TO john` grants the privilege on the `mytable` table in the current database.
You can also put asterisks at the end of a table or a database name. This feature allows you to grant privileges on an abstract prefix of the table's path.
Example: `GRANT SELECT ON db.my_tables* TO john` . This query allows `john` to execute the `SELECT` query over all the `db` database tables with the prefix `my_tables*` .
More examples:
`GRANT SELECT ON db.my_tables* TO john`
```sql
SELECT * FROM db.my_tables -- granted
SELECT * FROM db.my_tables_0 -- granted
SELECT * FROM db.my_tables_1 -- granted
SELECT * FROM db.other_table -- not_granted
SELECT * FROM db2.my_tables -- not_granted
```
`GRANT SELECT ON db*.* TO john`
```sql
SELECT * FROM db.my_tables -- granted
SELECT * FROM db.my_tables_0 -- granted
SELECT * FROM db.my_tables_1 -- granted
SELECT * FROM db.other_table -- granted
SELECT * FROM db2.my_tables -- granted
```
All newly created tables within granted paths will automatically inherit all grants from their parents.
For example, if you run the `GRANT SELECT ON db.* TO john` query and then create a new table `db.new_table` , the user `john` will be able to run the `SELECT * FROM db.new_table` query.
You can specify asterisk **only** for the prefixes:
```sql
GRANT SELECT ON db.* TO john -- correct
GRANT SELECT ON db*.* TO john -- correct
GRANT SELECT ON *.my_table TO john -- wrong
GRANT SELECT ON foo*bar TO john -- wrong
GRANT SELECT ON *suffix TO john -- wrong
```
2022-06-02 10:55:18 +00:00
## Privileges
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
Privilege is a permission to execute specific kind of queries.
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
Privileges have a hierarchical structure. A set of permitted queries depends on the privilege scope.
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Hierarchy of privileges:
2020-04-09 14:02:39 +00:00
2024-05-02 07:00:40 +00:00
- [SELECT ](#select )
- [INSERT ](#insert )
- [ALTER ](#alter )
2023-04-19 15:55:29 +00:00
- `ALTER TABLE`
- `ALTER UPDATE`
- `ALTER DELETE`
- `ALTER COLUMN`
- `ALTER ADD COLUMN`
- `ALTER DROP COLUMN`
- `ALTER MODIFY COLUMN`
- `ALTER COMMENT COLUMN`
- `ALTER CLEAR COLUMN`
- `ALTER RENAME COLUMN`
- `ALTER INDEX`
- `ALTER ORDER BY`
- `ALTER SAMPLE BY`
- `ALTER ADD INDEX`
- `ALTER DROP INDEX`
- `ALTER MATERIALIZE INDEX`
- `ALTER CLEAR INDEX`
- `ALTER CONSTRAINT`
- `ALTER ADD CONSTRAINT`
- `ALTER DROP CONSTRAINT`
- `ALTER TTL`
- `ALTER MATERIALIZE TTL`
- `ALTER SETTINGS`
- `ALTER MOVE PARTITION`
- `ALTER FETCH PARTITION`
- `ALTER FREEZE PARTITION`
- `ALTER VIEW`
- `ALTER VIEW REFRESH`
- `ALTER VIEW MODIFY QUERY`
2024-02-28 00:00:17 +00:00
- `ALTER VIEW MODIFY SQL SECURITY`
2024-05-02 07:00:40 +00:00
- [CREATE ](#create )
2023-04-19 15:55:29 +00:00
- `CREATE DATABASE`
- `CREATE TABLE`
- `CREATE ARBITRARY TEMPORARY TABLE`
- `CREATE TEMPORARY TABLE`
- `CREATE VIEW`
- `CREATE DICTIONARY`
- `CREATE FUNCTION`
2024-05-02 07:00:40 +00:00
- [DROP ](#drop )
2023-04-19 15:55:29 +00:00
- `DROP DATABASE`
- `DROP TABLE`
- `DROP VIEW`
- `DROP DICTIONARY`
- `DROP FUNCTION`
2024-05-02 07:00:40 +00:00
- [TRUNCATE ](#truncate )
- [OPTIMIZE ](#optimize )
- [SHOW ](#show )
2023-04-19 15:55:29 +00:00
- `SHOW DATABASES`
- `SHOW TABLES`
- `SHOW COLUMNS`
- `SHOW DICTIONARIES`
2024-05-02 07:00:40 +00:00
- [KILL QUERY ](#kill-query )
- [ACCESS MANAGEMENT ](#access-management )
2023-04-19 15:55:29 +00:00
- `CREATE USER`
- `ALTER USER`
- `DROP USER`
- `CREATE ROLE`
- `ALTER ROLE`
- `DROP ROLE`
- `CREATE ROW POLICY`
- `ALTER ROW POLICY`
- `DROP ROW POLICY`
- `CREATE QUOTA`
- `ALTER QUOTA`
- `DROP QUOTA`
- `CREATE SETTINGS PROFILE`
- `ALTER SETTINGS PROFILE`
- `DROP SETTINGS PROFILE`
- `SHOW ACCESS`
- `SHOW_USERS`
- `SHOW_ROLES`
- `SHOW_ROW_POLICIES`
- `SHOW_QUOTAS`
- `SHOW_SETTINGS_PROFILES`
- `ROLE ADMIN`
2024-05-02 07:00:40 +00:00
- [SYSTEM ](#system )
2023-04-19 15:55:29 +00:00
- `SYSTEM SHUTDOWN`
- `SYSTEM DROP CACHE`
- `SYSTEM DROP DNS CACHE`
- `SYSTEM DROP MARK CACHE`
- `SYSTEM DROP UNCOMPRESSED CACHE`
- `SYSTEM RELOAD`
- `SYSTEM RELOAD CONFIG`
- `SYSTEM RELOAD DICTIONARY`
- `SYSTEM RELOAD EMBEDDED DICTIONARIES`
- `SYSTEM RELOAD FUNCTION`
- `SYSTEM RELOAD FUNCTIONS`
- `SYSTEM MERGES`
- `SYSTEM TTL MERGES`
- `SYSTEM FETCHES`
- `SYSTEM MOVES`
- `SYSTEM SENDS`
- `SYSTEM DISTRIBUTED SENDS`
- `SYSTEM REPLICATED SENDS`
- `SYSTEM REPLICATION QUEUES`
- `SYSTEM SYNC REPLICA`
- `SYSTEM RESTART REPLICA`
- `SYSTEM FLUSH`
- `SYSTEM FLUSH DISTRIBUTED`
- `SYSTEM FLUSH LOGS`
- `CLUSTER` (see also `access_control_improvements.on_cluster_queries_require_cluster_grant` configuration directive)
2024-05-02 07:00:40 +00:00
- [INTROSPECTION ](#introspection )
2023-04-19 15:55:29 +00:00
- `addressToLine`
- `addressToLineWithInlines`
- `addressToSymbol`
- `demangle`
2024-05-02 07:00:40 +00:00
- [SOURCES ](#sources )
2024-10-04 09:13:35 +00:00
- `AZURE`
2023-04-19 15:55:29 +00:00
- `FILE`
- `HDFS`
2024-10-04 09:13:35 +00:00
- `HIVE`
- `JDBC`
- `MONGO`
- `MYSQL`
- `ODBC`
2024-08-16 17:02:44 +00:00
- `POSTGRES`
2024-10-04 09:13:35 +00:00
- `REDIS`
- `REMOTE`
- `S3`
- `SQLITE`
- `URL`
2024-05-02 07:00:40 +00:00
- [dictGet ](#dictget )
2024-06-12 12:09:37 +00:00
- [displaySecretsInShowAndSelect ](#displaysecretsinshowandselect )
2024-05-02 07:00:40 +00:00
- [NAMED COLLECTION ADMIN ](#named-collection-admin )
2024-03-06 02:31:21 +00:00
- `CREATE NAMED COLLECTION`
- `DROP NAMED COLLECTION`
- `ALTER NAMED COLLECTION`
- `SHOW NAMED COLLECTIONS`
- `SHOW NAMED COLLECTIONS SECRETS`
- `NAMED COLLECTION`
2024-05-02 07:00:40 +00:00
- [TABLE ENGINE ](#table-engine )
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Examples of how this hierarchy is treated:
2023-04-19 15:55:29 +00:00
- The `ALTER` privilege includes all other `ALTER*` privileges.
- `ALTER CONSTRAINT` includes `ALTER ADD CONSTRAINT` and `ALTER DROP CONSTRAINT` privileges.
2020-04-15 14:57:49 +00:00
Privileges are applied at different levels. Knowing of a level suggests syntax available for privilege.
Levels (from lower to higher):
2023-04-19 15:55:29 +00:00
- `COLUMN` — Privilege can be granted for column, table, database, or globally.
- `TABLE` — Privilege can be granted for table, database, or globally.
- `VIEW` — Privilege can be granted for view, database, or globally.
- `DICTIONARY` — Privilege can be granted for dictionary, database, or globally.
- `DATABASE` — Privilege can be granted for database or globally.
- `GLOBAL` — Privilege can be granted only globally.
- `GROUP` — Groups privileges of different levels. When `GROUP` -level privilege is granted, only that privileges from the group are granted which correspond to the used syntax.
2020-04-15 14:57:49 +00:00
Examples of allowed syntax:
2023-04-19 15:55:29 +00:00
- `GRANT SELECT(x) ON db.table TO user`
- `GRANT SELECT ON db.* TO user`
2020-04-15 14:57:49 +00:00
Examples of disallowed syntax:
2023-04-19 15:55:29 +00:00
- `GRANT CREATE USER(x) ON db.table TO user`
- `GRANT CREATE USER ON db.* TO user`
2020-04-15 14:57:49 +00:00
2024-05-02 07:00:40 +00:00
The special privilege [ALL ](#all ) grants all the privileges to a user account or a role.
2020-04-09 14:02:39 +00:00
By default, a user account or a role has no privileges.
2024-05-02 07:00:40 +00:00
If a user or a role has no privileges, it is displayed as [NONE ](#none ) privilege.
2020-04-09 14:02:39 +00:00
2022-10-07 13:22:40 +00:00
Some queries by their implementation require a set of privileges. For example, to execute the [RENAME ](../../sql-reference/statements/optimize.md ) query you need the following privileges: `SELECT` , `CREATE TABLE` , `INSERT` and `DROP TABLE` .
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### SELECT
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
Allows executing [SELECT ](../../sql-reference/statements/select/index.md ) queries.
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Privilege level: `COLUMN` .
2020-04-09 14:02:39 +00:00
**Description**
2020-06-18 08:24:31 +00:00
User granted with this privilege can execute `SELECT` queries over a specified list of columns in the specified table and database. If user includes other columns then specified a query returns no data.
2020-04-09 14:02:39 +00:00
Consider the following privilege:
2020-06-18 08:24:31 +00:00
``` sql
2020-04-09 14:02:39 +00:00
GRANT SELECT(x,y) ON db.table TO john
```
2021-05-27 19:44:11 +00:00
This privilege allows `john` to execute any `SELECT` query that involves data from the `x` and/or `y` columns in `db.table` , for example, `SELECT x FROM db.table` . `john` can’ t execute `SELECT z FROM db.table` . The `SELECT * FROM db.table` also is not available. Processing this query, ClickHouse does not return any data, even `x` and `y` . The only exception is if a table contains only `x` and `y` columns, in this case ClickHouse returns all the data.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### INSERT
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
Allows executing [INSERT ](../../sql-reference/statements/insert-into.md ) queries.
2020-04-15 14:57:49 +00:00
Privilege level: `COLUMN` .
2020-04-09 14:02:39 +00:00
**Description**
2021-05-27 19:44:11 +00:00
User granted with this privilege can execute `INSERT` queries over a specified list of columns in the specified table and database. If user includes other columns then specified a query does not insert any data.
2020-04-15 14:57:49 +00:00
**Example**
2020-06-18 08:24:31 +00:00
``` sql
2020-04-15 14:57:49 +00:00
GRANT INSERT(x,y) ON db.table TO john
```
The granted privilege allows `john` to insert data to the `x` and/or `y` columns in `db.table` .
2022-06-02 10:55:18 +00:00
### ALTER
2020-04-15 14:57:49 +00:00
2022-11-09 01:21:26 +00:00
Allows executing [ALTER ](../../sql-reference/statements/alter/index.md ) queries according to the following hierarchy of privileges:
2020-06-18 08:24:31 +00:00
2023-04-19 15:55:29 +00:00
- `ALTER` . Level: `COLUMN` .
- `ALTER TABLE` . Level: `GROUP`
- `ALTER UPDATE` . Level: `COLUMN` . Aliases: `UPDATE`
- `ALTER DELETE` . Level: `COLUMN` . Aliases: `DELETE`
- `ALTER COLUMN` . Level: `GROUP`
- `ALTER ADD COLUMN` . Level: `COLUMN` . Aliases: `ADD COLUMN`
- `ALTER DROP COLUMN` . Level: `COLUMN` . Aliases: `DROP COLUMN`
- `ALTER MODIFY COLUMN` . Level: `COLUMN` . Aliases: `MODIFY COLUMN`
- `ALTER COMMENT COLUMN` . Level: `COLUMN` . Aliases: `COMMENT COLUMN`
- `ALTER CLEAR COLUMN` . Level: `COLUMN` . Aliases: `CLEAR COLUMN`
- `ALTER RENAME COLUMN` . Level: `COLUMN` . Aliases: `RENAME COLUMN`
- `ALTER INDEX` . Level: `GROUP` . Aliases: `INDEX`
- `ALTER ORDER BY` . Level: `TABLE` . Aliases: `ALTER MODIFY ORDER BY` , `MODIFY ORDER BY`
- `ALTER SAMPLE BY` . Level: `TABLE` . Aliases: `ALTER MODIFY SAMPLE BY` , `MODIFY SAMPLE BY`
- `ALTER ADD INDEX` . Level: `TABLE` . Aliases: `ADD INDEX`
- `ALTER DROP INDEX` . Level: `TABLE` . Aliases: `DROP INDEX`
- `ALTER MATERIALIZE INDEX` . Level: `TABLE` . Aliases: `MATERIALIZE INDEX`
- `ALTER CLEAR INDEX` . Level: `TABLE` . Aliases: `CLEAR INDEX`
- `ALTER CONSTRAINT` . Level: `GROUP` . Aliases: `CONSTRAINT`
- `ALTER ADD CONSTRAINT` . Level: `TABLE` . Aliases: `ADD CONSTRAINT`
- `ALTER DROP CONSTRAINT` . Level: `TABLE` . Aliases: `DROP CONSTRAINT`
- `ALTER TTL` . Level: `TABLE` . Aliases: `ALTER MODIFY TTL` , `MODIFY TTL`
- `ALTER MATERIALIZE TTL` . Level: `TABLE` . Aliases: `MATERIALIZE TTL`
- `ALTER SETTINGS` . Level: `TABLE` . Aliases: `ALTER SETTING` , `ALTER MODIFY SETTING` , `MODIFY SETTING`
- `ALTER MOVE PARTITION` . Level: `TABLE` . Aliases: `ALTER MOVE PART` , `MOVE PARTITION` , `MOVE PART`
- `ALTER FETCH PARTITION` . Level: `TABLE` . Aliases: `ALTER FETCH PART` , `FETCH PARTITION` , `FETCH PART`
- `ALTER FREEZE PARTITION` . Level: `TABLE` . Aliases: `FREEZE PARTITION`
- `ALTER VIEW` Level: `GROUP`
- `ALTER VIEW REFRESH` . Level: `VIEW` . Aliases: `ALTER LIVE VIEW REFRESH` , `REFRESH VIEW`
- `ALTER VIEW MODIFY QUERY` . Level: `VIEW` . Aliases: `ALTER TABLE MODIFY QUERY`
2024-02-28 00:00:17 +00:00
- `ALTER VIEW MODIFY SQL SECURITY` . Level: `VIEW` . Aliases: `ALTER TABLE MODIFY SQL SECURITY`
2020-04-09 14:02:39 +00:00
Examples of how this hierarchy is treated:
2023-04-19 15:55:29 +00:00
- The `ALTER` privilege includes all other `ALTER*` privileges.
- `ALTER CONSTRAINT` includes `ALTER ADD CONSTRAINT` and `ALTER DROP CONSTRAINT` privileges.
2020-04-09 14:02:39 +00:00
**Notes**
2023-04-19 15:55:29 +00:00
- The `MODIFY SETTING` privilege allows modifying table engine settings. It does not affect settings or server configuration parameters.
2024-05-02 07:00:40 +00:00
- The `ATTACH` operation needs the [CREATE ](#create ) privilege.
- The `DETACH` operation needs the [DROP ](#drop ) privilege.
2023-04-19 15:55:29 +00:00
- To stop mutation by the [KILL MUTATION ](../../sql-reference/statements/kill.md#kill-mutation ) query, you need to have a privilege to start this mutation. For example, if you want to stop the `ALTER UPDATE` query, you need the `ALTER UPDATE` , `ALTER TABLE` , or `ALTER` privilege.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### CREATE
2020-04-09 14:02:39 +00:00
2022-10-07 13:22:40 +00:00
Allows executing [CREATE ](../../sql-reference/statements/create/index.md ) and [ATTACH ](../../sql-reference/statements/attach.md ) DDL-queries according to the following hierarchy of privileges:
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `CREATE` . Level: `GROUP`
- `CREATE DATABASE` . Level: `DATABASE`
- `CREATE TABLE` . Level: `TABLE`
- `CREATE ARBITRARY TEMPORARY TABLE` . Level: `GLOBAL`
- `CREATE TEMPORARY TABLE` . Level: `GLOBAL`
- `CREATE VIEW` . Level: `VIEW`
- `CREATE DICTIONARY` . Level: `DICTIONARY`
2020-04-09 14:02:39 +00:00
**Notes**
2024-05-02 07:00:40 +00:00
- To delete the created table, a user needs [DROP ](#drop ).
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### DROP
2020-04-09 14:02:39 +00:00
2022-10-07 13:22:40 +00:00
Allows executing [DROP ](../../sql-reference/statements/drop.md ) and [DETACH ](../../sql-reference/statements/detach.md ) queries according to the following hierarchy of privileges:
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `DROP` . Level: `GROUP`
- `DROP DATABASE` . Level: `DATABASE`
- `DROP TABLE` . Level: `TABLE`
- `DROP VIEW` . Level: `VIEW`
- `DROP DICTIONARY` . Level: `DICTIONARY`
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### TRUNCATE
2020-04-09 14:02:39 +00:00
2022-10-07 13:22:40 +00:00
Allows executing [TRUNCATE ](../../sql-reference/statements/truncate.md ) queries.
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Privilege level: `TABLE` .
2022-06-02 10:55:18 +00:00
### OPTIMIZE
2020-04-09 14:02:39 +00:00
2022-10-07 13:22:40 +00:00
Allows executing [OPTIMIZE TABLE ](../../sql-reference/statements/optimize.md ) queries.
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Privilege level: `TABLE` .
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### SHOW
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
Allows executing `SHOW` , `DESCRIBE` , `USE` , and `EXISTS` queries according to the following hierarchy of privileges:
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `SHOW` . Level: `GROUP`
- `SHOW DATABASES` . Level: `DATABASE` . Allows to execute `SHOW DATABASES` , `SHOW CREATE DATABASE` , `USE <database>` queries.
- `SHOW TABLES` . Level: `TABLE` . Allows to execute `SHOW TABLES` , `EXISTS <table>` , `CHECK <table>` queries.
- `SHOW COLUMNS` . Level: `COLUMN` . Allows to execute `SHOW CREATE TABLE` , `DESCRIBE` queries.
- `SHOW DICTIONARIES` . Level: `DICTIONARY` . Allows to execute `SHOW DICTIONARIES` , `SHOW CREATE DICTIONARY` , `EXISTS <dictionary>` queries.
2020-04-09 14:02:39 +00:00
**Notes**
2020-05-15 20:30:51 +00:00
A user has the `SHOW` privilege if it has any other privilege concerning the specified table, dictionary or database.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### KILL QUERY
2020-04-09 14:02:39 +00:00
2022-10-07 13:22:40 +00:00
Allows executing [KILL ](../../sql-reference/statements/kill.md#kill-query ) queries according to the following hierarchy of privileges:
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Privilege level: `GLOBAL` .
2020-04-09 14:02:39 +00:00
**Notes**
`KILL QUERY` privilege allows one user to kill queries of other users.
2022-06-02 10:55:18 +00:00
### ACCESS MANAGEMENT
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
Allows a user to execute queries that manage users, roles and row policies.
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `ACCESS MANAGEMENT` . Level: `GROUP`
- `CREATE USER` . Level: `GLOBAL`
- `ALTER USER` . Level: `GLOBAL`
- `DROP USER` . Level: `GLOBAL`
- `CREATE ROLE` . Level: `GLOBAL`
- `ALTER ROLE` . Level: `GLOBAL`
- `DROP ROLE` . Level: `GLOBAL`
- `ROLE ADMIN` . Level: `GLOBAL`
- `CREATE ROW POLICY` . Level: `GLOBAL` . Aliases: `CREATE POLICY`
- `ALTER ROW POLICY` . Level: `GLOBAL` . Aliases: `ALTER POLICY`
- `DROP ROW POLICY` . Level: `GLOBAL` . Aliases: `DROP POLICY`
- `CREATE QUOTA` . Level: `GLOBAL`
- `ALTER QUOTA` . Level: `GLOBAL`
- `DROP QUOTA` . Level: `GLOBAL`
- `CREATE SETTINGS PROFILE` . Level: `GLOBAL` . Aliases: `CREATE PROFILE`
- `ALTER SETTINGS PROFILE` . Level: `GLOBAL` . Aliases: `ALTER PROFILE`
- `DROP SETTINGS PROFILE` . Level: `GLOBAL` . Aliases: `DROP PROFILE`
- `SHOW ACCESS` . Level: `GROUP`
- `SHOW_USERS` . Level: `GLOBAL` . Aliases: `SHOW CREATE USER`
- `SHOW_ROLES` . Level: `GLOBAL` . Aliases: `SHOW CREATE ROLE`
- `SHOW_ROW_POLICIES` . Level: `GLOBAL` . Aliases: `SHOW POLICIES` , `SHOW CREATE ROW POLICY` , `SHOW CREATE POLICY`
- `SHOW_QUOTAS` . Level: `GLOBAL` . Aliases: `SHOW CREATE QUOTA`
- `SHOW_SETTINGS_PROFILES` . Level: `GLOBAL` . Aliases: `SHOW PROFILES` , `SHOW CREATE SETTINGS PROFILE` , `SHOW CREATE PROFILE`
2024-02-28 00:00:17 +00:00
- `ALLOW SQL SECURITY NONE` . Level: `GLOBAL` . Aliases: `CREATE SQL SECURITY NONE` , `SQL SECURITY NONE` , `SECURITY NONE`
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
The `ROLE ADMIN` privilege allows a user to assign and revoke any roles including those which are not assigned to the user with the admin option.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### SYSTEM
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
Allows a user to execute [SYSTEM ](../../sql-reference/statements/system.md ) queries according to the following hierarchy of privileges.
2023-04-19 15:55:29 +00:00
- `SYSTEM` . Level: `GROUP`
- `SYSTEM SHUTDOWN` . Level: `GLOBAL` . Aliases: `SYSTEM KILL` , `SHUTDOWN`
- `SYSTEM DROP CACHE` . Aliases: `DROP CACHE`
- `SYSTEM DROP DNS CACHE` . Level: `GLOBAL` . Aliases: `SYSTEM DROP DNS` , `DROP DNS CACHE` , `DROP DNS`
- `SYSTEM DROP MARK CACHE` . Level: `GLOBAL` . Aliases: `SYSTEM DROP MARK` , `DROP MARK CACHE` , `DROP MARKS`
- `SYSTEM DROP UNCOMPRESSED CACHE` . Level: `GLOBAL` . Aliases: `SYSTEM DROP UNCOMPRESSED` , `DROP UNCOMPRESSED CACHE` , `DROP UNCOMPRESSED`
- `SYSTEM RELOAD` . Level: `GROUP`
- `SYSTEM RELOAD CONFIG` . Level: `GLOBAL` . Aliases: `RELOAD CONFIG`
- `SYSTEM RELOAD DICTIONARY` . Level: `GLOBAL` . Aliases: `SYSTEM RELOAD DICTIONARIES` , `RELOAD DICTIONARY` , `RELOAD DICTIONARIES`
- `SYSTEM RELOAD EMBEDDED DICTIONARIES` . Level: `GLOBAL` . Aliases: `RELOAD EMBEDDED DICTIONARIES`
- `SYSTEM MERGES` . Level: `TABLE` . Aliases: `SYSTEM STOP MERGES` , `SYSTEM START MERGES` , `STOP MERGES` , `START MERGES`
- `SYSTEM TTL MERGES` . Level: `TABLE` . Aliases: `SYSTEM STOP TTL MERGES` , `SYSTEM START TTL MERGES` , `STOP TTL MERGES` , `START TTL MERGES`
- `SYSTEM FETCHES` . Level: `TABLE` . Aliases: `SYSTEM STOP FETCHES` , `SYSTEM START FETCHES` , `STOP FETCHES` , `START FETCHES`
- `SYSTEM MOVES` . Level: `TABLE` . Aliases: `SYSTEM STOP MOVES` , `SYSTEM START MOVES` , `STOP MOVES` , `START MOVES`
- `SYSTEM SENDS` . Level: `GROUP` . Aliases: `SYSTEM STOP SENDS` , `SYSTEM START SENDS` , `STOP SENDS` , `START SENDS`
- `SYSTEM DISTRIBUTED SENDS` . Level: `TABLE` . Aliases: `SYSTEM STOP DISTRIBUTED SENDS` , `SYSTEM START DISTRIBUTED SENDS` , `STOP DISTRIBUTED SENDS` , `START DISTRIBUTED SENDS`
- `SYSTEM REPLICATED SENDS` . Level: `TABLE` . Aliases: `SYSTEM STOP REPLICATED SENDS` , `SYSTEM START REPLICATED SENDS` , `STOP REPLICATED SENDS` , `START REPLICATED SENDS`
- `SYSTEM REPLICATION QUEUES` . Level: `TABLE` . Aliases: `SYSTEM STOP REPLICATION QUEUES` , `SYSTEM START REPLICATION QUEUES` , `STOP REPLICATION QUEUES` , `START REPLICATION QUEUES`
- `SYSTEM SYNC REPLICA` . Level: `TABLE` . Aliases: `SYNC REPLICA`
- `SYSTEM RESTART REPLICA` . Level: `TABLE` . Aliases: `RESTART REPLICA`
- `SYSTEM FLUSH` . Level: `GROUP`
- `SYSTEM FLUSH DISTRIBUTED` . Level: `TABLE` . Aliases: `FLUSH DISTRIBUTED`
- `SYSTEM FLUSH LOGS` . Level: `GLOBAL` . Aliases: `FLUSH LOGS`
2020-04-09 14:02:39 +00:00
The `SYSTEM RELOAD EMBEDDED DICTIONARIES` privilege implicitly granted by the `SYSTEM RELOAD DICTIONARY ON *.*` privilege.
2022-06-02 10:55:18 +00:00
### INTROSPECTION
2020-04-09 14:02:39 +00:00
2020-05-01 14:48:16 +00:00
Allows using [introspection ](../../operations/optimizing-performance/sampling-query-profiler.md ) functions.
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `INTROSPECTION` . Level: `GROUP` . Aliases: `INTROSPECTION FUNCTIONS`
- `addressToLine` . Level: `GLOBAL`
- `addressToLineWithInlines` . Level: `GLOBAL`
- `addressToSymbol` . Level: `GLOBAL`
- `demangle` . Level: `GLOBAL`
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### SOURCES
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
Allows using external data sources. Applies to [table engines ](../../engines/table-engines/index.md ) and [table functions ](../../sql-reference/table-functions/index.md#table-functions ).
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `SOURCES` . Level: `GROUP`
2024-10-04 09:59:28 +00:00
- `AZURE` . Level: `GLOBAL`
2023-04-19 15:55:29 +00:00
- `FILE` . Level: `GLOBAL`
- `HDFS` . Level: `GLOBAL`
2024-10-04 09:59:28 +00:00
- `HIVE` . Level: `GLOBAL`
- `JDBC` . Level: `GLOBAL`
- `MONGO` . Level: `GLOBAL`
- `MYSQL` . Level: `GLOBAL`
- `ODBC` . Level: `GLOBAL`
2024-08-16 17:02:44 +00:00
- `POSTGRES` . Level: `GLOBAL`
2024-10-04 09:59:28 +00:00
- `REDIS` . Level: `GLOBAL`
- `REMOTE` . Level: `GLOBAL`
- `S3` . Level: `GLOBAL`
- `SQLITE` . Level: `GLOBAL`
- `URL` . Level: `GLOBAL`
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
The `SOURCES` privilege enables use of all the sources. Also you can grant a privilege for each source individually. To use sources, you need additional privileges.
2020-04-09 14:02:39 +00:00
2020-04-15 14:57:49 +00:00
Examples:
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- To create a table with the [MySQL table engine ](../../engines/table-engines/integrations/mysql.md ), you need `CREATE TABLE (ON db.table_name)` and `MYSQL` privileges.
- To use the [mysql table function ](../../sql-reference/table-functions/mysql.md ), you need `CREATE TEMPORARY TABLE` and `MYSQL` privileges.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### dictGet
2020-04-09 14:02:39 +00:00
2023-04-19 15:55:29 +00:00
- `dictGet` . Aliases: `dictHas` , `dictGetHierarchy` , `dictIsIn`
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
Allows a user to execute [dictGet ](../../sql-reference/functions/ext-dict-functions.md#dictget ), [dictHas ](../../sql-reference/functions/ext-dict-functions.md#dicthas ), [dictGetHierarchy ](../../sql-reference/functions/ext-dict-functions.md#dictgethierarchy ), [dictIsIn ](../../sql-reference/functions/ext-dict-functions.md#dictisin ) functions.
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
Privilege level: `DICTIONARY` .
2020-04-15 14:57:49 +00:00
2020-04-09 14:02:39 +00:00
**Examples**
2023-04-19 15:55:29 +00:00
- `GRANT dictGet ON mydb.mydictionary TO john`
- `GRANT dictGet ON mydictionary TO john`
2020-04-09 14:02:39 +00:00
2023-02-17 10:36:58 +00:00
2024-06-12 12:09:37 +00:00
### displaySecretsInShowAndSelect
2023-02-17 10:36:58 +00:00
2023-04-28 12:42:23 +00:00
Allows a user to view secrets in `SHOW` and `SELECT` queries if both
[`display_secrets_in_show_and_select` server setting ](../../operations/server-configuration-parameters/settings#display_secrets_in_show_and_select )
and
2023-04-28 13:39:38 +00:00
[`format_display_secrets_in_show_and_select` format setting ](../../operations/settings/formats#format_display_secrets_in_show_and_select )
2023-04-28 12:42:23 +00:00
are turned on.
2023-02-17 10:36:58 +00:00
2024-03-14 00:36:29 +00:00
2024-03-06 02:31:21 +00:00
### NAMED COLLECTION ADMIN
2024-03-07 05:55:22 +00:00
Allows a certain operation on a specified named collection. Before version 23.7 it was called NAMED COLLECTION CONTROL, and after 23.7 NAMED COLLECTION ADMIN was added and NAMED COLLECTION CONTROL is preserved as an alias.
2024-03-06 02:31:21 +00:00
- `NAMED COLLECTION ADMIN` . Level: `NAMED_COLLECTION` . Aliases: `NAMED COLLECTION CONTROL`
- `CREATE NAMED COLLECTION` . Level: `NAMED_COLLECTION`
- `DROP NAMED COLLECTION` . Level: `NAMED_COLLECTION`
- `ALTER NAMED COLLECTION` . Level: `NAMED_COLLECTION`
- `SHOW NAMED COLLECTIONS` . Level: `NAMED_COLLECTION` . Aliases: `SHOW NAMED COLLECTIONS`
- `SHOW NAMED COLLECTIONS SECRETS` . Level: `NAMED_COLLECTION` . Aliases: `SHOW NAMED COLLECTIONS SECRETS`
- `NAMED COLLECTION` . Level: `NAMED_COLLECTION` . Aliases: `NAMED COLLECTION USAGE, USE NAMED COLLECTION`
2024-03-07 01:09:18 +00:00
Unlike all other grants (CREATE, DROP, ALTER, SHOW) grant NAMED COLLECTION was added only in 23.7, while all others were added earlier - in 22.12.
2024-03-06 02:31:21 +00:00
**Examples**
2024-03-07 01:09:18 +00:00
Assuming a named collection is called abc, we grant privilege CREATE NAMED COLLECTION to user john.
2024-03-06 02:31:21 +00:00
- `GRANT CREATE NAMED COLLECTION ON abc TO john`
2024-03-14 00:36:29 +00:00
2024-02-20 02:11:31 +00:00
### TABLE ENGINE
Allows using a specified table engine when creating a table. Applies to [table engines ](../../engines/table-engines/index.md ).
**Examples**
- `GRANT TABLE ENGINE ON * TO john`
- `GRANT TABLE ENGINE ON TinyLog TO john`
2024-03-14 00:36:29 +00:00
2022-06-02 10:55:18 +00:00
### ALL
2020-04-09 14:02:39 +00:00
2020-04-14 10:14:19 +00:00
Grants all the privileges on regulated entity to a user account or a role.
2022-06-02 10:55:18 +00:00
### NONE
2020-04-09 14:02:39 +00:00
2020-06-18 08:24:31 +00:00
Doesn’ t grant any privileges.
2020-04-09 14:02:39 +00:00
2022-06-02 10:55:18 +00:00
### ADMIN OPTION
2020-04-09 14:02:39 +00:00
2020-05-15 20:30:51 +00:00
The `ADMIN OPTION` privilege allows a user to grant their role to another user.