Checking User Permissions
Separation of Permissions
- This check item is displayed only when the target database type is GaussDB, separation of permissions is enabled, and the migration is performed by a sysadmin user.
- After separation of permissions is enabled, if a user with SYSADMIN permissions still has the security administrator (CREATEROLE) permissions and audit administrator permissions, this means that permission model is switched repeatedly. If you need to switch model from non-separation of permissions to separation of permissions, review the permissions of existing users and tailor some permissions as needed.
Permission of Creating Schemas
This check item is displayed when the target database type is GaussDB and the migration user is granted the sysadmin permission. It is used to check whether the migration user has the permission to create schemas in the target database. Database objects must be created in schemas.
GRANT CREATE ON DATABASE <db_name> TO <user>;
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
This check item is mandatory.
Permissions of Creating and Modifying Users and Roles
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and the USER, ROLE, and GRANT objects are migrated. It is used to check whether the migration user has the permissions to create or modify users and roles in the target DB instance.
ALTER USER <user> WITH CREATEROLE;
- When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
- This check item is mandatory.
Permission of Creating Objects Using PUBLIC SCHEMA
This check item is displayed when the target database type is GaussDB and the migration user is a common or sysadmin user (separation of permissions enabled). This check item involves complex permission combination.
In GaussDB 2.7 or earlier, CREATE permissions on public schemas are required to create objects such as tables, views, indexes, sequences, packages, types, and triggers.
In GaussDB 3.1 or later, the user SYSADMIN (used when separation of permission is enabled) must have the CREATE permissions on public schemas to create objects such as tables, views, indexes, sequences, packages, types, and triggers.
In GaussDB 3.1 or later, a common user must have the CREATE permissions on public schemas and the ANY permissions of objects, to create objects such as tables, views, indexes, sequences, packages, types, and triggers.
In separation of permissions, only initial users have the permissions to create functions, stored procedures, and synonyms on public schemas.
In non-separation of permissions, initial and sysadmin users have the permissions to create functions, stored procedures, and synonyms on public schemas.
CREATE permissions: GRANT CREATE ON SCHEMA public TO <user>;
ANY permissions:
GRANT CREATE ANY TABLE TO <user>;//Users can create tables or views in public and user schemas.
GRANT CREATE ANY SEQUENCE TO <user>;//Users can create sequences in public and user schemas.
GRANT CREATE ANY INDEX TO <user>;//Users can create indexes in public and user schemas.
GRANT CREATE ANY PACKAGE TO <user>;//Users can create packages in public and user schemas.
GRANT CREATE ANY TYPE TO <user>;//Users can create types in public and user schemas.
GRANT CREATE ANY TRIGGER TO <user>;//Users can create triggers in public and user schemas.
- A DB instance contains multiple databases. Each database has its own public schema. Permission assignment must be performed in the corresponding database.
- When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
- This check item is not mandatory. Based on the GaussDB permission design, the check result is always Warning.
Permissions of Existing Schemas
This check item is displayed when the target database type is GaussDB and the migration user is a common or sysadmin user (separation of permissions enabled).
It is used to check whether the migration user has the permissions to grant the owner of the existing schemas to the migration user.
GRANT <schema_owner> TO <user>
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user or schema owner is used to grant permissions.
If the migration user does not have sufficient permissions, the schema owner cannot be queried.
Granting Tablespace Permissions
This check item is only displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated.
Statements:
GRANT <privilege> ON TABLESPACE <tablespace_name> TO <user>;
GRANT <privilege> ON TABLESPACE <tablespace_name> TO <user> WITH GRANT OPTION;
If WITH GRANT OPTION is specified, a grantee can grant this permission to others.
Permissions include CREATE, ALTER, DROP, COMMENT, CREATE WITH GRANT OPTION, ALTER WITH GRANT OPTION, DROP WITH GRANT OPTION and COMMENT WITH GRANT OPTION.
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
Granting Database Permissions
This check item is only displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated.
Statements:
GRANT <privilege> ON DATABASE <db_name> TO <user>;
GRANT <privilege> ON DATABASE <db_name> TO <user> WITH GRANT OPTION;
If WITH GRANT OPTION is specified, a grantee can grant this permission to others.
Permissions include CREATE, CONNECT, TEMPORARY, ALTER, DROP, COMMENT, CREATE WITH GRANT OPTION, CONNECT WITH GRANT OPTION, ALTER WITH GRANT OPTION, TEMPORARY WITH GRANT OPTION, DROP WITH GRANT OPTION and COMMENT WITH GRANT OPTION.
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
Granting ANY Permissions
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated. It checks whether the migration user can grant ANY permissions on the target database to other users.
GRANT <privilege> TO <user> WITH ADMIN OPTION;
If WITH ADMIN OPTION is specified, the granted user can grant the permission to other roles or users.
Permissions include CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE, SELECT ANY TABLE, UPDATE ANY TABLE, INSERT ANY TABLE, DELETE ANY TABLE, CREATE ANY SEQUENCE, ALTER ANY SEQUENCE, DROP ANY SEQUENCE, SELECT ANY SEQUENCE, CREATE ANY INDEX, ALTER ANY INDEX, DROP ANY INDEX, CREATE ANY FUNCTION, EXECUTE ANY FUNCTION, CREATE ANY PACKAGE, EXECUTE ANY PACKAGE, CREATE ANY TYPE, ALTER ANY TYPE, DROP ANY TYPE, CREATE ANY SYNONYM, DROP ANY SYNONYM, CREATE ANY TRIGGER, ALTER ANY TRIGGER and DROP ANY TRIGGER.
A DB instance contains multiple databases. The ANY permissions are bound to databases. You need to grant the ANY permissions in the corresponding database.
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
Granting Permissions on the pg_catalog Schema
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated. It checks whether the migration user can grant the query permission on all tables in the pg_catalog schema in the target database to other users.
GRANT <privilege> TO <user> WITH ADMIN OPTION;
A DB instance contains multiple databases. Each database has its own pg_catalog schema. Permission assignment must be performed in the corresponding database.
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
Granting the Database Link Permission
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated. It checks whether the migration user can grant the permission on creating database connections in the target database to other users.
GRANT CREATE PUBLIC DATABASE LINK TO <user> WITH GRANT OPTION;
A DB instance contains multiple databases. You need to grant permissions in the corresponding database.
When separation of permissions is enabled, initial user is used to grant permissions. When separation of permissions is disabled, SYSADMIN user is used to grant permissions.
Granting Permissions to Check Role and User Authorization
If a sysadmin user is created after separation of permissions is disabled, you can execute migration tasks as the user.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
