Privileges to execute ALTER TABLE

From: Erki Eessaar <erki(dot)eessaar(at)taltech(dot)ee>
To: "pgsql-docs(at)lists(dot)postgresql(dot)org" <pgsql-docs(at)lists(dot)postgresql(dot)org>
Subject: Privileges to execute ALTER TABLE
Date: 2024-07-18 08:13:44
Message-ID: AS8PR01MB7511F0B16534517C62942769FEA72@AS8PR01MB7511.eurprd01.prod.exchangelabs.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-docs

Hello

ALTER TABLE documentation writes: "You must own the table to use ALTER TABLE. To change the schema or tablespace of a table, you must also have CREATE privilege on the new schema or tablespace. To add the table as a new child of a parent table, you must own the parent table as well. Also, to attach a table as a new partition of the table, you must own the table being attached. To alter the owner, you must be able to SET ROLE to the new owning role, and that role must have CREATE privilege on the table's schema. (These restrictions enforce that altering the owner doesn't do anything you couldn't do by dropping and recreating the table. However, a superuser can alter ownership of any table anyway.) To add a column or alter a column type or use the OF clause, you must also have USAGE privilege on the data type."
https://www.postgresql.org/docs/current/sql-altertable.html

This description is a bit incomplete. Adding a uniqueness constraint automatically creates an index. Specifying that a column is an identity column means that the system automatically creates an internal sequence generator. Thus, to execute such ALTER TABLE statements one also needs CREATE and USAGE privileges of the schema.

Perhaps to add a statement: "If a statement causes internally the creation of another database object (index, sequence generator), then you must also have CREATE and USAGE privilege of the schema that contains the table."

Best regards
Erki Eessaar

*************************
An example

--as a superuser
CREATE USER test_user;
CREATE DATABASE test_database;
GRANT CONNECT ON DATABASE test_database TO test_user;

--in the database
CREATE TABLE Test(test_id INTEGER PRIMARY KEY,
a INTEGER NOT NULL,
b INTEGER NOT NULL);
ALTER TABLE Test OWNER TO test_user;

--as the test_user
ALTER TABLE Test ADD CONSTRAINT ak_test UNIQUE (a);
/*ERROR: permission denied for schema public*/

ALTER TABLE Test ALTER COLUMN test_id ADD GENERATED ALWAYS AS IDENTITY;
/*ERROR: permission denied for schema public*/

ALTER TABLE Test DROP COLUMN b;
/*OK*/

--as a superuser
GRANT CREATE, USAGE ON SCHEMA public TO test_user;

--as the test_user
ALTER TABLE Test ADD CONSTRAINT ak_test UNIQUE (a);
/*OK*/

ALTER TABLE Test ALTER COLUMN test_id ADD GENERATED ALWAYS AS IDENTITY;
/*OK*/

Browse pgsql-docs by date

  From Date Subject
Next Message David Rowley 2024-07-18 09:16:08 Re: A minor bug in doc. Hovering over heading shows # besides it.
Previous Message Daniel Gustafsson 2024-07-18 07:46:32 Re: A minor bug in doc. Hovering over heading shows # besides it.