ON SYSTEM

Syntax

GRANT { { CREATE ROLE | ALTER ANY ROLE | DROP ANY ROLE | VIEW ROLE |
      CREATE DATABASE | ALTER ANY DATABASE | DROP ANY DATABASE | BACKUP ANY DATABASE | RESTORE ANY DATABASE | 
      TRACE QUERY | VIEW QUERY TEXT | EXPLAIN QUERY |
      CONTROL ANY SESSION | CONTROL LDAP } 
      [, ...] | ALL [ PRIVILEGES ] }
      ON SYSTEM
      TO { role_specification } [, ...] [ WITH GRANT OPTION ]

Parameters

ON SYSTEM

Grant privileges system-wide, not on specific databases or objects.

CREATE ROLE

Privilege to create roles.

ALTER ANY ROLE

Privilege to alter any role.

DROP ANY ROLE

Privilege to drop any role.

VIEW ROLE

Privilege to see all rows in the sys.user and sys.role views.

CREATE DATABASE

Privilege to create databases.

ALTER ANY DATABASE

Privilege to run ALTER DATABASE commands on any database in the system.

Note: This privilege does not include permission to add, drop, or alter replicas for database replication.

DROP ANY DATABASE

Privilege to drop any database in the system (except yellowbrick and other system databases).

BACKUP ANY DATABASE

Privilege to back up any database in the system (using ybbackup).

RESTORE ANY DATABASE

Privilege to restore any database (in the system (using ybrestore).

TRACE QUERY

Privilege to query a set of system views for the purpose of tracing execution details for queries that the named users and roles did not run themselves. TRACE QUERY privilege is implied for users' own queries and does not need to be granted.

TRACE
                                QUERY

privilege provides access to the following system views:

sys.query
sys.log_query
sys.session
sys.log_session
sys.query_explain
sys.query_analyze

VIEW QUERY TEXT

Privilege to query the following system views:

sys.query
sys.log_query

EXPLAIN QUERY

Privilege to run EXPLAIN for queries that contain tables and views on which the role does not have existing privileges. Roles with existing privileges on those objects do not need this privilege.

CONTROL ANY SESSION

Privilege to terminate user connections by running the yb_terminate_session function. This privilege also includes permission to view everything in the sys.session and sys.log_session views.

CONTROL LDAP

Privilege to run the function sys.ldap_sync function, which synchronizes LDAP users and roles. Unauthorized users will see this message:

premdb=> select sys.ldap_sync();
                                   ldap_sync                                   
-------------------------------------------------------------------------------
 permission denied to query sys.ldap_sync(). CONTROL LDAP privilege is needed.
(1 row)

Examples

Grant system-wide role privileges to user yb100:

premdb=# grant create role, alter any role, drop any role on system to yb100;
GRANT

Grant the privilege to back up or restore any database on the system to two users:

premdb=# grant backup any database, restore any database on system to restore1, restore2;
GRANT

Grant CONTROL LDAP to user control1:

premdb=# grant control ldap on system to control1;
GRANT
premdb=# \c premdb control1
Password for user control1: 
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
You are now connected to database "premdb" as user "control1".
premdb=> select sys.ldap_sync();
                ldap_sync                 
------------------------------------------
 LDAP authorization data was synchronized+
 
(1 row)