Scoped permissions - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Scoped permissions

Scoped permissions let you grant permissions to a user or role on all objects of a type within a database or schema. Users and roles with scoped permissions have the specified permissions on all current and future objects within the database or schema.

For more information on applying scoped permissions, see GRANT and REVOKE.

Considerations for using scoped permissions

When using scoped permissions, consider the following:

  • You can use scoped permissions to grant or revoke permissions on a database or schema scope to or from a specified user or role.

  • You can't grant scoped permissions to user groups.

  • Granting or revoking scoped permissions changes permissions for all current and future objects in the scope.

  • Scoped permissions and object-level permissions operate independently of each other. For example, a user keeps SELECT on a table in both of the following cases:

    • The user is granted SELECT on the table schema1.table1 and SELECT scoped permission on schema1. The user then has SELECT revoked for all tables in schema schema1. The user retains SELECT on schema1.table1.

    • The user is granted SELECT on the table schema1.table1 and SELECT scoped permission on schema1. The user then has SELECT revoked for schema1.table1. The user retains SELECT on schema1.table1.

  • To grant or revoke scoped permissions, you must be one of the following:

    • A superuser.

    • A user with the grant option for that permission. For more information on grant options, see the WITH GRANT OPTION parameter in GRANT.

  • Scoped permissions can be granted or revoked only on objects in the currently connected database or in databases imported from a datashare.

  • You can use scoped permissions to set the default permissions on a database created from a datashare. A consumer-side datashare user who is granted scoped permissions on a shared database will automatically gain those permissions for any new object added to the datashare on the producer side.

  • Producers can grant scoped permissions on objects within a schema to a datashare. (preview)
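The following SQL walks through the two revoke cases listed above under "Scoped permissions and object-level permissions operate independently". It is an added example, not part of the Amazon Redshift documentation; the user analyst1, the schema schema1 and its tables are constructed names, and the statements assume they run as a superuser (so that SET SESSION AUTHORIZATION can switch to analyst1 for the access checks).

```sql
-- Constructed example: names analyst1, schema1, table1 and table2 are placeholders.
-- Run as a superuser. Password is a placeholder that satisfies Redshift's rules.
CREATE USER analyst1 PASSWORD 'Placeholder1';
CREATE SCHEMA schema1;
CREATE TABLE schema1.table1 (id INT, amount DECIMAL(10,2));
-- USAGE on the schema is still required to reference any object inside it.
GRANT USAGE ON SCHEMA schema1 TO analyst1;

-- Object-level permission on a single table.
GRANT SELECT ON schema1.table1 TO analyst1;

-- Scoped permission: SELECT on all current and future tables in schema1.
GRANT SELECT FOR TABLES IN SCHEMA schema1 TO analyst1;

-- A table created after the scoped GRANT is covered without any further GRANT.
CREATE TABLE schema1.table2 (id INT);
SET SESSION AUTHORIZATION 'analyst1';
SELECT COUNT(*) FROM schema1.table2;   -- allowed through the scoped permission
RESET SESSION AUTHORIZATION;

-- Case 1: revoke SELECT for all tables in the schema (the scoped permission).
REVOKE SELECT FOR TABLES IN SCHEMA schema1 FROM analyst1;
SET SESSION AUTHORIZATION 'analyst1';
SELECT COUNT(*) FROM schema1.table1;   -- still allowed: the object-level grant is untouched
-- schema1.table2 was reachable only through the scoped permission and is no longer accessible.
RESET SESSION AUTHORIZATION;

-- Case 2: scoped permission in place, revoke only the object-level grant.
GRANT SELECT FOR TABLES IN SCHEMA schema1 TO analyst1;
REVOKE SELECT ON schema1.table1 FROM analyst1;
SET SESSION AUTHORIZATION 'analyst1';
SELECT COUNT(*) FROM schema1.table1;   -- still allowed: the scoped permission is untouched
RESET SESSION AUTHORIZATION;

-- To fully remove access, both the scoped and the object-level permission must be revoked.
REVOKE SELECT FOR TABLES IN SCHEMA schema1 FROM analyst1;
REVOKE USAGE ON SCHEMA schema1 FROM analyst1;
```

When auditing access, remember that neither REVOKE alone is sufficient: check both the object-level grants and the scoped grants for a user before concluding that SELECT has been removed.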