Privilege Control Types

Privilege control in MatrixOne is divided into System Permissions and Object Permissions. You can also refer to the permissions granted to roles.

System Permission

System permissions are the permissions of the initial system account. The system account is the cluster system administrator, root, also called the cluster administrator. The system root can create, delete and manage other accounts, but it cannot manage any other resources belonging to those accounts.

Permission | Description
---------- | -----------
CREATE ACCOUNT | Create an account. Belongs only to the SYS account.
DROP ACCOUNT | Delete an account. Belongs only to the SYS account.
ALTER ACCOUNT | Manage accounts. Belongs only to the SYS account.

Object Permission

Object permission can be classified into Account Permission, User Permission, Role Permission, Database Permission, and Table Permission.

Account Permission

Objects with Account Permission can have the following permissions:

Permission | Description
---------- | -----------
CREATE USER | Create a user
DROP USER | Delete a user
ALTER USER | Modify a user
CREATE ROLE | Create a role
DROP ROLE | Delete a role
CREATE DATABASE | Create a database
DROP DATABASE | Delete a database
SHOW DATABASES | View all databases in the current account
CONNECT | Run USE [database | role] and execute SELECT statements that do not involve a concrete object
MANAGE GRANTS | Permission management: grant privileges to roles and let roles inherit permissions from other roles
ALL [PRIVILEGES] | All permissions of the account
OWNERSHIP | All permissions of the account; can be granted WITH GRANT OPTION
SHOW GRANT | View the permission list of a role or user in the current account

User Permission

Objects with User Permission can have the following permissions:

Permission | Description
---------- | -----------
Ownership | Manage all permissions of a user, including modifying user information and passwords and deleting the user, and transfer these permissions to other roles.

Role Permission

Objects with Role Permission can have the following permissions:

Permission | Description
---------- | -----------
Ownership | Manage all rights of a role, including modifying its name and description and deleting the role, and transfer these rights to other roles.

Database Permission

Objects with Database Permission can have the following permissions:

Permission | Description
---------- | -----------
SHOW TABLES | View all tables in the current database
CREATE TABLE | Create a table
DROP TABLE | Delete a table
CREATE VIEW | Create a view. A view created without the corresponding table permission cannot be queried.
DROP VIEW | Delete a view
ALTER TABLE | Modify a table
ALTER VIEW | Modify a view. A view created without the corresponding table permission cannot be queried.
ALL [PRIVILEGES] | All permissions of the database
OWNERSHIP | All permissions of the database; can be granted WITH GRANT OPTION

Table Permission

Objects with Table Permission can have the following permissions:

Permission | Description
---------- | -----------
SELECT | Execute the SELECT statement
INSERT | Execute the INSERT statement
UPDATE | Execute the UPDATE statement
TRUNCATE | Execute the TRUNCATE TABLE statement
DELETE | Execute the DELETE statement
REFERENCE | Allow the table to be referenced as the unique or primary key table of a foreign key constraint; also allows viewing the table structure with DESCRIBE or SHOW
INDEX | Create or drop an INDEX
ALL | All permissions on the table
OWNERSHIP | All permissions on the table; can be granted WITH GRANT OPTION
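The following SQL is an added example, not from the MatrixOne documentation, showing how the database- and table-level permissions above combine into a least-privilege read-only role, and how the CREATE VIEW caveat plays out. The database, table, role and user names are made up; the GRANT and SHOW GRANTS forms follow MatrixOne's role-based model (privileges go to roles, roles go to users) and are assumed here.

```sql
-- Added example (not MatrixOne's own code). Assumed: an account administrator is
-- connected; database sales, tables orders/customers, role report_reader and
-- user analyst are all made-up names.

-- 1. A role that can only read: no INSERT/UPDATE/DELETE/TRUNCATE/DROP anywhere.
CREATE ROLE report_reader;

-- Database-level permissions: list tables and create views, nothing destructive.
GRANT SHOW TABLES, CREATE VIEW ON DATABASE sales TO report_reader;

-- Table-level permission: SELECT on exactly one table.
GRANT SELECT ON TABLE sales.orders TO report_reader;

-- 2. Bind the role to a user; the user holds only what the role holds.
CREATE USER analyst IDENTIFIED BY 'replace-with-a-strong-password';
GRANT report_reader TO analyst;

-- 3. Review the effective grants before handing over the credentials
--    (requires the SHOW GRANT account permission; syntax assumed).
SHOW GRANTS FOR 'analyst'@'localhost';

-- 4. The CREATE VIEW caveat from the Database Permission table, run as analyst:
--    creating a view over sales.customers succeeds because CREATE VIEW is a
--    database-level permission, but querying it fails because report_reader
--    has no SELECT on the underlying table.
CREATE VIEW sales.v_customers AS SELECT * FROM sales.customers;
SELECT * FROM sales.v_customers;   -- refused: no SELECT on sales.customers

-- 5. Granting SELECT on the base table is what makes the view usable;
--    do it deliberately rather than reaching for ALL or OWNERSHIP.
GRANT SELECT ON TABLE sales.customers TO report_reader;
```

Step 4 is the check worth running after any CREATE VIEW grant: a view that exists but cannot be read is a sign that the role's table-level grants, not the view itself, need attention.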

Table Routine Level Permission

Objects with Table Routine Level Permission can have the following permissions:

Permission | Description
---------- | -----------
EXECUTE | Execute a function or stored procedure

Publish and subscribe permission

In MatrixOne, publish and subscribe provides data-sharing access to a specified database.

Note: Currently, only the moadmin and accountadmin roles can perform publish and subscribe operations in MatrixOne.

  • Publisher

The publisher is the party that publishes the data that needs to be shared and synchronized.

Permission | Description
---------- | -----------
CREATE PUBLICATION | Create a publication
ALTER PUBLICATION | Modify a publication
DROP PUBLICATION | Delete a publication
SHOW PUBLICATION | View publications
SHOW CREATE PUBLICATION | View the CREATE PUBLICATION statement

  • Subscriber

The subscriber is the party that obtains the shared and synchronized data.

Permission | Description
---------- | -----------
CREATE DATABASE db_name FROM account_name PUBLICATION | Create a subscription
SHOW SUBSCRIPTIONS | View subscriptions