Skip to content

Commit 42f6e20

Browse files
tobyhedetobyhede
committed
docs: database permissions
1 parent e2a16c8 commit 42f6e20

File tree

1 file changed

+70
-0
lines changed

1 file changed

+70
-0
lines changed

README.md

Lines changed: 70 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -90,6 +90,76 @@ Dropping the `public.eql_v2_encrypted` type will remove any associated columns f
9090
Uninstalling EQL will not drop the `public.eql_v2_encrypted` type to avoid risk of data loss.
9191

9292

93+
## Database Permissions
94+
95+
EQL requires specific database privileges to install and operate correctly. The permissions needed depend on your deployment pattern.
96+
97+
### Default Permissions (Recommended)
98+
99+
For most use cases, grant the following permissions to the database user that will install and use EQL:
100+
101+
```sql
102+
-- Database-level permissions
103+
GRANT CREATE ON DATABASE your_database TO your_eql_user;
104+
105+
-- Schema permissions
106+
GRANT USAGE ON SCHEMA public TO your_eql_user;
107+
GRANT CREATE ON SCHEMA public TO your_eql_user;
108+
109+
-- Configuration table permissions
110+
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE public.eql_v2_configuration TO your_eql_user;
111+
112+
-- User table permissions (for encrypted column constraints)
113+
GRANT ALTER ON ALL TABLES IN SCHEMA public TO your_eql_user;
114+
-- Or grant ALTER on specific tables that will have encrypted columns:
115+
-- GRANT ALTER ON TABLE your_table TO your_eql_user;
116+
```
117+
118+
**Why these permissions are needed:**
119+
120+
- **CREATE ON DATABASE**: Required to create the `eql_v2` schema, types, and functions during installation
121+
- **CREATE ON SCHEMA public**: Required to create types and tables in the public schema
122+
- **Configuration table access**: EQL manages searchable encryption configuration in `public.eql_v2_configuration`
123+
- **ALTER on user tables**: EQL adds check constraints to encrypted columns for data validation
124+
125+
### Splitting Read and Write Access
126+
127+
A common production pattern separates setup/migration permissions from runtime permissions:
128+
129+
#### Setup/Migration User (Write Access)
130+
131+
Use during database migrations and EQL installation:
132+
133+
```sql
134+
-- All default permissions above, plus:
135+
GRANT CREATE ON DATABASE your_database TO your_migration_user;
136+
GRANT CREATE ON SCHEMA public TO your_migration_user;
137+
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE public.eql_v2_configuration TO your_migration_user;
138+
GRANT ALTER ON ALL TABLES IN SCHEMA public TO your_migration_user;
139+
```
140+
141+
#### Runtime User (Read Access)
142+
143+
Use for application queries in production:
144+
145+
```sql
146+
-- Configuration read access
147+
GRANT SELECT ON TABLE public.eql_v2_configuration TO your_app_user;
148+
149+
-- EQL schema usage
150+
GRANT USAGE ON SCHEMA eql_v2 TO your_app_user;
151+
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA eql_v2 TO your_app_user;
152+
153+
-- User table access (normal application permissions)
154+
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE your_tables TO your_app_user;
155+
```
156+
157+
**Migration Workflow:**
158+
1. Use the migration user to install EQL and configure encrypted columns
159+
2. Use the runtime user for normal application operations
160+
3. Configuration changes (adding/removing encrypted columns) require the migration user
161+
162+
93163
### dbdev
94164

95165
> [!WARNING]

0 commit comments

Comments
 (0)