/
How To: Generate Auto Permissions for PostgreSQL

How To: Generate Auto Permissions for PostgreSQL

Overview

There are situations where grants may need to be created for all objects that meet a particular criteria such as belonging to a specific schema. This can be accomplished by creating a changeset that is executed at the end of every deployment to apply the appropriate grants.

Step 1 – Create a Script to Perform Grant Operations

Create a script that will generate the desired grant or alias statements. The script can utilize change log properties (Setting Properties in the Project Changelog ) to customize values for different steps in the pipeline. The following is an example of a script to grant privileges to an Application User for all tables in a specified schema. The criteria for APPUSER will be specified by properties from the project changelog.

Save the script to a location outside the SQL SCM for the Datical Project since we will manually add the changeset to the changelog.

Option 1: Version with RAISE NOTICE (preferred)

Adding RAISE NOTICE to the script will allow for logging the output to the Execution Output

DO $$ DECLARE t record; table_count integer := 0; BEGIN RAISE NOTICE 'Starting permission grant process...'; FOR t IN SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema NOT IN ('pg_catalog','information_schema') LOOP -- Log each table being processed RAISE NOTICE 'Granting permissions on %.% to ${APPUSER}', t.table_schema, t.table_name; EXECUTE format('GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE %I.%I TO postgres', t.table_schema, t.table_name); table_count := table_count + 1; END LOOP; RAISE NOTICE 'Permission grant process completed. Processed % tables.', table_count; END; $$;

 

Options 2: Version without RAISE NOTICE

DO $$ declare t record; BEGIN FOR t IN SELECT table_schema, table_name from information_schema.tables where table_schema not in ('pg_catalog','information_schema') LOOP execute format('GRANT INSERT, SELJ

 

Step 2 – Create Changelog Properties for Replacement Variables

If the script requires different values based upon context or labels, create the required properties. Go the Project Settings in the Datical GUI and select Manage Properties.

Setting up Property Substitution

Add the properties to be used by the script along with the Context or Label where the property value should be applied. Within the script specify the Property Key using the syntax ${property_key}.

Step 3 – Add the ChangeSet to the ChangeLog

From the Datical GUI, Select “Add a Change Set”.

Add a Change Set

 

Option 1: Using psql (preferred)

This option allows the RAISE NOTICE Execution Output to display.

  1. Scroll down and select the “Execute with psql for Postgres Databases” change type.

image-20250808-143401.png
psql Change Type

  1. Browse to select the file.

image-20250808-143551.png

  1. On the next screen select Finalize

  2. On the Create Change Set screen:

  3. Enter the ChangeSet ID (any text string) and the Author.

  4. Set the Execution Settings to:

“Redeploy this Change Set every time the contents are modified” – Allows modification of the SQL file saved to the resources directory. Without this there will be “checksum” errors if the file is modified.

“Deploy this Change Set every time a deployment is performed” – Changeset will be run for every Deployment.

  1. Set Deploy Order to “After Other Change Sets”.

  1. Save changes by selecting: File >> Save.

  2. Add, Commit, and Push the changes to the SCM.

 

Option 2: Using JDBC

Note: You will not receive the RAISE NOTICE Execution Output using this method.

  1. Scroll down and select the “Execute a SQL script file using JDBC”/“Custom SQL (External File)” change type. Note that “Execute a SQL script file using JDBC” is the newer name, and “Custom SQL (External File)” is the older name for the same change type.

JDBC Change Type

 

  1. Browse to select the file. Deselect Split Statements.

  1. On the next screen select Finalize

  2. On the Create Change Set screen:

  3. Enter the ChangeSet ID (any text string) and the Author.

  4. Set the Execution Settings to:

“Redeploy this Change Set every time the contents are modified” – Allows modification of the SQL file saved to the resources directory. Without this there will be “checksum” errors if the file is modified.

“Deploy this Change Set every time a deployment is performed” – Changeset will be run for every Deployment.

  1. Set Deploy Order to “After Other Change Sets”.

  1. Save changes by selecting: File >> Save.

  2. Add, Commit, and Push the changes to the SCM.

Step 5 – Test the New Change Set

Package and deploy a simple “CREATE TABLE” script. Verify that the grants are applied to the new table.

 

Sample Execution Output

Using RAISE NOTICE with a psql execution should result in Execution Output such as

stdout: \set ON_ERROR_STOP on SET SEARCH_PATH TO 'public'; SET DO $$ DECLARE t record; table_count integer := 0; BEGIN RAISE NOTICE 'Starting permission grant process...'; FOR t IN SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema NOT IN ('pg_catalog','information_schema') LOOP -- Log each table being processed RAISE NOTICE 'Granting permissions on %.% to postgres', t.table_schema, t.table_name; EXECUTE format('GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE %I.%I TO postgres', t.table_schema, t.table_name); table_count := table_count + 1; END LOOP; RAISE NOTICE 'Permission grant process completed. Processed % tables.', table_count; END; $$; psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Starting permission grant process... psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.transact_table_11 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_05 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_06 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_10 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_04 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_archived_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on liquibase.databasechangeloglock to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_04 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0010 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_11 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_12 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0015 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0016 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0017 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0018 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0019 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0020 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0021 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0022 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0023 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0025 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.bank_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_others to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_others_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.branch_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.customers to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.customers_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.contactmaster_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on party_master.films_05 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.customers_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_active_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_archived_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.tbl_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.tg_test_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_active to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_active_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_others_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.cust_archived to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0011 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0014 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0024 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0026 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_010 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_011 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_012 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.comedies_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_013 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_015 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_016 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_017 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.existing_view_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.existing_view_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.existing_view_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_03 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_05 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_06 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_07 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.holdingcompany_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on party_master.party_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.md_sourcesystem_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_018 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.films_02 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0012 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.emp_0013 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on abc.transact_table_01 to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Granting permissions on liquibase.databasechangelog to postgres psql:C:/Users/AmySmith/AppData/Local/Temp/liquibase-psql-14470032470474213604.sql:51: NOTICE: Permission grant process completed. Processed 68 tables. DO

Copyright © Datical 2012-2020 - Proprietary and Confidential