# Appendix --- ## Appendix: Built-in roles ## `Public` role All roles in Materialize are automatically members of [`PUBLIC`](/security/appendix/appendix-built-in-roles/#public-role). As such, every role includes inherited privileges from `PUBLIC`. By default, the `PUBLIC` role has the following privileges: **Baseline privileges via PUBLIC role:** | Privilege | Description | On database object(s) | | --- | --- | --- | | USAGE | Permission to use or reference an object. | | **Default privileges on future objects set up for PUBLIC:** | Object(s) | Object owner | Default Privilege | Granted to | Description | | --- | --- | --- | --- | --- | | TYPE | PUBLIC | USAGE | PUBLIC | When a data type is created (regardless of the owner), all roles are granted the USAGE privilege. However, to use a data type, the role must also have USAGE privilege on the schema containing the type. | Default privileges apply only to objects created after these privileges are defined. They do not affect objects that were created before the default privileges were set. You can modify the privileges of your organization's `PUBLIC` role as well as the define default privileges for `PUBLIC`. ## System catalog roles Certain internal objects may only be queried by superusers or by users belonging to a particular builtin role, which superusers may [grant](/sql/grant-role). These include the following: | Name | Description | |-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `mz_monitor` | Grants access to objects that reveal actions taken by other users, in particular, SQL statements they have issued. Includes [`mz_recent_activity_log`](/reference/system-catalog/mz_internal#mz_recent_activity_log) and [`mz_notices`](/reference/system-catalog/mz_internal#mz_notices). | | `mz_monitor_redacted` | Grants access to objects that reveal less sensitive information about actions taken by other users, for example, SQL statements they have issued with constant values redacted. Includes `mz_recent_activity_log_redacted`, [`mz_notices_redacted`](/reference/system-catalog/mz_internal#mz_notices_redacted), and [`mz_statement_lifecycle_history`](/reference/system-catalog/mz_internal#mz_statement_lifecycle_history). | --- ## Appendix: Privileges > **Note:** Various SQL operations require additional privileges on related objects, such > as: > - For objects that use compute resources (e.g., indexes, materialized views, > replicas, sources, sinks), access is also required for the associated cluster. > - For objects in a schema, access is also required for the schema. > For details on SQL operations and needed privileges, see [Appendix: Privileges > by command](/security/appendix/appendix-command-privileges/). The following privileges are available in Materialize: **By Privilege:** | Privilege | Description | Abbreviation | Applies to | | --- | --- | --- | --- | | SELECT | Permission to read rows from an object. | r | | | INSERT | Permission to insert rows into an object. | a | | | UPDATE |

Permission to modify rows in an object.

Modifying rows may also require SELECT if a read is needed to determine which rows to update.

| w | | | DELETE |

Permission to delete rows from an object.

Deleting rows may also require SELECT if a read is needed to determine which rows to delete.

| d | | | CREATE | Permission to create a new objects within the specified object. | C | | | USAGE | Permission to use or reference an object (e.g., schema/type lookup). | U | | | CREATEROLE |

Permission to create/modify/delete roles and manage role memberships for any role in the system.

> **Warning:** Roles with the `CREATEROLE` privilege can obtain the privileges of any other > role in the system by granting themselves that role. Avoid granting > `CREATEROLE` unnecessarily. | R | | | CREATEDB | Permission to create new databases. | B | | | CREATECLUSTER | Permission to create new clusters. | N | | | CREATENETWORKPOLICY | Permission to create network policies to control access at the network layer. | P | | **By Object:** | Object | Privileges | | --- | --- | | CLUSTER | | | CONNECTION | | | DATABASE | | | MATERIALIZED VIEW | | | SCHEMA | | | SECRET | | | SOURCE | | | SYSTEM | | | TABLE | | | TYPE | | | VIEW | | --- ## Appendix: Privileges by commands | Command | Privileges | | --- | --- | | ALTER CLUSTER | | | ALTER CLUSTER REPLICA | | | ALTER CONNECTION | | | ALTER DATABASE | | | ALTER DEFAULT PRIVILEGES | | | ALTER INDEX | | | ALTER MATERIALIZED VIEW | | | ALTER NETWORK POLICY | | | ALTER ROLE | | | ALTER SCHEMA | | | ALTER SECRET | | | ALTER SINK | | | ALTER SOURCE | | | ALTER SYSTEM RESET | | | ALTER SYSTEM SET | | | ALTER TABLE | | | ALTER TYPE | | | ALTER VIEW | | | COMMENT ON | | | COPY FROM | | | COPY TO | | | CREATE CLUSTER | | | CREATE CLUSTER REPLICA | | | CREATE CONNECTION | | | CREATE DATABASE | | | CREATE INDEX | | | CREATE MATERIALIZED VIEW | | | CREATE NETWORK POLICY | | | CREATE ROLE | | | CREATE SCHEMA | | | CREATE SECRET | | | CREATE SINK | | | CREATE SOURCE | | | CREATE TABLE | | | CREATE TYPE | | | CREATE VIEW | | | DELETE | | | DROP CLUSTER REPLICA | | | DROP CLUSTER | | | DROP CONNECTION | | | DROP DATABASE | | | DROP INDEX | | | DROP MATERIALIZED VIEW | | | DROP NETWORK POLICY | | | DROP OWNED | | | DROP ROLE | | | DROP SCHEMA | | | DROP SECRET | | | DROP SINK | | | DROP SOURCE | | | DROP TABLE | | | DROP TYPE | | | DROP USER | | | DROP VIEW | | | EXPLAIN ANALYZE | | | EXPLAIN FILTER PUSHDOWN | | | EXPLAIN PLAN | | | EXPLAIN SCHEMA | | | EXPLAIN TIMESTAMP | | | GRANT PRIVILEGE | | | GRANT ROLE | | | INSERT | | | REASSIGN OWNED | | | REVOKE PRIVILEGE | | | REVOKE ROLE | | | SELECT | | | SHOW COLUMNS | | | SHOW CREATE CLUSTER | There are no privileges required to execute this statement. | | SHOW CREATE CONNECTION | | | SHOW CREATE INDEX | | | SHOW CREATE MATERIALIZED VIEW | | | SHOW CREATE TYPE | | | SHOW CREATE SINK | | | SHOW CREATE SOURCE | | | SHOW CREATE TABLE | | | SHOW CREATE VIEW | | | SUBSCRIBE | | | UPDATE | | | VALIDATE CONNECTION | |