Movatterモバイル変換

Table 8.2 Permissible Static Privileges for GRANT and REVOKE

Table 8.3 Permissible Dynamic Privileges for GRANT and REVOKE

• ALL,ALL PRIVILEGES

  These privilege specifiers are shorthand for“all privileges available at a given privilege level” (exceptGRANT OPTION). For example, grantingALL at the global or table level grants all global privileges or all table-level privileges, respectively.

• ALTER

  Enables use of theALTER TABLE statement to change the structure of tables.ALTER TABLE also requires theCREATE andINSERT privileges. Renaming a table requiresALTER andDROP on the old table,CREATE, andINSERT on the new table.

• ALTER ROUTINE

  Enables use of statements that alter or drop stored routines (stored procedures and functions). For routines that fall within the scope at which the privilege is granted and for which the user is not the user named as the routineDEFINER, also enables access to routine properties other than the routine definition.

• CREATE

  Enables use of statements that create new databases and tables.

• CREATE ROLE

  Enables use of theCREATE ROLE statement. (TheCREATE USER privilege also enables use of theCREATE ROLE statement.) SeeSection 8.2.10, “Using Roles”.

  TheCREATE ROLE andDROP ROLE privileges are not as powerful asCREATE USER because they can be used only to create and drop accounts. They cannot be used asCREATE USER can be modify account attributes or rename accounts. SeeUser and Role Interchangeability.

• CREATE ROUTINE

  Enables use of statements that create stored routines (stored procedures and functions). For routines that fall within the scope at which the privilege is granted and for which the user is not the user named as the routineDEFINER, also enables access to routine properties other than the routine definition.

• CREATE TABLESPACE

  Enables use of statements that create, alter, or drop tablespaces and log file groups.

• CREATE TEMPORARY TABLES

  Enables the creation of temporary tables using theCREATE TEMPORARY TABLE statement.

  After a session has created a temporary table, the server performs no further privilege checks on the table. The creating session can perform any operation on the table, such asDROP TABLE,INSERT,UPDATE, orSELECT. For more information, seeSection 15.1.24.2, “CREATE TEMPORARY TABLE Statement”.

• CREATE USER

  Enables use of theALTER USER,CREATE ROLE,CREATE USER,DROP ROLE,DROP USER,RENAME USER, andREVOKE ALL PRIVILEGES statements.

• CREATE VIEW

  Enables use of theCREATE VIEW statement.

• DELETE

  Enables rows to be deleted from tables in a database.

• DROP

  Enables use of statements that drop (remove) existing databases, tables, and views. TheDROP privilege is required to use theALTER TABLE ... DROP PARTITION statement on a partitioned table. TheDROP privilege is also required forTRUNCATE TABLE.

• DROP ROLE

  Enables use of theDROP ROLE statement. (TheCREATE USER privilege also enables use of theDROP ROLE statement.) SeeSection 8.2.10, “Using Roles”.

  TheCREATE ROLE andDROP ROLE privileges are not as powerful asCREATE USER because they can be used only to create and drop accounts. They cannot be used asCREATE USER can be modify account attributes or rename accounts. SeeUser and Role Interchangeability.

• EVENT

  Enables use of statements that create, alter, drop, or display events for the Event Scheduler.

• EXECUTE

  Enables use of statements that execute stored routines (stored procedures and functions). For routines that fall within the scope at which the privilege is granted and for which the user is not the user named as the routineDEFINER, also enables access to routine properties other than the routine definition.

• FILE

  Affects the following operations and server behaviors:

  • Enables reading and writing files on the server host using theLOAD DATA andSELECT ... INTO OUTFILE statements and theLOAD_FILE() function. A user who has theFILE privilege can read any file on the server host that is either world-readable or readable by the MySQL server. (This implies the user can read any file in any database directory, because the server can access any of those files.)

  • Enables creating new files in any directory where the MySQL server has write access. This includes the server's data directory containing the files that implement the privilege tables.

  • Enables use of theDATA DIRECTORY orINDEX DIRECTORY table option for theCREATE TABLE statement.

  As a security measure, the server does not overwrite existing files.

  To limit the location in which files can be read and written, set thesecure_file_priv system variable to a specific directory. SeeSection 7.1.8, “Server System Variables”.

• GRANT OPTION

  Enables you to grant to or revoke from other users those privileges that you yourself possess.

• INDEX

  Enables use of statements that create or drop (remove) indexes.INDEX applies to existing tables. If you have theCREATE privilege for a table, you can include index definitions in theCREATE TABLE statement.

• INSERT

  Enables rows to be inserted into tables in a database.INSERT is also required for theANALYZE TABLE,OPTIMIZE TABLE, andREPAIR TABLE table-maintenance statements.

• LOCK TABLES

  Enables use of explicitLOCK TABLES statements to lock tables for which you have theSELECT privilege. This includes use of write locks, which prevents other sessions from reading the locked table.

• PROCESS

  ThePROCESS privilege controls access to information about threads executing within the server (that is, information about statements being executed by sessions). Thread information available using theSHOW PROCESSLIST statement, themysqladmin processlist command, the Information SchemaPROCESSLIST table, and the Performance Schemaprocesslist table is accessible as follows:

  • With thePROCESS privilege, a user has access to information about all threads, even those belonging to other users.

  • Without thePROCESS privilege, nonanonymous users have access to information about their own threads but not threads for other users, and anonymous users have no access to thread information.

  Note

  The Performance Schemathreads table also provides thread information, but table access uses a different privilege model. SeeSection 29.12.22.10, “The threads Table”.

  ThePROCESS privilege also enables use of theSHOW ENGINE statement, access to theINFORMATION_SCHEMAInnoDB tables (tables with names that begin withINNODB_), and access to theINFORMATION_SCHEMAFILES table.

• PROXY

  Enables one user to impersonate or become known as another user. SeeSection 8.2.19, “Proxy Users”.

• REFERENCES

  Creation of a foreign key constraint requires theREFERENCES privilege for the parent table.

• RELOAD

  TheRELOAD enables the following operations:

  • Use of theFLUSH statement.

  • Use ofmysqladmin commands that are equivalent toFLUSH operations:flush-hosts,flush-logs,flush-privileges,flush-status,flush-tables,refresh, andreload.

    Thereload command tells the server to reload the grant tables into memory.flush-privileges is a synonym forreload. Therefresh command closes and reopens the log files and flushes all tables. The otherflush-xxx commands perform functions similar torefresh, but are more specific and may be preferable in some instances. For example, if you want to flush just the log files,flush-logs is a better choice thanrefresh.

  • Use ofmysqldump options that perform variousFLUSH operations:--flush-logs and--source-data.

  • Use of theRESET BINARY LOGS AND GTIDS andRESET REPLICA statements.

• REPLICATION CLIENT

  Enables use of theSHOW BINARY LOG STATUS,SHOW REPLICA STATUS, andSHOW BINARY LOGS statements.

• REPLICATION SLAVE

  Enables the account to request updates that have been made to databases on the replication source server, using theSHOW REPLICAS,SHOW RELAYLOG EVENTS, andSHOW BINLOG EVENTS statements. This privilege is also required to use themysqlbinlog options--read-from-remote-server (-R) and--read-from-remote-source. Grant this privilege to accounts that are used by replicas to connect to the current server as their replication source server.

• SELECT

  Enables rows to be selected from tables in a database.SELECT statements require theSELECT privilege only if they actually access tables. SomeSELECT statements do not access tables and can be executed without permission for any database. For example, you can useSELECT as a simple calculator to evaluate expressions that make no reference to tables:

  SELECT 1+1;SELECT PI()*2;

  TheSELECT privilege is also needed for other statements that read column values. For example,SELECT is needed for columns referenced on the right hand side ofcol_name=expr assignment inUPDATE statements or for columns named in theWHERE clause ofDELETE orUPDATE statements.

  TheSELECT privilege is needed for tables or views used withEXPLAIN, including any underlying tables in view definitions.

• SHOW DATABASES

  Enables the account to see database names by issuing theSHOW DATABASE statement. Accounts that do not have this privilege see only databases for which they have some privileges, and cannot use the statement at all if the server was started with the--skip-show-database option.

  Caution

  Because any static global privilege is considered a privilege for all databases, any static global privilege enables a user to see all database names withSHOW DATABASES or by examining theSCHEMATA table ofINFORMATION_SCHEMA, except databases that have been restricted at the database level by partial revokes.

• SHOW VIEW

  Enables use of theSHOW CREATE VIEW statement. This privilege is also needed for views used withEXPLAIN.

• SHUTDOWN

  Enables use of theSHUTDOWN andRESTART statements, themysqladmin shutdown command, and themysql_shutdown() C API function.

• SUPER

  SUPER is a powerful and far-reaching privilege and should not be granted lightly. If an account needs to perform only a subset ofSUPER operations, it may be possible to achieve the desired privilege set by instead granting one or more dynamic privileges, each of which confers more limited capabilities. SeeDynamic Privilege Descriptions.

  Note

  SUPER is deprecated, and you should expect it to be removed in a future version of MySQL. SeeMigrating Accounts from SUPER to Dynamic Privileges.

  SUPER affects the following operations and server behaviors:

  • Enables system variable changes at runtime:

    • Enables server configuration changes to global system variables withSET GLOBAL andSET PERSIST.

      The corresponding dynamic privilege isSYSTEM_VARIABLES_ADMIN.

    • Enables setting restricted session system variables that require a special privilege.

      The corresponding dynamic privilege isSESSION_VARIABLES_ADMIN.

    See alsoSection 7.1.9.1, “System Variable Privileges”.

  • Enables changes to global transaction characteristics (seeSection 15.3.7, “SET TRANSACTION Statement”).

    The corresponding dynamic privilege isSYSTEM_VARIABLES_ADMIN.

  • Enables the account to start and stop replication, including Group Replication.

    The corresponding dynamic privilege isREPLICATION_SLAVE_ADMIN for regular replication,GROUP_REPLICATION_ADMIN for Group Replication.

  • Enables use ofCHANGE REPLICATION SOURCE TO andCHANGE REPLICATION FILTER statements.

    The corresponding dynamic privilege isREPLICATION_SLAVE_ADMIN.

  • Enables binary log control by means of thePURGE BINARY LOGS andBINLOG statements.

    The corresponding dynamic privilege isBINLOG_ADMIN.

  • Enables setting the effective authorization ID when executing a view or stored program. A user with this privilege can specify any account in theDEFINER attribute of a view or stored program.

    The corresponding dynamic privileges areSET_ANY_DEFINER andALLOW_NONEXISTENT_DEFINER.

  • Enables use of theCREATE SERVER,ALTER SERVER, andDROP SERVER statements.

  • Enables use of themysqladmin debug command.

  • EnablesInnoDB encryption key rotation.

    The corresponding dynamic privilege isENCRYPTION_KEY_ADMIN.

  • Enables execution of deprecated Version Tokens functions.

    The corresponding dynamic privilege isVERSION_TOKEN_ADMIN, which is deprecated.

  • Enables granting and revoking roles, use of theWITH ADMIN OPTION clause of theGRANT statement, and nonempty<graphml> element content in the result from theROLES_GRAPHML() function.

    The corresponding dynamic privilege isROLE_ADMIN.

  • Enables control over client connections not permitted to non-SUPER accounts:

    • Enables use of theKILL statement ormysqladmin kill command to kill threads belonging to other accounts. (An account can always kill its own threads.)

    • The server does not executeinit_connect system variable content whenSUPER clients connect.

    • The server accepts one connection from aSUPER client even if the connection limit configured by themax_connections system variable is reached.

    • A server in offline mode (offline_mode enabled) does not terminateSUPER client connections at the next client request, and accepts new connections fromSUPER clients.

    • Updates can be performed even when theread_only system variable is enabled. This applies to explicit table updates, and to use of account-management statements such asGRANT andREVOKE that update tables implicitly.

    The corresponding dynamic privilege for the preceding connection control operations isCONNECTION_ADMIN.

  You may also need theSUPER privilege to create or alter stored functions if binary logging is enabled, as described inSection 27.9, “Stored Program Binary Logging”.

• TRIGGER

  Enables trigger operations. You must have this privilege for a table to create, drop, execute, or display triggers for that table.

  When a trigger is activated (by a user who has privileges to executeINSERT,UPDATE, orDELETE statements for the table associated with the trigger), trigger execution requires that the user who defined the trigger still have theTRIGGER privilege for the table.

• UPDATE

  Enables rows to be updated in tables in a database.

• USAGE

  This privilege specifier stands for“no privileges.” It is used at the global level withGRANT to specify clauses such asWITH GRANT OPTION without naming specific account privileges in the privilege list.SHOW GRANTS displaysUSAGE to indicate that an account has no privileges at a privilege level.

• ALLOW_NONEXISTENT_DEFINER

  Enables overriding security checks designed to prevent operations that (perhaps inadvertently) cause stored objects to become orphaned or that cause adoption of stored objects that are currently orphaned. Without this privilege, any attempt to produce an orphaned SQL procedure, function, or view results in an error. An attempt to produce orphaned objects usingCREATE PROCEDURE,CREATE FUNCTION,CREATE TRIGGER,CREATE EVENT, orCREATE VIEW also requiresSET_ANY_DEFINER in addition toALLOW_NONEXISTENT_DEFINER, so that a definer different from the current user is permissible.

  For details, seeOrphan Stored Objects.

• APPLICATION_PASSWORD_ADMIN

  For dual-password capability, this privilege enables use of theRETAIN CURRENT PASSWORD andDISCARD OLD PASSWORD clauses forALTER USER andSET PASSWORD statements that apply to your own account. This privilege is required to manipulate your own secondary password because most users require only one password.

  If an account is to be permitted to manipulate secondary passwords for all accounts, it should be granted theCREATE USER privilege rather thanAPPLICATION_PASSWORD_ADMIN.

  For more information about use of dual passwords, seeSection 8.2.15, “Password Management”.

• AUDIT_ABORT_EXEMPT

  Allows queries blocked by an“abort” item in the audit log filter. This privilege is defined by theaudit_log plugin; seeSection 8.4.6, “MySQL Enterprise Audit”.

  Accounts created with theSYSTEM_USER privilege have theAUDIT_ABORT_EXEMPT privilege assigned automatically when they are created. TheAUDIT_ABORT_EXEMPT privilege is also assigned to existing accounts with theSYSTEM_USER privilege when you carry out an upgrade procedure, if no existing accounts have that privilege assigned. Accounts with theSYSTEM_USER privilege can therefore be used to regain access to a system following an audit misconfiguration.

• AUDIT_ADMIN

  Enables audit log configuration. This privilege is defined by theaudit_log plugin; seeSection 8.4.6, “MySQL Enterprise Audit”.

• BACKUP_ADMIN

  Enables execution of theLOCK INSTANCE FOR BACKUP statement and access to the Performance Schemalog_status table.

  Note

  BesidesBACKUP_ADMIN, theSELECT privilege on thelog_status table is also needed for its access.

  TheBACKUP_ADMIN privilege is automatically granted to users with theRELOAD privilege when performing an in-place upgrade to MySQL 9.4 from an earlier version.

• AUTHENTICATION_POLICY_ADMIN

  Theauthentication_policy system variable places certain constraints on how the authentication-related clauses ofCREATE USER andALTER USER statements may be used. A user who has theAUTHENTICATION_POLICY_ADMIN privilege is not subject to these constraints. (A warning does occur for statements that otherwise would not be permitted.)

  For details about the constraints imposed byauthentication_policy, see the description of that variable.

• BINLOG_ADMIN

  Enables binary log control by means of thePURGE BINARY LOGS andBINLOG statements.

• BINLOG_ENCRYPTION_ADMIN

  Enables setting the system variablebinlog_encryption, which activates or deactivates encryption for binary log files and relay log files. This ability is not provided by theBINLOG_ADMIN,SYSTEM_VARIABLES_ADMIN, orSESSION_VARIABLES_ADMIN privileges. The related system variablebinlog_rotate_encryption_master_key_at_startup, which rotates the binary log master key automatically when the server is restarted, does not require this privilege.

• CLONE_ADMIN

  Enables execution of theCLONE statements. IncludesBACKUP_ADMIN andSHUTDOWN privileges.

• CONNECTION_ADMIN

  Enables use of theKILL statement ormysqladmin kill command to kill threads belonging to other accounts. (An account can always kill its own threads.)

  Enables setting system variables related to client connections, or circumventing restrictions related to client connections.CONNECTION_ADMIN is required to activate MySQL Server’s offline mode, which is done by changing the value of theoffline_mode system variable toON.

  TheCONNECTION_ADMIN privilege enables administrators with it to bypass effects of these system variables:

  • init_connect: The server does not executeinit_connect system variable content whenCONNECTION_ADMIN clients connect.

  • max_connections: The server accepts one connection from aCONNECTION_ADMIN client even if the connection limit configured by themax_connections system variable is reached.

  • offline_mode: A server in offline mode (offline_mode enabled) does not terminateCONNECTION_ADMIN client connections at the next client request, and accepts new connections fromCONNECTION_ADMIN clients.

  • read_only: Updates fromCONNECTION_ADMIN clients can be performed even when theread_only system variable is enabled. This applies to explicit table updates, and to account management statements such asGRANT andREVOKE that update tables implicitly.

  Group Replication group members need theCONNECTION_ADMIN privilege so that Group Replication connections are not terminated if one of the servers involved is placed in offline mode. If the MySQL communication stack is in use (group_replication_communication_stack = MYSQL), without this privilege, a member that is placed in offline mode is expelled from the group.

• CREATE_SPATIAL_REFERENCE_SYSTEM

  Enables use of the statementsCREATE SPATIAL REFERENCE SYSTEM,CREATE OR REPLACE SPATIAL REFERENCE SYSTEM, andDROP SPATIAL REFERENCE SYSTEM. Trying to execute any of these statements without having this privilege (or theSUPER privilege) now raises the errorER_CMD_NEED_SUPER_OR_CREATE_SPATIAL_REFERENCE_SYSTEM.

  Use of this privilege is intended to supersede the use ofSUPER for this purpose, which should be considered deprecated.

• ENCRYPTION_KEY_ADMIN

  EnablesInnoDB encryption key rotation.

• EXPORT_QUERY_RESULTS

  Allows the user to export query results to an OCI or AWS object store.

  Applies to MySQL HeatWave only.

• FIREWALL_ADMIN

  Enables a user to administer firewall rules for any user. This privilege is defined by theMYSQL_FIREWALL plugin; seeSection 8.4.8, “MySQL Enterprise Firewall”.

• FIREWALL_EXEMPT

  A user with this privilege is exempt from firewall restrictions. This privilege is defined by theMYSQL_FIREWALL plugin; seeSection 8.4.8, “MySQL Enterprise Firewall”.

• FIREWALL_USER

  Enables users to update their own firewall rules. This privilege is defined by the MySQL Enterprise Firewall plugin (seeSection 8.4.8.1, “The MySQL Enterprise Firewall Plugin”).

  Like the firewall plugin, this privilege is deprecated in MySQL 9.4.0, and is subject to removal in a future version.FIREWALL_USER is not supported by the MySQL Enterprise Firewall component (seeSection 8.4.8.2, “The MySQL Enterprise Firewall Component”), which replaces the plugin.

• FLUSH_OPTIMIZER_COSTS

  Enables use of theFLUSH OPTIMIZER_COSTS statement.

• FLUSH_PRIVILEGES

  Enables use of theFLUSH PRIVILEGES statement.

  Deprecated, along with theFLUSH PRIVILEGES statement; expect this privilege to be removed in a future version of MySQL. Granting theFLUSH_PRIVILEGES privilege triggers a deprecation warning.

• FLUSH_STATUS

  Enables use of theFLUSH STATUS statement.

• FLUSH_TABLES

  Enables use of theFLUSH TABLES statement.

• FLUSH_USER_RESOURCES

  Enables use of theFLUSH USER_RESOURCES statement.

• GROUP_REPLICATION_ADMIN

  Enables the account to start and stop Group Replication using theSTART GROUP REPLICATION andSTOP GROUP REPLICATION statements, to change the global setting for thegroup_replication_consistency system variable, and to use thegroup_replication_set_write_concurrency() andgroup_replication_set_communication_protocol() functions. Grant this privilege to accounts that are used to administer servers that are members of a replication group.

• GROUP_REPLICATION_STREAM

  Allows a user account to be used for establishing Group Replication's group communication connections. It must be granted to a recovery user when the MySQL communication stack is used for Group Replication (group_replication_communication_stack=MYSQL).

• INNODB_REDO_LOG_ARCHIVE

  Enables the account to activate and deactivate redo log archiving.

• INNODB_REDO_LOG_ENABLE

  Enables use of theALTER INSTANCE {ENABLE|DISABLE} INNODB REDO_LOG statement to enable or disable redo logging.

  SeeDisabling Redo Logging.

• MASKING_DICTIONARIES_ADMIN

  Enables the account to add and remove dictionary terms using themasking_dictionary_term_add() andmasking_dictionary_term_remove() component functions. Accounts also require this dynamic privilege to remove a full dictionary using themasking_dictionary_remove() function, which removes all of the terms associated with the named dictionary currently in themysql.masking_dictionaries table.

  SeeSection 8.5, “MySQL Enterprise Data Masking”.

• NDB_STORED_USER

  Enables the user or role and its privileges to be shared and synchronized between allNDB-enabled MySQL servers as soon as they join a given NDB Cluster. This privilege is available only if theNDB storage engine is enabled.

  Any changes to or revocations of privileges made for the given user or role are synchronized immediately with all connected MySQL servers (SQL nodes). You should be aware that there is no guarantee that multiple statements affecting privileges originating from different SQL nodes are executed on all SQL nodes in the same order. For this reason, it is highly recommended that all user administration be done from a single designated SQL node.

  NDB_STORED_USER is a global privilege and must be granted or revoked usingON *.*. Trying to set any other scope for this privilege results in an error. This privilege can be given to most application and administrative users, but it cannot be granted to system reserved accounts such asmysql.session@localhost ormysql.infoschema@localhost.

  A user that has been granted theNDB_STORED_USER privilege is stored inNDB (and thus shared by all SQL nodes), as is a role with this privilege. A user that is merely granted a role that hasNDB_STORED_USER isnot stored inNDB; eachNDB stored user must be granted the privilege explicitly.

  For more detailed information about how this works inNDB, seeSection 25.6.13, “Privilege Synchronization and NDB_STORED_USER”.

• OPTIMIZE_LOCAL_TABLE

  Enables use ofOPTIMIZE LOCAL TABLE andOPTIMIZE NO_WRITE_TO_BINLOG TABLE statements.

• OPTION_TRACKER_OBSERVER

  This privilege provides write access to themysql_option.option_usage table; both the privilege and the table are supplied by the Option Tracker component. For more information, seeSection 7.5.8, “Option Tracker Component”.

• OPTION_TRACKER_UPDATER

  This privilege is required for write access to themysql_option.option_usage table; both the privilege and the table are supplied by the Option Tracker component. For more information, seeSection 7.5.8, “Option Tracker Component”.

• PASSWORDLESS_USER_ADMIN

  This privilege applies to passwordless user accounts:

  • For account creation, a user who executesCREATE USER to create a passwordless account must possess thePASSWORDLESS_USER_ADMIN privilege.

  • In replication context, thePASSWORDLESS_USER_ADMIN privilege applies to replication users and enables replication ofALTER USER ... MODIFY statements for user accounts that are configured for passwordless authentication.

  For information about passwordless authentication, seeWebAuthn Passwordless Authentication.

• PERSIST_RO_VARIABLES_ADMIN

  For users who also haveSYSTEM_VARIABLES_ADMIN,PERSIST_RO_VARIABLES_ADMIN enables use ofSET PERSIST_ONLY to persist global system variables to themysqld-auto.cnf option file in the data directory. This statement is similar toSET PERSIST but does not modify the runtime global system variable value. This makesSET PERSIST_ONLY suitable for configuring read-only system variables that can be set only at server startup.

  See alsoSection 7.1.9.1, “System Variable Privileges”.

• REPLICATION_APPLIER

  Enables the account to act as thePRIVILEGE_CHECKS_USER for a replication channel, and to executeBINLOG statements inmysqlbinlog output. Grant this privilege to accounts that are assigned usingCHANGE REPLICATION SOURCE TO to provide a security context for replication channels, and to handle replication errors on those channels. As well as theREPLICATION_APPLIER privilege, you must also give the account the required privileges to execute the transactions received by the replication channel or contained in themysqlbinlog output, for example to update the affected tables. For more information, seeSection 19.3.3, “Replication Privilege Checks”.

• REPLICATION_SLAVE_ADMIN

  Enables the account to connect to the replication source server, start and stop replication using theSTART REPLICA andSTOP REPLICA statements, and use theCHANGE REPLICATION SOURCE TO andCHANGE REPLICATION FILTER statements. Grant this privilege to accounts that are used by replicas to connect to the current server as their replication source server. This privilege does not apply to Group Replication; useGROUP_REPLICATION_ADMIN for that.

• RESOURCE_GROUP_ADMIN

  Enables resource group management, consisting of creating, altering, and dropping resource groups, and assignment of threads and statements to resource groups. A user with this privilege can perform any operation relating to resource groups.

• RESOURCE_GROUP_USER

  Enables assigning threads and statements to resource groups. A user with this privilege can use theSET RESOURCE GROUP statement and theRESOURCE_GROUP optimizer hint.

• ROLE_ADMIN

  Enables granting and revoking roles, use of theWITH ADMIN OPTION clause of theGRANT statement, and nonempty<graphml> element content in the result from theROLES_GRAPHML() function. Required to set the value of themandatory_roles system variable.

• SENSITIVE_VARIABLES_OBSERVER

  Enables a holder to view the values of sensitive system variables in the Performance Schema tablesglobal_variables,session_variables,variables_by_thread, andpersisted_variables, to issueSELECT statements to return their values, and to track changes to them in session trackers for connections. Users without this privilege cannot view or track those system variable values. SeePersisting Sensitive System Variables.

• SERVICE_CONNECTION_ADMIN

  Enables connections to the network interface that permits only administrative connections (seeSection 7.1.12.1, “Connection Interfaces”).

• SESSION_VARIABLES_ADMIN

  For most system variables, setting the session value requires no special privileges and can be done by any user to affect the current session. For some system variables, setting the session value can have effects outside the current session and thus is a restricted operation. For these, theSESSION_VARIABLES_ADMIN privilege enables the user to set the session value.

  If a system variable is restricted and requires a special privilege to set the session value, the variable description indicates that restriction. Examples includebinlog_format,sql_log_bin, andsql_log_off.

  TheSESSION_VARIABLES_ADMIN privilege is a subset of theSYSTEM_VARIABLES_ADMIN andSUPER privileges. A user who has either of those privileges is also permitted to set restricted session variables and effectively hasSESSION_VARIABLES_ADMIN by implication and need not be grantedSESSION_VARIABLES_ADMIN explicitly.

  See alsoSection 7.1.9.1, “System Variable Privileges”.

• SET_ANY_DEFINER

  Enables setting the effective authorization ID when executing a view or stored program. A user with this privilege can specify any account as theDEFINER attribute forCREATE PROCEDURE,CREATE FUNCTION,CREATE TRIGGER,CREATE EVENT,ALTER EVENT,CREATE VIEW, andALTER VIEW. Without this privilege, only the effective authentication ID can be specified.

  Stored programs execute with the privileges of the specified account, so ensure that you follow the risk minimization guidelines listed inSection 27.8, “Stored Object Access Control”.

• SHOW_ROUTINE

  Enables a user to access definitions and properties of all stored routines (stored procedures and functions), even those for which the user is not named as the routineDEFINER. This access includes:

  • The contents of the Information SchemaROUTINES table.

  • TheSHOW CREATE FUNCTION andSHOW CREATE PROCEDURE statements.

  • TheSHOW FUNCTION CODE andSHOW PROCEDURE CODE statements.

  • TheSHOW FUNCTION STATUS andSHOW PROCEDURE STATUS statements.

  SHOW_ROUTINE may be granted instead as a privilege with a more restricted scope that permits access to routine definitions. (That is, an administrator can rescind globalSELECT from users that do not otherwise require it and grantSHOW_ROUTINE instead.) This enables an account to back up stored routines without requiring a broad privilege.

• SKIP_QUERY_REWRITE

  Queries issued by a user with this privilege are not subject to being rewritten by theRewriter plugin (seeSection 7.6.4, “The Rewriter Query Rewrite Plugin”).

  This privilege should be granted to users issuing administrative or control statements that should not be rewritten, as well as toPRIVILEGE_CHECKS_USER accounts (seeSection 19.3.3, “Replication Privilege Checks”) used to apply statements from a replication source.

• SYSTEM_USER

  TheSYSTEM_USER privilege distinguishes system users from regular users:

  • A user with theSYSTEM_USER privilege is a system user.

  • A user without theSYSTEM_USER privilege is a regular user.

  TheSYSTEM_USER privilege has an effect on the accounts to which a given user can apply its other privileges, as well as whether the user is protected from other accounts:

  • A system user can modify both system and regular accounts. That is, a user who has the appropriate privileges to perform a given operation on regular accounts is enabled by possession ofSYSTEM_USER to also perform the operation on system accounts. A system account can be modified only by system users with appropriate privileges, not by regular users.

  • A regular user with appropriate privileges can modify regular accounts, but not system accounts. A regular account can be modified by both system and regular users with appropriate privileges.

  This also means that database objects created by users with theSYSTEM_USER privilege cannot be modified or dropped by users without the privilege. This also applies to routines for which the definer has this privilege.

  For more information, seeSection 8.2.11, “Account Categories”.

  The protection against modification by regular accounts that is afforded to system accounts by theSYSTEM_USER privilege does not apply to regular accounts that have privileges on themysql system schema and thus can directly modify the grant tables in that schema. For full protection, do not grantmysql schema privileges to regular accounts. SeeProtecting System Accounts Against Manipulation by Regular Accounts.

  If theaudit_log plugin is in use (seeSection 8.4.6, “MySQL Enterprise Audit”), accounts with theSYSTEM_USER privilege are automatically assigned theAUDIT_ABORT_EXEMPT privilege, which permits their queries to be executed even if an“abort” item configured in the filter would block them. Accounts with theSYSTEM_USER privilege can therefore be used to regain access to a system following an audit misconfiguration.

• SYSTEM_VARIABLES_ADMIN

  Affects the following operations and server behaviors:

  • Enables system variable changes at runtime:

    • Enables server configuration changes to global system variables withSET GLOBAL andSET PERSIST.

    • Enables server configuration changes to global system variables withSET PERSIST_ONLY, if the user also hasPERSIST_RO_VARIABLES_ADMIN.

    • Enables setting restricted session system variables that require a special privilege. In effect,SYSTEM_VARIABLES_ADMIN impliesSESSION_VARIABLES_ADMIN without explicitly grantingSESSION_VARIABLES_ADMIN.

    See alsoSection 7.1.9.1, “System Variable Privileges”.

  • Enables changes to global transaction characteristics (seeSection 15.3.7, “SET TRANSACTION Statement”).

• TABLE_ENCRYPTION_ADMIN

  Enables a user to override default encryption settings whentable_encryption_privilege_check is enabled; seeDefining an Encryption Default for Schemas and General Tablespaces.

• TELEMETRY_LOG_ADMIN

  Enables telemetry log configuration. This privilege is defined by thetelemetry_log plugin, which is deployed through MySQL HeatWave on AWS.

• TP_CONNECTION_ADMIN

  Enables connecting to the server with a privileged connection. When the limit defined bythread_pool_max_transactions_limit has been reached, new connections are not permitted, unless overridden bythread_pool_longrun_trx_limit. A privileged connection ignores the transaction limit and permits connecting to the server to increase the transaction limit, remove the limit, or kill running transactions. This privilege is not granted to any user by default. To establish a privileged connection, the user initiating a connection must have theTP_CONNECTION_ADMIN privilege.

  A privileged connection can execute statements and start transactions when the limit defined bythread_pool_max_transactions_limit has been reached. A privileged connection is placed in theAdmin thread group. SeePrivileged Connections.

• TRANSACTION_GTID_TAG

  Required for setting thegtid_next system variable toAUTOMATIC:TAG orUUID:TAG:NUMBER on a replication source server. In addition, at least one ofSYSTEM_VARIABLES_ADMIN,SESSION_VARIABLES_ADMIN, orREPLICATION_APPLIER is also required to setgtid_next to one of these values on the source.

  TheREPLICATION_CHECKS_APPLIER must also have this privilege as well as theREPLICATION_APPLIER privilege to setgtid_next toAUTOMATIC:TAG. This is checked when starting the replication applier thread.

  This privilege is also required to set thegtid_purged server system variable.

  For more information about using tagged GTIDs, see the description ofgtid_next, as well asSection 19.1.4, “Changing GTID Mode on Online Servers”.

• VERSION_TOKEN_ADMIN

  Enables execution of Version Tokens functions. This privilege is deprecated. It is defined by theversion_tokens plugin (also deprecated); seeVersion Tokens.

• XA_RECOVER_ADMIN

  Enables execution of theXA RECOVER statement; seeSection 15.3.8.1, “XA Transaction SQL Statements”.

  Prior to MySQL 9.4, any user could execute theXA RECOVER statement to discover the XID values for outstanding prepared XA transactions, possibly leading to commit or rollback of an XA transaction by a user other than the one who started it. In MySQL 9.4,XA RECOVER is permitted only to users who have theXA_RECOVER_ADMIN privilege, which is expected to be granted only to administrative users who have need for it. This might be the case, for example, for administrators of an XA application if it has crashed and it is necessary to find outstanding transactions started by the application so they can be rolled back. This privilege requirement prevents users from discovering the XID values for outstanding prepared XA transactions other than their own. It does not affect normal commit or rollback of an XA transaction because the user who started it knows its XID.

• FILE can be abused to read into a database table any files that the MySQL server can read on the server host. This includes all world-readable files and files in the server's data directory. The table can then be accessed usingSELECT to transfer its contents to the client host.

• GRANT OPTION enables users to give their privileges to other users. Two users that have different privileges and with theGRANT OPTION privilege are able to combine privileges.

• ALTER may be used to subvert the privilege system by renaming tables.

• SHUTDOWN can be abused to deny service to other users entirely by terminating the server.

• PROCESS can be used to view the plain text of currently executing statements, including statements that set or change passwords.

• SUPER can be used to terminate other sessions or change how the server operates.

• Privileges granted for themysql system database itself can be used to change passwords and other access privilege information:

  • Passwords are stored encrypted, so a malicious user cannot simply read them to know the plain text password. However, a user with write access to themysql.user system tableauthentication_string column can change an account's password, and then connect to the MySQL server using that account.

  • INSERT orUPDATE granted for themysql system database enable a user to add privileges or modify existing privileges, respectively.

  • DROP for themysql system database enables a user to remote privilege tables, or even the database itself.

• Static privileges are built in to the server. They are always available to be granted to user accounts and cannot be unregistered.

• Dynamic privileges can be registered and unregistered at runtime. This affects their availability: A dynamic privilege that has not been registered cannot be granted.

Server administrators should be aware of which server components define dynamic privileges. For MySQL distributions, documentation of components that define dynamic privileges describes those privileges.

Third-party components may also define dynamic privileges; an administrator should understand those privileges and not install components that might conflict or compromise server operation. For example, one component conflicts with another if both define a privilege with the same name. Component developers can reduce the likelihood of this occurrence by choosing privilege names having a prefix based on the component name.

• The server automatically registers privileges named inglobal_grants during server startup (unless the--skip-grant-tables option is given).

• TheGRANT andREVOKE statements modify the contents ofglobal_grants.

• Dynamic privilege assignments listed inglobal_grants are persistent. They are not removed at server shutdown.

• GRANT ALL at the global level grants all static global privileges and all currently registered dynamic privileges. A dynamic privilege registered subsequent to execution of theGRANT statement is not granted retroactively to any account.

• REVOKE ALL at the global level revokes all granted static global privileges and all granted dynamic privileges.

1. Execute this query to identify accounts that are grantedSUPER:

   SELECT GRANTEE FROM INFORMATION_SCHEMA.USER_PRIVILEGESWHERE PRIVILEGE_TYPE = 'SUPER';

2. For each account identified by the preceding query, determine the operations for which it needsSUPER. Then grant the dynamic privileges corresponding to those operations, and revokeSUPER.

   For example, if'u1'@'localhost' requiresSUPER for binary log purging and system variable modification, these statements make the required changes to the account:

   GRANT BINLOG_ADMIN, SYSTEM_VARIABLES_ADMIN ON *.* TO 'u1'@'localhost';REVOKE SUPER ON *.* FROM 'u1'@'localhost';

   After you have modified all applicable accounts, theINFORMATION_SCHEMA query in the first step should produce an empty result set.