
Manage data security in your service

Restrict data access with read-only PostgreSQL roles

When you create a service, Tiger Cloud assigns you the tsdbadmin role. This role has full permissions to modify data in your service. However, Tiger Cloud does not provide superuser access: tsdbadmin is not a superuser.

As tsdbadmin, you can use standard PostgreSQL means to create other roles or assign individual permissions. This page shows you how to create a read-only role for your database. Adding a read-only role does not provide resource isolation. To restrict the access of a read-only user and also isolate resources, create a read replica instead.

Create a read-only user

You can create a read-only user to provide limited access to your database.

  1. Connect to your service as the tsdbadmin user
  2. Create the new role
    CREATE ROLE readaccess;
  3. Grant usage on the schema to allow access to objects within it
    GRANT USAGE ON SCHEMA <SCHEMA_NAME> TO readaccess;
  4. Grant the appropriate permissions for the role, as required

    For example, to grant SELECT permissions to a specific table, use:

    GRANT SELECT ON <TABLE_NAME> TO readaccess;

    To grant SELECT permissions to all tables in a specific schema, use:

    GRANT SELECT ON ALL TABLES IN SCHEMA <SCHEMA_NAME> TO readaccess;
  5. Create a new user
    CREATE USER read_user WITH PASSWORD 'read_password';
  6. Assign the role to the new user
    GRANT readaccess TO read_user;
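The procedure above as one script, followed by a check of what read_user can actually do. This is an added example, not part of the original page: the schema app, the tables conditions and alerts, and the password are constructed, and it assumes the connected role may create schemas. It also goes one step beyond the page by setting default privileges, because GRANT ... ON ALL TABLES applies only to tables that already exist.

```sql
-- Added example. Schema "app", tables "conditions"/"alerts" and the password
-- are constructed sample values. Run as tsdbadmin.
-- The transaction is rolled back at the end, so this is a dry run.
BEGIN;

CREATE SCHEMA app;
CREATE TABLE app.conditions (
    time        timestamptz NOT NULL,
    device_id   text,
    temperature double precision
);

-- Steps 2 to 4 from the page
CREATE ROLE readaccess;
GRANT USAGE ON SCHEMA app TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO readaccess;

-- The grant above covers existing tables only. Default privileges extend
-- SELECT to tables that the role running this statement creates in the
-- schema later (use FOR ROLE to cover tables created by another role).
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO readaccess;

-- Steps 5 and 6 from the page
CREATE USER read_user WITH PASSWORD 'CHANGE_ME';  -- constructed placeholder
GRANT readaccess TO read_user;

-- A table created after the grants, to exercise the default privileges
CREATE TABLE app.alerts (time timestamptz NOT NULL, message text);

-- Effective privileges of read_user on every table in the schema,
-- including those inherited through membership in readaccess
SELECT c.relname AS table_name,
       has_table_privilege('read_user', c.oid, 'SELECT') AS can_select,
       has_table_privilege('read_user', c.oid, 'INSERT') AS can_insert,
       has_table_privilege('read_user', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('read_user', c.oid, 'DELETE') AS can_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'app'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
ORDER BY c.relname;

-- The read-only user should not be able to create objects in the schema
SELECT has_schema_privilege('read_user', 'app', 'CREATE') AS can_create;

ROLLBACK;
```

When reviewing the output, any table where a write column is true, or where can_select is false, means the grants do not match the read-only intent.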