Necessity of granting usage on other schemas (#839)

citusdata · Jan 8, 2019 · 0084437 · 0084437
1 parent dc390cb
commit 0084437
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/cloud/security.rst b/cloud/security.rst
@@ -62,6 +62,8 @@ The new :code:`reports` role starts with no privileges, except "usage" on the pu
 
   GRANT SELECT ON mytable TO reports;
 
+If ``mytable`` is in the public schema this will suffice. However if the table is in another schema, there is one more step. See :ref:`grant_usage` below.
+
 You can confirm the privileges by consulting the information schema:
 
 .. code-block:: postgresql
@@ -104,11 +106,20 @@ Citus propagates single-table GRANT statements through the entire cluster, makin
     'GRANT SELECT ON ALL TABLES IN SCHEMA public TO reports;'
   );
 
-.. raw:: html
+.. _grant_usage:
 
-  <script type="text/javascript">
-  analytics.track('Doc', {page: 'overview', section: 'cloud'});
-  </script>
+Granting Access to Other Schemas
+--------------------------------
+
+By default, users cannot access objects in schemas they do not own. Note that by default, everyone has CREATE and USAGE privileges on the ``public`` schema. This allows all users that are able to connect to a given database to create objects in its ``public`` schema.
+
+To allow object access in any other schema, the owner of the schema must grant the USAGE privilege on the schema.
+
+.. code-block:: postgresql
+
+  GRANT USAGE ON SCHEMA other_schema TO reports;
+
+Even if the ``reports`` user has SELECT access on a table like ``other_schema.foo``, the user will not be able to select rows until they also have USAGE access on ``other_schema``.
 
 Encryption at Rest
 ==================