Tarantool CE/EE Documentation portal logo
Support
Updated at July 17, 2026   02:08 PM

box.schema.user.grant()

box.schema.user.grant(username, permissions, object-type, object-name[,

{options} ]) box.schema.user.grant(username, permissions, 'universe'[, nil, {options} ]) box.schema.user.grant(username, role-name[, nil, nil, {options} ])

Grant privileges to a user or to another role.

Parameters:

  • username (string) — the name of a user to grant privileges to

  • permissions (string) — one or more permissions to grant to the user (for example, read or read,write)

  • object-type (string) — a database object type to grant permissions to (for example, space, role, or function)

  • object-name (string) — the name of a database object to grant permissions to

  • role-name (string) — the name of a role to grant to the user

  • options (table) — grantor, if_not_exists

If 'function','{object-name}' is specified, then a [func]{#func} tuple with that object-name must exist.

Variation: instead of object-type, object-name say universe which means 'all object-types and all objects'. In this case, object name is omitted.

Variation: instead of permissions, object-type, object-name say role-name (see section Roles).

Variation: instead of box.schema.user.grant('{username}','usage,session','universe',nil, {if_not_exists=true}) say box.schema.user.enable('{username}') (see section box.schema.user.enable).

The possible options are:

  • grantor = grantor_name_or_id – string or number, for custom grantor,
  • if_not_exists = true|false (default = false) - boolean; true means there should be no error if the user already has the privilege.

Example:

box.schema.user.grant('testuser', 'read', 'space', 'writers')        box.schema.user.grant('testuser', 'read,write', 'space', 'books')        box.session.su('testuser')        local _, delete_writer_error = pcall(function()            box.space.writers:delete(3)        end)        t.assert_equals(delete_writer_error:unpack().message, "Write access to space 'writers' is denied for user 'testuser'")        box.session.su('admin')        -- Revoke space reading --        box.schema.user.revoke('testuser', 'write', 'space', 'books')        -- End: Revoke space reading --        box.session.su('testuser')        local _, delete_book_error = pcall(function()            box.space.books:delete(10)        end)        t.assert_equals(delete_book_error:unpack().message, "Write access to space 'books' is denied for user 'testuser'")        box.session.su('admin')        -- Revoke session --        box.schema.user.revoke('testuser', 'session', 'universe')        -- End: Revoke session --        local _, change_user_error = pcall(function()            box.session.su('testuser')        end)        t.assert_equals(change_user_error:unpack().message, "Session access to universe '' is denied for user 'testuser'")    end)endg.test_user_dropped = function(cg)    cg.server:exec(function()        box.schema.user.create('testuser')        -- Drop a user --        box.schema.user.drop('testuser')        -- End: Drop a user --        t.assert_equals(box.schema.user.exists('testuser'), false)    end)end

See also: access_control_users.