According to AWS docs, a user with column permission on a table/view should still be able to perform "SELECT *" and retrieve the column that they have access to.
From Usage notes for column-level:
If you don’t have the SELECT privilege on all columns in a table, performing a SELECT * operation returns only those columns that you have access to.
I am getting denied when I try that.
-- test user
create user test password disable;
-- Column permissions
GRANT USAGE ON SCHEMA source,processed,curated TO test;
grant select (PERNR,TRFGR,BEGDA,ENDDA) on processed.PA0008 to test;
-- Test
set session authorization "test";
select current_user;
-- Test on permitted columns only
select begda,endda,pernr,trfgr from processed.pa0008 limit 100; -- Success
-- Test on "*"
select * from processed.pa0008 limit 100; -- ERROR: permission denied for relation pa0008
So explicitly stating columns works, but using "*" fails.
ERROR: permission denied for relation
Does anyone know why?
2
Answers
From AWS support.. When you specify column-level privileges for a user on a view, you HAVE to enumerate each permitted column's name. This is not the same case for a table, however, for a view this is regular behavior and we cannot use 'SELECT *' to return only the permitted columns. .... but a result set from a view results in a view, as explained in the document: "You can't create a regular view with only accessible columns using SELECT *" [1]
I can’t recreate the error, so I’m going to assume this is caused by your default privs on the objects being created. It is possible that when you make the test table, the default privs for the user that created the object is restricting permissions behind the scenes.
https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_DEFAULT_PRIVILEGES.html
Try a couple of these: