v.22.2Improvement

Privileges for Row Policy Management Expanded in ClickHouse

Published: November 25, 2025

Privileges CREATE/ALTER/DROP ROW POLICY now can be granted on a table or on database. as well as globally .*. #34489 (Vitaly Baranov).

Privileges for CREATE, ALTER, and DROP ROW POLICY can now be granted not only globally (.), but also on specific tables or entire databases using database.*.

Why it matters

This feature provides more granular access control by allowing administrators to assign row policy management privileges at different levels of scope. It improves security and flexibility by enabling privilege delegation on particular tables or databases instead of only globally.

How to use it

When granting privileges for row policies, specify the target scope accordingly, for example:

grant CREATE ROW POLICY on database.table to user;
grant ALTER ROW POLICY on database. to user;
grant DROP ROW POLICY on .* to user;

This allows control over who can manage row policies at table, database, or global levels.

Related resources

Pull Request #34489