Database User Roles and Permissions¶
Plesk provides user roles for MySQL/MariaDB and Microsoft SQL Server database users. The roles act as templates that help to assign permissions to a database user. The following database user roles are supported: Read and Write (used by default), Read Only, and Write Only. Each role has a pre-defined set of privileges that are granted to a database user account with this role. You can edit sets of privileges that correspond to different roles.
Additionally, MySQL/MariaDB supports the Custom role that corresponds to a user-defined set of privileges. SQL Server users cannot modify sets of permissions that come with roles.
You can deny a permission and prohibit Plesk users from granting it.
For details on how to select roles for database users in Websites & Domains > Databases > User Management, see Managing Database User Accounts. Note that database users on administrator’s subscriptions can be given global privileges in addition to the rights on database tables.
MySQL/MariaDB Database User Roles¶
In Plesk with MySQL/MariaDB, users can select roles for database users as well as add or remove individual privileges.
The default sets of MySQL/MariaDB privileges for each role are listed below.
Privilege | Read and Write | Read Only | Write Only |
---|---|---|---|
Select | ➕ | ➕ | ➖ |
Insert | ➕ | ➖ | ➕ |
Update | ➕ | ➖ | ➕ |
Delete | ➕ | ➖ | ➕ |
Create | ➕ | ➖ | ➕ |
Drop | ➕ | ➖ | ➕ |
Alter | ➕ | ➖ | ➕ |
Index | ➕ | ➖ | ➕ |
Create Temporary Tables | ➕ | ➖ | ➕ |
Lock Tables | ➕ | ➖ | ➕ |
Create View | ➕ | ➖ | ➕ |
Show View | ➕ | ➕ | ➖ |
To modify the default sets of privileges, edit the panel.ini file and list the privilege names for each role that you want to modify.
Remember that Plesk customers can still select more privileges than you
specified in panel.ini
unless you prohibit certain privileges (see
further on this page).
For example:
[databaseManagement]
features.roles.mysql.readWrite = Select,Update,Insert
features.roles.mysql.readOnly = Select
features.roles.mysql.writeOnly = Update
Note
Changing the set of privileges for a role (for example, the Read and Write role) does not affect the privileges of existing MySQL/MariaDB database users with this role. The role of such database users will automatically change to Custom.
How to Deny a Privilege for all Users
You might need to deny a certain privilege for all database users, for example, the Delete privilege. To deny a privilege, specify the list of MySQL/MariaDB privileges in the panel.ini file, and omit the privilege that you want to deny.
For example:
[databaseManagement]
features.privileges.mysql.dataAccess = Select, Insert, Update, Delete
features.privileges.mysql.structureAccess = Create, Drop, Alter, Index, Create Temporary Tables, Lock Tables, Create View, Show View
The specified privileges are displayed in the Plesk UI (Websites & Domains > Databases > User Management). Users will be able to grant or revoke only the specified privileges. If a privilege is not in this list, Plesk regards it as denied for a database user.
Note
A privilege becomes denied only after a Plesk user saves any changes in the database user settings (Websites & Domains > Databases > User Management > click a user name > click OK).
Microsoft SQL Server Database User Roles¶
In Plesk with Microsoft SQL Server, users can select roles (Read and Write, Read Only, Write Only), but cannot add or remove individual permissions (SQL Server database-level roles). Permissions are not displayed in the Plesk UI.
The default permissions on Microsoft SQL Server for each role are listed below:
Permission | Read and Write | Read Only | Write Only |
---|---|---|---|
db_backupoperator | ➕ | ➕ | ➕ |
db_datareader | ➕ | ➕ | ➖ |
db_datawriter | ➕ | ➖ | ➕ |
db_ddladmin | ➕ | ➖ | ➕ |
To modify the default set of permissions for any role, edit the panel.ini file and list the permission names.
For example:
[databaseManagement]
features.roles.mssql.readWrite = db_datareader,db_backupoperator,db_ddladmin
features.roles.mssql.readOnly = db_datareader,db_backupoperator
features.roles.mssql.writeOnly = db_datawriter
Note
When you modify the set of permissions for a role, the permissions of
existing database users are changed. All existing and newly created
users with this role will have the permissions that you specified in
panel.ini
.
How to Recover Default Permissions for Microsoft SQL Server Users
Each database user role has its default set of permissions (SQL Server database-level user roles). To reset the permissions of existing database users to the default values (according to their role), run the following command:
%plesk_dir%bin\repair.exe --update-mssql-users-permissions [-database-server <name>] [-database-name <name>]
Note
If you modified the permissions for a role (for example, the Read
and Write role) in panel.ini
, the command
--update-mssql-users-permissions
will use the set of permissions
that you specified, rather than the default set (for example, the
default set for Read and Write is
db_datareader,db_datawriter,db_backupoperator,db_ddladmin
).