<!doctype html>
<html lang="en-US" data-theme="light">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<meta name="generator" content="VuePress 2.0.0-rc.30" />
<meta name="theme" content="VuePress Theme Hope 2.0.0-rc.107" />
<style>
:root {
--vp-c-bg: #fff;
}
[data-theme="dark"] {
--vp-c-bg: #1b1b1f;
}
html,
body {
background: var(--vp-c-bg);
}
</style>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"Article","headline":"Authority Management","image":[""],"dateModified":"2026-05-06T01:27:28.000Z","author":[]}</script><meta property="og:url" content="https://iotdb.apache.org/UserGuide/latest/User-Manual/Authority-Management-Upgrade_apache.html"><meta property="og:site_name" content="IoTDB Website"><meta property="og:title" content="Authority Management"><meta property="og:description" content="Authority Management IoTDB provides permission management capabilities for users to control access to data and cluster systems, ensuring data and system security. This article i..."><meta property="og:type" content="article"><meta property="og:locale" content="en-US"><meta property="og:locale:alternate" content="zh-CN"><meta property="og:updated_time" content="2026-05-06T01:27:28.000Z"><meta property="article:modified_time" content="2026-05-06T01:27:28.000Z"><link rel="alternate" hreflang="zh-cn" href="https://iotdb.apache.org/zh/UserGuide/latest/User-Manual/Authority-Management-Upgrade_apache.html">
<link rel="icon" href="/favicon.ico"><meta name="Description" content="Apache IoTDB: Time Series Database for IoT"><meta name="Keywords" content="TSDB, time series, time series database, IoTDB, IoT database, IoT data management, 时序数据库, 时间序列管理, IoTDB, 物联网数据库, 实时数据库, 物联网数据管理, 物联网数据"><meta name="baidu-site-verification" content="wfKETzB3OT"><meta name="google-site-verification" content="mZWAoRY0yj_HAr-s47zHCGHzx5Ju-RVm5wDbPnwQYFo">
<title>Authority Management | IoTDB Website</title><meta name="description" content="Authority Management IoTDB provides permission management capabilities for users to control access to data and cluster systems, ensuring data and system security. This article i...">
<link rel="preload" href="/assets/style-3MdU3FUX.css" as="style"><link rel="stylesheet" href="/assets/style-3MdU3FUX.css">
<link rel="modulepreload" href="/assets/app-2tVSyqJL.js"><link rel="modulepreload" href="/assets/Authority-Management-Upgrade_apache-DzFEWStM.js">
</head>
<body>
<div id="app"><!--[--><!--[--><!--[--><!--]--><!--[--><div class="theme-container external-link-icon has-toc" vp-container><!--[--><!----><!--]--><!----><!--[--><main id="main-content" class="vp-page"><!--[--><!----><!----><div class="vp-page-title"><h1><!---->Authority Management</h1><div class="page-info"><!----><!----><span class="page-date-info" aria-label="Writing Date📅" data-balloon-pos="up"><svg xmlns="http://www.w3.org/2000/svg" class="icon calendar-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="calendar icon" name="calendar"><path d="M716.4 110.137c0-18.753-14.72-33.473-33.472-33.473-18.753 0-33.473 14.72-33.473 33.473v33.473h66.993v-33.473zm-334.87 0c0-18.753-14.72-33.473-33.473-33.473s-33.52 14.72-33.52 33.473v33.473h66.993v-33.473zm468.81 33.52H716.4v100.465c0 18.753-14.72 33.473-33.472 33.473a33.145 33.145 0 01-33.473-33.473V143.657H381.53v100.465c0 18.753-14.72 33.473-33.473 33.473a33.145 33.145 0 01-33.473-33.473V143.657H180.6A134.314 134.314 0 0046.66 277.595v535.756A134.314 134.314 0 00180.6 947.289h669.74a134.36 134.36 0 00133.94-133.938V277.595a134.314 134.314 0 00-133.94-133.938zm33.473 267.877H147.126a33.145 33.145 0 01-33.473-33.473c0-18.752 14.72-33.473 33.473-33.473h736.687c18.752 0 33.472 14.72 33.472 33.473a33.145 33.145 0 01-33.472 33.473z"></path></svg><span data-allow-mismatch="text">5/6/26</span><meta property="datePublished" content="2026-05-06T01:27:28.000Z"></span><!----><span class="page-reading-time-info" aria-label="Reading Time⌛" data-balloon-pos="up"><svg xmlns="http://www.w3.org/2000/svg" class="icon timer-icon" viewBox="0 0 1024 1024" fill="currentColor" aria-label="timer icon" name="timer"><path d="M799.387 122.15c4.402-2.978 7.38-7.897 7.38-13.463v-1.165c0-8.933-7.38-16.312-16.312-16.312H256.33c-8.933 0-16.311 7.38-16.311 16.312v1.165c0 5.825 2.977 10.874 7.637 13.592 4.143 194.44 97.22 354.963 220.201 
392.763-122.204 37.542-214.893 196.511-220.2 389.397-4.661 5.049-7.638 11.651-7.638 19.03v5.825h566.49v-5.825c0-7.379-2.849-13.981-7.509-18.9-5.049-193.016-97.867-351.985-220.2-389.527 123.24-37.67 216.446-198.453 220.588-392.892zM531.16 450.445v352.632c117.674 1.553 211.787 40.778 211.787 88.676H304.097c0-48.286 95.149-87.382 213.728-88.676V450.445c-93.077-3.107-167.901-81.297-167.901-177.093 0-8.803 6.99-15.793 15.793-15.793 8.803 0 15.794 6.99 15.794 15.793 0 80.261 63.69 145.635 142.01 145.635s142.011-65.374 142.011-145.635c0-8.803 6.99-15.793 15.794-15.793s15.793 6.99 15.793 15.793c0 95.019-73.789 172.82-165.96 177.093z"></path></svg><span>About 8 min</span><meta property="timeRequired" content="PT8M"></span><!----><!----></div><hr></div><!----><div class="" vp-content><!----><div id="markdown-content"><h1 id="authority-management" tabindex="-1"><a class="header-anchor" href="#authority-management"><span>Authority Management</span></a></h1><p>IoTDB provides permission management capabilities for users to control access to data and cluster systems, ensuring data and system security. This article introduces the core concepts of the permission module in IoTDB, user definitions, permission governance, authentication logic, and practical use cases.</p><h2 id="_1-core-concepts" tabindex="-1"><a class="header-anchor" href="#_1-core-concepts"><span>1. Core Concepts</span></a></h2><h3 id="_1-1-user" tabindex="-1"><a class="header-anchor" href="#_1-1-user"><span>1.1 User</span></a></h3><p>A user refers to a legitimate database operator. Each user corresponds to a unique username and is authenticated via a password. Before accessing the database, users must log in with valid usernames and passwords stored in the system.</p><h3 id="_1-2-privilege" tabindex="-1"><a class="header-anchor" href="#_1-2-privilege"><span>1.2 Privilege</span></a></h3><p>The database supports a wide range of operations, but not all users are authorized to perform every action. 
A user is considered privileged for an operation if they are permitted to execute it. Each privilege is scoped to a specific path, and path patterns (<a class="route-link" href="/UserGuide/latest/Basic-Concept/Operate-Metadata_apache.html">Path Pattern</a>) enable flexible permission management.</p><h3 id="_1-3-role" tabindex="-1"><a class="header-anchor" href="#_1-3-role"><span>1.3 Role</span></a></h3><p>A role is a collection of privileges identified by a unique role name. Roles correspond to actual job identities (e.g., traffic dispatchers), and multiple users may share the same identity and identical permission sets. Roles enable unified batch management of permissions for user groups with identical access requirements.</p><h3 id="_1-4-default-users-and-roles" tabindex="-1"><a class="header-anchor" href="#_1-4-default-users-and-roles"><span>1.4 Default Users and Roles</span></a></h3><p>After initialization, IoTDB contains one default user: <code>root</code> with the default password <code>root</code>. As the built-in administrator account, the root user owns all permissions permanently. Its permissions cannot be granted, revoked, or deleted, and it is the sole administrator account in the database. Because this default password is publicly documented and the account holds every permission, change the root password immediately after initialization, before the instance is reachable by other clients.</p><p>Newly created users and roles have no permissions by default.</p><h2 id="_2-user-specifications" tabindex="-1"><a class="header-anchor" href="#_2-user-specifications"><span>2. User Specifications</span></a></h2><p>Users with the <code>SECURITY</code> privilege are allowed to create users and roles, subject to the following constraints:</p><h3 id="_2-1-username-rules" tabindex="-1"><a class="header-anchor" href="#_2-1-username-rules"><span>2.1 Username Rules</span></a></h3><p>Usernames must be 4 to 32 characters long and may contain uppercase and lowercase letters, digits, and special symbols (<code>!@#$%^&amp;*()_+-=</code>). 
Creating a user whose username is the same as the administrator account's is prohibited.</p><h3 id="_2-2-password-rules" tabindex="-1"><a class="header-anchor" href="#_2-2-password-rules"><span>2.2 Password Rules</span></a></h3><p>Passwords must be 4 to 32 characters long and may contain uppercase and lowercase letters, digits, and special symbols (<code>!@#$%^&amp;*()_+-=</code>). Passwords cannot be identical to the associated username. These rules are only what the system accepts; a password at the 4-character minimum is easy to guess, so choose one well above the minimum length.</p><h3 id="_2-3-role-name-rules" tabindex="-1"><a class="header-anchor" href="#_2-3-role-name-rules"><span>2.3 Role Name Rules</span></a></h3><p>Role names must be 4 to 32 characters long and may contain uppercase and lowercase letters, digits, and special symbols (<code>!@#$%^&amp;*()_+-=</code>). Creating a role whose name is the same as the administrator account's is prohibited.</p><h2 id="_3-permission-governance" tabindex="-1"><a class="header-anchor" href="#_3-permission-governance"><span>3. Permission Governance</span></a></h2><p>Based on its tree data model, IoTDB classifies permissions into two major categories: global privileges and series privileges.</p><h3 id="_3-1-global-privileges" tabindex="-1"><a class="header-anchor" href="#_3-1-global-privileges"><span>3.1 Global Privileges</span></a></h3><p>Global privileges include two types: <code>SYSTEM</code> and <code>SECURITY</code>:</p><ul><li><strong>SYSTEM</strong>: Governs O&amp;M operations and Data Definition Language (DDL) actions.</li><li><strong>SECURITY</strong>: Governs user/role management and privilege granting for other accounts.</li></ul><p>Detailed descriptions of each global privilege are shown in the table below:</p><table style="text-align:left;"><tbody><tr><th>Privilege Name</th><th>Original Privilege Name</th><th>Description</th></tr><tr><td rowspan="8">SYSTEM</td><td>MANAGE_DATABASE</td><td>Allows creation and deletion of databases.</td></tr><tr><td>USE_TRIGGER</td><td>Allows creation, deletion and query of triggers.</td></tr><tr><td>USE_UDF</td><td>Allows creation, 
deletion and query of user-defined functions.</td></tr><tr><td>USE_PIPE</td><td>Allows creation, startup, stop, deletion and query of PIPE tasks; allows creation, deletion and query of PIPEPLUGINS.</td></tr><tr><td>USE_CQ</td><td>Allows registration, startup, stop, uninstallation and query of stream processing tasks; allows registration, uninstallation and query of stream processing plugins.</td></tr><tr><td>EXTEND_TEMPLATE</td><td>Allows automatic template extension.</td></tr><tr><td>MAINTAIN</td><td>Allows query execution and cancellation, system variable viewing, and cluster status inspection.</td></tr><tr><td>USE_MODEL</td><td>Allows creation, deletion and query of deep learning models.</td></tr><tr><td rowspan="2">SECURITY</td><td>MANAGE_USER</td><td>Allows creation, deletion, modification and query of users.</td></tr><tr><td>MANAGE_ROLE</td><td>Allows creation, deletion and query of roles; grants and revokes roles for other users.</td></tr></tbody></table><h4 id="template-related-permission-rules" tabindex="-1"><a class="header-anchor" href="#template-related-permission-rules"><span>Template-Related Permission Rules</span></a></h4><ol><li>Template creation, deletion, modification, query, mounting and unmounting are restricted to the administrator only.</li><li>Template activation requires the <code>WRITE_SCHEMA</code> privilege for the target activation path.</li><li>When auto-creation is enabled, writing data to non-existent paths with mounted templates requires both the <code>EXTEND_TEMPLATE</code> privilege and the <code>WRITE_DATA</code> privilege for target time series.</li><li>Template unmounting requires the <code>WRITE_SCHEMA</code> privilege for the template mounting path.</li><li>Querying paths bound to metadata templates requires the <code>READ_SCHEMA</code> privilege for the target path; empty results will be returned without sufficient permissions.</li></ol><h3 id="_3-2-series-privileges" tabindex="-1"><a class="header-anchor" 
href="#_3-2-series-privileges"><span>3.2 Series Privileges</span></a></h3><p>Series privileges control the scope and mode of user data access, supporting authorization for absolute paths and prefix-matched paths at the time series granularity.</p><p>Definitions of all series privileges are listed below:</p><table><thead><tr><th>Privilege Name</th><th>Description</th></tr></thead><tbody><tr><td>READ_DATA</td><td>Allows reading time series data under authorized paths.</td></tr><tr><td>WRITE_DATA</td><td>Also permits reading time series data under authorized paths, so granting it gives read access as well;<br>Allows insertion and deletion of time series data;<br>Supports data import and loading. Data import requires the <code>WRITE_DATA</code> privilege for target paths; automatic database and time series creation additionally requires <code>SYSTEM</code> and <code>WRITE_SCHEMA</code> privileges.</td></tr><tr><td>READ_SCHEMA</td><td>Allows viewing detailed metadata tree information under authorized paths, including databases, sub-paths, nodes, devices, time series, templates and views.</td></tr><tr><td>WRITE_SCHEMA</td><td>Also permits viewing metadata tree information under authorized paths, so granting it gives read access to that metadata as well;<br>Enables creation, deletion and modification of time series, templates and views;<br>View creation and modification require <code>WRITE_SCHEMA</code> for the view path and <code>READ_SCHEMA</code> for data sources; view read/write operations require <code>READ_DATA</code> and <code>WRITE_DATA</code> for the view path;<br>Supports TTL configuration, cancellation and query;<br>Allows template mounting and unmounting.</td></tr></tbody></table><h3 id="_3-3-privilege-granting-and-revocation" tabindex="-1"><a class="header-anchor" href="#_3-3-privilege-granting-and-revocation"><span>3.3 Privilege Granting and Revocation</span></a></h3><p>Users can obtain permissions through three methods:</p><ol><li>Grants issued by the super administrator (root).</li><li>Grants issued by common users with the <code>grant option</code> for specific 
privileges.</li><li>Role assignment by the super administrator or users with the <code>SECURITY</code> privilege.</li></ol><p>Permissions can be revoked through three methods:</p><ol><li>Revocation operations executed by the super administrator.</li><li>Revocation operations executed by common users with the <code>grant option</code> for specific privileges.</li><li>Role revocation performed by the super administrator or users with the <code>SECURITY</code> privilege.</li></ol><ul><li>A valid path must be specified for all authorization operations. Global privileges require the path <code>root.**</code>, while series privileges require absolute paths or prefix paths ending with double wildcards.</li><li>The <code>WITH GRANT OPTION</code> keyword can be appended when granting privileges to a user or a role, enabling the grantee to regrant or revoke the same privileges within the authorized path scope. For example, if User A is granted read access to <code>Group1.Company1.**</code> with the grant option, User A can authorize or revoke read permissions for all sub-nodes under <code>Group1.Company1</code>. Because the grantee can pass the privilege on to others, add the grant option only where that delegation is intended.</li><li>A revocation statement is matched against all of the user's existing permission paths, and every matching path is cleared. For instance, revoking read access for <code>Group1.Company1.**</code> will clear all granular read permissions for sub-paths such as <code>Group1.Company1.Factory1</code>.</li></ul><h2 id="_4-syntax-and-usage-examples" tabindex="-1"><a class="header-anchor" href="#_4-syntax-and-usage-examples"><span>4. 
Syntax and Usage Examples</span></a></h2><p>IoTDB provides combined privilege aliases to simplify authorization configuration:</p><table><thead><tr><th>Combined Privilege</th><th>Coverage</th></tr></thead><tbody><tr><td>ALL</td><td>All system and series privileges</td></tr><tr><td>READ</td><td>READ_SCHEMA, READ_DATA</td></tr><tr><td>WRITE</td><td>WRITE_SCHEMA, WRITE_DATA</td></tr></tbody></table><p>Combined privileges are simplified aliases and function identically to declaring individual privileges separately.</p><p>The following examples demonstrate common permission management SQL statements. Non-administrator users require corresponding prerequisites for executing these operations, which are marked in each scenario.</p><h3 id="_4-1-user-and-role-management" tabindex="-1"><a class="header-anchor" href="#_4-1-user-and-role-management"><span>4.1 User and Role Management</span></a></h3><ul><li><strong>Create User</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">CREATE</span><span style="color:#ABB2BF;"> USER </span><span style="color:#56B6C2;">&lt;</span><span style="color:#ABB2BF;">userName</span><span style="color:#56B6C2;">&gt;</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#C678DD;">password</span><span style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">CREATE</span><span style="color:#C678DD;"> USER</span><span style="color:#61AFEF;"> user1</span><span style="color:#98C379;"> &#39;passwd&#39;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>Drop User</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">DROP</span><span style="color:#C678DD;"> USER</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">userName</span><span style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">DROP</span><span style="color:#C678DD;"> USER</span><span style="color:#ABB2BF;"> user1</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>Create Role</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">CREATE</span><span style="color:#C678DD;"> ROLE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">roleName</span><span style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">CREATE</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>Drop Role</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">DROP</span><span style="color:#C678DD;"> ROLE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">roleName</span><span style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">DROP</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>Grant Role to User</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> ROLE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">ROLENAME</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> TO</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">USERNAME</span><span style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> ROLE</span><span style="color:#C678DD;"> admin</span><span style="color:#C678DD;"> TO</span><span style="color:#ABB2BF;"> user1</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>Revoke Role from User</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> ROLE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">ROLENAME</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> FROM</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">USER</span><span style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> ROLE</span><span style="color:#C678DD;"> admin</span><span style="color:#C678DD;"> FROM</span><span style="color:#ABB2BF;"> user1</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>List All Users</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST USER</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div></div></div><ul><li><strong>List All Roles</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST </span><span style="color:#C678DD;">ROLE</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div></div></div><ul><li><strong>List Users Assigned to a Specified Role</strong> (Requires <code>SECURITY</code> privilege)</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST USER OF </span><span style="color:#C678DD;">ROLE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">roleName</span><span 
style="color:#56B6C2;">&gt;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#ABB2BF;">LIST USER OF </span><span style="color:#C678DD;">ROLE</span><span style="color:#ABB2BF;"> roleuser</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>List Roles of a Specified User</strong><br> Users can view their own roles; viewing other users&#39; roles requires the <code>SECURITY</code> privilege.</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST </span><span style="color:#C678DD;">ROLE</span><span style="color:#ABB2BF;"> OF USER </span><span style="color:#56B6C2;">&lt;</span><span style="color:#ABB2BF;">username</span><span style="color:#56B6C2;">&gt;</span><span style="color:#ABB2BF;"> </span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#ABB2BF;">LIST </span><span style="color:#C678DD;">ROLE</span><span style="color:#ABB2BF;"> OF USER tempuser</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>List All Privileges of a Specified User</strong><br> Users can view their own privileges; viewing other users&#39; privileges requires the <code>SECURITY</code> privilege.</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST PRIVILEGES OF USER </span><span style="color:#56B6C2;">&lt;</span><span style="color:#ABB2BF;">username</span><span style="color:#56B6C2;">&gt;</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#ABB2BF;">LIST PRIVILEGES OF USER tempuser;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>List All Privileges of a Specified Role</strong><br> Users can view privileges of their assigned roles; viewing other roles&#39; privileges requires the <code>SECURITY</code> privilege.</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST PRIVILEGES OF </span><span style="color:#C678DD;">ROLE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">roleName</span><span style="color:#56B6C2;">&gt;</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#ABB2BF;">LIST PRIVILEGES OF </span><span style="color:#C678DD;">ROLE</span><span style="color:#ABB2BF;"> actor;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><strong>Modify Password</strong><br> Users can update their own passwords; modifying other users&#39; passwords requires the <code>SECURITY</code> privilege.</li></ul><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">ALTER</span><span style="color:#C678DD;"> USER</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">username</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> SET</span><span style="color:#C678DD;"> PASSWORD</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#C678DD;">password</span><span style="color:#56B6C2;">&gt;</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Example</span></span>
<span class="line"><span style="color:#C678DD;">ALTER</span><span style="color:#C678DD;"> USER</span><span style="color:#ABB2BF;"> tempuser </span><span style="color:#C678DD;">SET</span><span style="color:#C678DD;"> PASSWORD</span><span style="color:#98C379;"> &#39;newpwd&#39;</span><span style="color:#ABB2BF;">;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><h3 id="_4-2-privilege-granting-and-revocation" tabindex="-1"><a class="header-anchor" href="#_4-2-privilege-granting-and-revocation"><span>4.2 Privilege Granting and Revocation</span></a></h3><h4 id="grant-syntax" tabindex="-1"><a class="header-anchor" href="#grant-syntax"><span>Grant Syntax</span></a></h4><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">PRIVILEGES</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> ON</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">PATHS</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> TO</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;">/USER </span><span style="color:#56B6C2;">&lt;</span><span style="color:#C678DD;">NAME</span><span style="color:#56B6C2;">&gt;</span><span style="color:#E06C75;"> [WITH GRANT OPTION]</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Examples</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> READ</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> READ_DATA, WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> READ_DATA, WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.**,</span><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t2</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1 </span><span style="color:#C678DD;">WITH</span><span style="color:#C678DD;"> GRANT</span><span style="color:#C678DD;"> OPTION</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> ALL </span><span style="color:#C678DD;">ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1 </span><span style="color:#C678DD;">WITH</span><span style="color:#C678DD;"> GRANT</span><span style="color:#C678DD;"> OPTION</span><span style="color:#ABB2BF;">;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><h4 id="revoke-syntax" tabindex="-1"><a class="header-anchor" href="#revoke-syntax"><span>Revoke Syntax</span></a></h4><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">PRIVILEGES</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> ON</span><span style="color:#56B6C2;"> &lt;</span><span style="color:#ABB2BF;">PATHS</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> FROM</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;">/USER </span><span style="color:#56B6C2;">&lt;</span><span style="color:#C678DD;">NAME</span><span style="color:#56B6C2;">&gt;</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#7F848E;font-style:italic;">-- Examples</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> READ</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> READ_DATA, WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> READ_DATA, WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.**, </span><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t2</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> ALL </span><span style="color:#C678DD;">ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER user1;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li>Non-administrator users must hold the target privileges with the <code>WITH GRANT OPTION</code> attribute for the specified paths to execute grant or revoke operations.</li><li>For global privileges (or statements containing global privileges such as <code>ALL</code>), the path must be strictly set to <code>root.**</code>.</li></ul><p><strong>Valid Authorization Examples</strong></p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1 </span><span style="color:#C678DD;">WITH</span><span style="color:#C678DD;"> GRANT</span><span style="color:#C678DD;"> OPTION</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> ALL </span><span style="color:#C678DD;">ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#C678DD;"> role</span><span style="color:#ABB2BF;"> role1 </span><span style="color:#C678DD;">WITH</span><span style="color:#C678DD;"> GRANT</span><span style="color:#C678DD;"> OPTION</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> ALL </span><span style="color:#C678DD;">ON</span><span style="color:#C678DD;"> root</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> role1;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><p><strong>Invalid Authorization Examples</strong></p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#C678DD;"> READ</span><span style="color:#ABB2BF;">, </span><span style="color:#C678DD;">SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> ALL </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.t2 </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER user1 </span><span style="color:#C678DD;">WITH</span><span style="color:#C678DD;"> GRANT</span><span style="color:#C678DD;"> OPTION</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> ALL </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.t2 </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER user1;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#C678DD;"> READ</span><span style="color:#ABB2BF;">, </span><span style="color:#C678DD;">SECURITY</span><span style="color:#C678DD;"> ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.t2 </span><span style="color:#C678DD;">FROM</span><span style="color:#C678DD;"> ROLE</span><span style="color:#ABB2BF;"> ROLE1;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><ul><li><p>Valid path formats include absolute full paths and paths ending with double wildcards:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#7F848E;font-style:italic;">-- Valid Paths</span></span>
<span class="line"><span style="color:#C678DD;">root</span><span style="color:#ABB2BF;">.**</span></span>
<span class="line"><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.t2.**</span></span>
<span class="line"><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t2</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t3</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#7F848E;font-style:italic;">-- Invalid Paths</span></span>
<span class="line"><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.*</span></span>
<span class="line"><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">.**.t2</span></span>
<span class="line"><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t1</span><span style="color:#ABB2BF;">*.</span><span style="color:#D19A66;">t2</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">t3</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div></li></ul><h2 id="_5-practical-scenario-example" tabindex="-1"><a class="header-anchor" href="#_5-practical-scenario-example"><span>5. Practical Scenario Example</span></a></h2><p>In the <a href="https://github.com/thulab/iotdb/files/4438687/OtherMaterial-Sample.Data.txt" target="_blank" rel="noopener noreferrer">sample data</a>, the IoTDB data belongs to multiple power generation groups such as ln and sgcc. To ensure data isolation, cross-group data access needs to be restricted via permission control.</p><h3 id="_5-1-create-users" tabindex="-1"><a class="header-anchor" href="#_5-1-create-users"><span>5.1 Create Users</span></a></h3><p>Use the <code>CREATE USER</code> statement to create dedicated users. Here the root administrator creates one write user for each of the ln and sgcc groups, both with the same password <code>write_pwd</code> (the shared password only keeps the example short; in a real deployment each account should get its own strong password):</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">CREATE</span><span style="color:#C678DD;"> USER</span><span style="color:#ABB2BF;"> `</span><span style="color:#61AFEF;">ln_write_user</span><span style="color:#ABB2BF;">` </span><span style="color:#98C379;">&#39;write_pwd&#39;</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">CREATE</span><span style="color:#C678DD;"> USER</span><span style="color:#ABB2BF;"> `</span><span style="color:#61AFEF;">sgcc_write_user</span><span style="color:#ABB2BF;">` </span><span style="color:#98C379;">&#39;write_pwd&#39;</span><span style="color:#ABB2BF;">;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div></div></div><p>Execute the user listing statement to verify creation:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">LIST USER;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div></div></div><p>Execution result:</p><div class="language- line-numbers-mode" data-highlighter="shiki" data-ext="" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-"><span class="line"><span>IoTDB&gt; CREATE USER `ln_write_user` &#39;write_pwd&#39;;</span></span>
<span class="line"><span>Msg: The statement is executed successfully.</span></span>
<span class="line"><span>IoTDB&gt; CREATE USER `sgcc_write_user` &#39;write_pwd&#39;;</span></span>
<span class="line"><span>Msg: The statement is executed successfully.</span></span>
<span class="line"><span>IoTDB&gt; LIST USER;</span></span>
<span class="line"><span>+------+---------------+-----------------+-----------------+</span></span>
<span class="line"><span>|UserId| User|MaxSessionPerUser|MinSessionPerUser|</span></span>
<span class="line"><span>+------+---------------+-----------------+-----------------+</span></span>
<span class="line"><span>| 0| root| -1| 1|</span></span>
<span class="line"><span>| 10000| ln_write_user| -1| -1|</span></span>
<span class="line"><span>| 10001|sgcc_write_user| -1| -1|</span></span>
<span class="line"><span>+------+---------------+-----------------+-----------------+</span></span>
<span class="line"><span>Total line number = 3</span></span>
<span class="line"><span>It costs 0.005s</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><h3 id="_5-2-grant-permissions" tabindex="-1"><a class="header-anchor" href="#_5-2-grant-permissions"><span>5.2 Grant Permissions</span></a></h3><p>Newly created users have no permissions by default. Attempting to write data directly will trigger a permission error:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">INSERT INTO</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">ln</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">wf01</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">wt01</span><span style="color:#ABB2BF;">(</span><span style="color:#C678DD;">timestamp</span><span style="color:#ABB2BF;">,</span><span style="color:#C678DD;">status</span><span style="color:#ABB2BF;">) </span><span style="color:#C678DD;">values</span><span style="color:#ABB2BF;">(</span><span style="color:#D19A66;">1509465600000</span><span style="color:#ABB2BF;">,true);</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div></div></div><p>Error message:</p><div class="language- line-numbers-mode" 
data-highlighter="shiki" data-ext="" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-"><span class="line"><span>IoTDB&gt; INSERT INTO root.ln.wf01.wt01(timestamp,status) values(1509465600000,true);</span></span>
<span class="line"><span>Msg: 803: No permissions for this operation, please add privilege WRITE_DATA on [root.ln.wf01.wt01.status]</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div></div></div><p>Grant targeted write permissions to each user via the root account:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">ln</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER </span><span style="color:#98C379;">`ln_write_user`</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">GRANT</span><span style="color:#ABB2BF;"> WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">sgcc1</span><span style="color:#ABB2BF;">.**, </span><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">sgcc2</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">TO</span><span style="color:#ABB2BF;"> USER </span><span style="color:#98C379;">`sgcc_write_user`</span><span style="color:#ABB2BF;">;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div></div></div><p>Execution result:</p><div class="language- line-numbers-mode" data-highlighter="shiki" data-ext="" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-"><span class="line"><span>IoTDB&gt; GRANT WRITE_DATA ON root.ln.** TO USER `ln_write_user`;</span></span>
<span class="line"><span>Msg: The statement is executed successfully.</span></span>
<span class="line"><span>IoTDB&gt; GRANT WRITE_DATA ON root.sgcc1.**, root.sgcc2.** TO USER `sgcc_write_user`;</span></span>
<span class="line"><span>Msg: The statement is executed successfully.</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><p>Retry data writing with <code>ln_write_user</code>:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">IoTDB</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> INSERT INTO</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">ln</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">wf01</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">wt01</span><span style="color:#ABB2BF;">(</span><span style="color:#C678DD;">timestamp</span><span style="color:#ABB2BF;">, </span><span style="color:#C678DD;">status</span><span style="color:#ABB2BF;">) </span><span style="color:#C678DD;">values</span><span style="color:#ABB2BF;">(</span><span style="color:#D19A66;">1509465600000</span><span style="color:#ABB2BF;">, true);</span></span>
<span class="line"><span style="color:#ABB2BF;">Msg: The </span><span style="color:#C678DD;">statement</span><span style="color:#C678DD;"> is</span><span style="color:#ABB2BF;"> executed successfully.</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div></div></div><h3 id="_5-3-revoke-permissions" tabindex="-1"><a class="header-anchor" href="#_5-3-revoke-permissions"><span>5.3 Revoke Permissions</span></a></h3><p>Use the <code>REVOKE</code> statement to reclaim granted permissions:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">ln</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER </span><span style="color:#98C379;">`ln_write_user`</span><span style="color:#ABB2BF;">;</span></span>
<span class="line"><span style="color:#C678DD;">REVOKE</span><span style="color:#ABB2BF;"> WRITE_DATA </span><span style="color:#C678DD;">ON</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">sgcc1</span><span style="color:#ABB2BF;">.**, </span><span style="color:#D19A66;">root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">sgcc2</span><span style="color:#ABB2BF;">.** </span><span style="color:#C678DD;">FROM</span><span style="color:#ABB2BF;"> USER </span><span style="color:#98C379;">`sgcc_write_user`</span><span style="color:#ABB2BF;">;</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div></div></div><p>Execution result:</p><div class="language- line-numbers-mode" data-highlighter="shiki" data-ext="" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-"><span class="line"><span>IoTDB&gt; REVOKE WRITE_DATA ON root.ln.** FROM USER `ln_write_user`</span></span>
<span class="line"><span>Msg: The statement is executed successfully.</span></span>
<span class="line"><span>IoTDB&gt; REVOKE WRITE_DATA ON root.sgcc1.**, root.sgcc2.** FROM USER `sgcc_write_user`</span></span>
<span class="line"><span>Msg: The statement is executed successfully.</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><p>After permission revocation, the user loses write access again:</p><div class="language-sql line-numbers-mode" data-highlighter="shiki" data-ext="sql" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-sql"><span class="line"><span style="color:#ABB2BF;">IoTDB</span><span style="color:#56B6C2;">&gt;</span><span style="color:#C678DD;"> INSERT INTO</span><span style="color:#D19A66;"> root</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">ln</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">wf01</span><span style="color:#ABB2BF;">.</span><span style="color:#D19A66;">wt01</span><span style="color:#ABB2BF;">(</span><span style="color:#C678DD;">timestamp</span><span style="color:#ABB2BF;">, </span><span style="color:#C678DD;">status</span><span style="color:#ABB2BF;">) </span><span style="color:#C678DD;">values</span><span style="color:#ABB2BF;">(</span><span style="color:#D19A66;">1509465600000</span><span style="color:#ABB2BF;">, true)</span></span>
<span class="line"><span style="color:#ABB2BF;">Msg: </span><span style="color:#D19A66;">803</span><span style="color:#ABB2BF;">: </span><span style="color:#C678DD;">No</span><span style="color:#ABB2BF;"> permissions </span><span style="color:#C678DD;">for</span><span style="color:#ABB2BF;"> this operation, please </span><span style="color:#C678DD;">add</span><span style="color:#ABB2BF;"> privilege WRITE_DATA </span><span style="color:#C678DD;">on</span><span style="color:#E06C75;"> [root.ln.wf01.wt01.status]</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div></div></div><h2 id="_6-authentication-supplementary-instructions" tabindex="-1"><a class="header-anchor" href="#_6-authentication-supplementary-instructions"><span>6. Authentication &amp; Supplementary Instructions</span></a></h2><h3 id="_6-1-authentication-mechanism" tabindex="-1"><a class="header-anchor" href="#_6-1-authentication-mechanism"><span>6.1 Authentication Mechanism</span></a></h3><p>Each user&#39;s permission set consists of three core elements: effective path range, privilege type, and the <code>with grant option</code> tag.</p><div class="language-plain line-numbers-mode" data-highlighter="shiki" data-ext="plain" style="background-color:#282c34;color:#abb2bf;"><pre class="shiki one-dark-pro vp-code"><code class="language-plain"><span class="line"><span>userTest1 : </span></span>
<span class="line"><span> root.t1.** - read_schema, read_data - with grant option</span></span>
<span class="line"><span> root.** - write_schema, write_data - with grant option</span></span></code></pre><div class="line-numbers" aria-hidden="true" style="counter-reset:line-number 0;"><div class="line-number"></div><div class="line-number"></div><div class="line-number"></div></div></div><p>All user permissions can be queried via <code>LIST PRIVILEGES OF USER &lt;username&gt;</code>.</p><p>During authentication — here, the permission check applied to an operation rather than login — IoTDB matches the target operation path against the user&#39;s authorized paths in sequence. The check passes if a matching path and corresponding privilege are found; otherwise, the operation is rejected.</p><ul><li>For multi-path query tasks, only data accessible to the current user will be returned.</li><li>For multi-path write tasks, the operation requires valid write permissions for <strong>all</strong> target time series.</li></ul><p><strong>Operations Requiring Combined Permissions</strong></p><ol><li>With auto-creation enabled, inserting data into non-existent time series requires both <code>WRITE_DATA</code> and <code>WRITE_SCHEMA</code> privileges.</li><li>The <code>SELECT INTO</code> statement requires read permissions for source paths and write permissions for target paths. Insufficient source permissions result in partial data; insufficient target permissions terminate the task directly.</li><li>View access control is isolated from source data paths. Read and write operations on views only verify view-specific permissions without checking underlying data source permissions. A privilege granted on a view therefore gives access to whatever source data that view exposes, even for a user with no privilege on the source paths, so review what a view selects before granting access to it.</li></ol><h3 id="_6-2-supplementary-notes" tabindex="-1"><a class="header-anchor" href="#_6-2-supplementary-notes"><span>6.2 Supplementary Notes</span></a></h3><p>A role is an independent permission container, while users possess both individual standalone permissions and inherited role permissions.</p><p>User effective permissions are the <strong>union</strong> of personal permissions and all permissions from assigned roles. 
No permission conflicts exist in IoTDB.</p><ul><li>Revoking a user&#39;s standalone permission cannot restrict the operation if the same permission is inherited from an assigned role. To fully disable an operation, administrators must revoke both user-specific permissions and relevant role permissions, or unbind the role from the user.</li><li>Role permission modifications take effect in real time for all bound users. Adding permissions to a role immediately grants access to all associated users, and removing permissions restricts access unless users hold identical standalone permissions.</li></ul></div><!----><!----><!----></div><!----><!----><!--]--></main><!--]--></div><!--]--><!--]--><!--[--><!----><!--]--><!--]--></div>
<script type="module" src="/assets/app-2tVSyqJL.js" defer></script>
</body>
</html>