Requesting Access
How to request access to PostgreSQL roles through the P0 bot.
Last updated
How to request access to PostgreSQL roles through the P0 bot.
Last updated
Open up the p0 request modal by typing the command /p0 request in any Slack channel and select PostgreSQL as the resource:
You'll see an "Access type" field with the option "Role".
"Role": Select this option if you would like to request access to an existing PostgreSQL role. See Role Requests for details.
This will grant you the role for a certain amount of time and automatically remove the binding when the access expires.
PostgreSQL instance: The SQL instance you would like access to.
Role Name: The PostgreSQL role name is defined to control access and permissions within the database. The "Role Name" is typically associated with specific users or groups and determines their privileges and restrictions within the PostgreSQL instance. Please provide the appropriate "Role Name" associated with your access request; see PostgreSQL Roles for more details.
Reason: Optionally, provide a reason to be communicated to the approver(s).
Then click the button to submit the request, and see Next Steps.
Once you submit the request, you will get a Slack message from the p0 bot confirming your request creation. The p0 bot will also send a message to the approvers in the Slack channel designated by your org admin.
If your request is approved, you will receive a message from the p0 bot saying that your access has been granted and letting you know when it will expire. You can go ahead and use the permission.
If you are on-call (on a PagerDuty schedule), and your org admin has enabled PagerDuty routing, your access may be automatically approved for 1 hour.
After your request is approved, you'll see a "relinquish" button on the Slack message from the p0 bot. You can optionally use this button to let go of your access early if you finish what you want to do before the expiration date. This will revoke the access, and you must make another request if you need it again.
If you wait for the access to expire, you will get a message that it has expired once it does.
If your request is denied, you'll receive a message.
Roles in PostgreSQL are a fundamental component of database access control and permission management. They are used to define and group users, allowing you to control who can access the database and what actions they can perform.
When granting access to a PostgreSQL database, consider the specific role(s) that need access and the required permissions. Roles can be granted various privileges, including SELECT, INSERT, UPDATE, DELETE, CREATE, and more. Careful management of roles and permissions is crucial for maintaining the security and integrity of your database.
Note that, for security reasons, P0 cannot manage roles that have the superuser status (also called the superuser attribute); this means that it is not possible to request access to a superuser role using P0, and such roles will not be listed as available roles in P0. Notably, for GCP CloudSQL-based Postgres instances, by default cloudsqladmin is a superuser role, but cloudsqlsuperuser is not (though it does grant plenty of permissions otherwise).
You are encouraged to create your custom least-privileged roles to use with p0.
PostgreSQL provides a set of predefined roles that provide access to certain, commonly needed, privileged capabilities and information. Refer to for predefined roles.
Reference:
