This page defines the characteristics, constraints, and intended use of the
three predefined system roles that fine-grained access control provides for
each database. Each system role has a different set of privileges, which can't
be revoked. This information applies to both GoogleSQL-dialect databases and PostgreSQL-dialect databases.
`public` system role
All fine-grained access control users have IAM membership in `public` by default.
All database roles inherit privileges from this role.
Initially, `public` has no privileges, but you can grant it privileges.
If you grant a privilege to `public`, it's available to
all database roles, including database roles created afterward.
`spanner_info_reader` system role
This role has the `SELECT` privilege on `INFORMATION_SCHEMA` views for GoogleSQL-dialect databases and `information_schema` views for PostgreSQL-dialect databases.
You can't grant any other privileges to `spanner_info_reader`.
Grant membership in this role to any database role that needs to have
unfiltered read access to the `INFORMATION_SCHEMA` views (GoogleSQL-dialect databases) or
the `information_schema` views (PostgreSQL-dialect databases).
`spanner_sys_reader` system role
This role has the `SELECT` privilege on `SPANNER_SYS` tables.
You can't grant any other privileges to `spanner_sys_reader`.
Grant membership in this role to any database role that must have read access
to the `SPANNER_SYS` schema.
Restrictions on system roles
You can't delete a system role by using a `DROP ROLE` statement.
System roles can't be members of other database roles. That is, the following
GoogleSQL statement is invalid:
    GRANT ROLE pii_access TO ROLE spanner_info_reader;
You can't grant membership in the `public` role to your database roles. For example, the following GoogleSQL
statement is also invalid:
    GRANT ROLE public TO ROLE pii_access;
However, you can grant membership in the `spanner_info_reader` and `spanner_sys_reader` roles. For example, the following are valid statements.
GoogleSQL

    GRANT ROLE spanner_info_reader TO ROLE pii_access;
    GRANT ROLE spanner_sys_reader TO ROLE pii_access;

PostgreSQL

    GRANT spanner_info_reader TO pii_access;
    GRANT spanner_sys_reader TO pii_access;

What's next
- Learn how to [Configure fine-grained access control](/spanner/docs/configure-fgac).
- Learn [About fine-grained access control](/spanner/docs/fgac-about).

Last updated 2025-09-04 UTC.
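The restrictions on system roles listed above can be checked before a schema change is submitted. The following is an added example, not code from the Spanner documentation: a small review script that classifies GoogleSQL role statements against those rules and flags privilege grants to `public` for review, since they reach every database role. It assumes GoogleSQL syntax only and simple regex parsing; the table name `Singers` is hypothetical.

```python
import re

# System roles named on this page; the last two have a fixed privilege set.
SYSTEM_ROLES = {"public", "spanner_info_reader", "spanner_sys_reader"}
FIXED_PRIVILEGE_ROLES = {"spanner_info_reader", "spanner_sys_reader"}

DROP_RE = re.compile(r"^DROP\s+ROLE\s+(\w+)$", re.I)
MEMBER_RE = re.compile(r"^GRANT\s+ROLE\s+(.+?)\s+TO\s+ROLE\s+(.+)$", re.I)
PRIV_RE = re.compile(r"^GRANT\s+(?!ROLE\b).+?\s+TO\s+ROLE\s+(.+)$", re.I)

def _names(role_list):
    # Split a comma-separated role list into lowercase names.
    return [name.strip().lower() for name in role_list.split(",")]

def check_statement(stmt):
    """Return 'ok', 'review: ...' or 'invalid: ...' for one GoogleSQL statement."""
    s = " ".join(stmt.strip().rstrip(";").split())
    m = DROP_RE.match(s)
    if m and m.group(1).lower() in SYSTEM_ROLES:
        return "invalid: a system role can't be dropped"
    m = MEMBER_RE.match(s)
    if m:
        granted, members = _names(m.group(1)), _names(m.group(2))
        if any(r in SYSTEM_ROLES for r in members):
            return "invalid: a system role can't be a member of another role"
        if "public" in granted:
            return "invalid: membership in public can't be granted"
        return "ok"
    m = PRIV_RE.match(s)
    if m:
        grantees = _names(m.group(1))
        if any(r in FIXED_PRIVILEGE_ROLES for r in grantees):
            return "invalid: no other privileges can be granted to this role"
        if "public" in grantees:
            return "review: privilege becomes available to every database role"
        return "ok"
    return "ok"  # statement is outside the rules this page lists

# Constructed sample migration; the table name Singers is hypothetical.
SAMPLE = [
    "GRANT ROLE spanner_info_reader TO ROLE pii_access;",
    "GRANT ROLE pii_access TO ROLE spanner_info_reader;",
    "GRANT SELECT ON TABLE Singers TO ROLE public;",
    "DROP ROLE spanner_sys_reader;",
]

if __name__ == "__main__":
    for stmt in SAMPLE:
        print(f"{check_statement(stmt):70} {stmt}")
```
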