For information about naming conventions for change stream read functions and
formatting for the information that they return, see the following topics:
The rows in these views are filtered based on the current database role
privileges on change streams. This ensures that principals can view only the
roles, privileges, and change streams that they have access to.
Row filtering also applies to following change streams-related views:
Change streams use a metadata database to maintain internal state. The
metadata database can be the same as or different from the application
database. We recommend that you use a different database. However, for
fine-grained access control users, the metadata database can't be the same as the
application database. This is because the IAM principal that
runs the Dataflow job needs read or write access at the database
level for the metadata database. This would override the fine-grained access control
privileges that were configured for the application database.
Because a change stream contains a separate copy of the data from the
tracked tables and columns, be careful when granting users access to the
change stream. The readers of the change stream can view data changes from
the tracked tables and columns, even when they don't have SELECT
privileges on the tables and columns. Although it's more flexible
to set up separate controls on change streams and their tracked tables and
columns, there's a potential risk, so ensure that you structure database
roles and privileges accordingly. For example, when revoking the SELECT
privilege on a table from a role, consider whether to also revoke SELECT
on the change stream and revoke EXECUTE on the associated read
function.
If you grant SELECT on a change stream that tracks all tables, the grantee
can see data changes for any tables added in the future.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# Fine-grained access control for change streams\n\nThis page explains how [fine-grained access control](/spanner/docs/fgac-about) works with\nSpanner change streams for GoogleSQL-dialect databases and PostgreSQL-dialect databases.\n\nFor fine-grained access control users, you allow read access to change streams data by using\nthe following grants. Both grants are required.\n\n- Grant `SELECT` on the change stream.\n\n ### GoogleSQL\n\n ```googlesql\n GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE ROLE_NAME;\n ```\n\n ### PostgreSQL\n\n ```postgresql\n GRANT SELECT ON CHANGE STREAM CHANGE_STREAM_NAME TO ROLE_NAME;\n ```\n- Grant `EXECUTE` on the read function that is automatically\n created for the change stream. You use the read function to read\n change stream records.\n\n ### GoogleSQL\n\n ```googlesql\n GRANT EXECUTE ON TABLE FUNCTION READ_FUNCTION_NAME TO ROLE ROLE_NAME;\n ```\n\n ### PostgreSQL\n\n ```postgresql\n GRANT EXECUTE ON FUNCTION READ_FUNCTION_NAME TO ROLE_NAME;\n ```\n\n For information about naming conventions for change stream read functions and\n formatting for the information that they return, see the following topics:\n - [Change stream read functions and query syntax](/spanner/docs/change-streams/details#change_stream_query_syntax)\n - [Change streams record format](/spanner/docs/change-streams/details#change_streams_record_format)\n\n`INFORMATION_SCHEMA` views for change streams\n---------------------------------------------\n\nThe following views show database roles and privileges information for change\nstreams:\n\n- GoogleSQL-dialect databases: [`INFORMATION_SCHEMA.CHANGE_STREAM_PRIVILEGES`](/spanner/docs/information-schema#change-stream-privileges)\n- PostgreSQL-dialect databases: [`information_schema.change_stream_privileges`](/spanner/docs/information-schema-pg#change-stream-privileges)\n\nThe rows in these views are filtered based on the current database role\nprivileges on change streams. This ensures that principals can view only the\nroles, privileges, and change streams that they have access to.\n\nRow filtering also applies to following change streams-related views: \n\n### GoogleSQL\n\n- [`INFORMATION_SCHEMA.CHANGE_STREAMS`](/spanner/docs/information-schema#change-streams)\n- [`INFORMATION_SCHEMA.CHANGE_STREAM_TABLES`](/spanner/docs/information-schema#change-stream-tables)\n- [`INFORMATION_SCHEMA.CHANGE_STREAM_COLUMNS`](/spanner/docs/information-schema#change-stream-columns)\n- [`INFORMATION_SCHEMA.CHANGE_STREAM_OPTIONS`](/spanner/docs/information-schema#change-stream-options)\n\nThe system role `spanner_info_reader` and its members always see an unfiltered\n`INFORMATION_SCHEMA`.\n\n### PostgreSQL\n\n- [`information_schema.change_streams`](/spanner/docs/information-schema-pg#change-streams)\n- [`information_schema.change_stream_tables`](/spanner/docs/information-schema-pg#change-stream-tables)\n- [`information_schema.change_stream_columns`](/spanner/docs/information-schema-pg#change-stream-columns)\n- [`information_schema.change_stream_options`](/spanner/docs/information-schema-pg#change-stream-options)\n\nThe system role `spanner_info_reader` and its members see an unfiltered\n`information_schema`.\n\nRow filtering also applies to the following metadata views for change stream\nread functions: \n\n### GoogleSQL\n\n- [`INFORMATION_SCHEMA.ROUTINES`](/spanner/docs/information-schema#routines)\n- [`INFORMATION_SCHEMA.ROUTINE_OPTIONS`](/spanner/docs/information-schema#routine_options)\n- [`INFORMATION_SCHEMA.ROUTINE_PRIVILEGES`](/spanner/docs/information-schema#routine_privileges)\n- [`INFORMATION_SCHEMA.PARAMETERS`](/spanner/docs/information-schema#parameters)\n\n### PostgreSQL\n\n- [`information_schema.routines`](/spanner/docs/information-schema-pg#routines)\n- [`information_schema.routine_options`](/spanner/docs/information-schema-pg#routine_options)\n- [`information_schema.routine_privileges`](/spanner/docs/information-schema-pg#routine_privileges)\n- [`information_schema.parameters`](/spanner/docs/information-schema-pg#parameters)\n\nCaveats\n-------\n\n- Change streams use a metadata database to maintain internal state. The\n metadata database can be the same as or different from the application\n database. We recommend that you use a different database. However, for\n fine-grained access control users, the metadata database can't be the same as the\n application database. This is because the IAM principal that\n runs the Dataflow job needs read or write access at the database\n level for the metadata database. This would override the fine-grained access control\n privileges that were configured for the application database.\n\n For more information, see [Consider a separate metadata\n database](/spanner/docs/change-streams/manage#why-metadata).\n- Because a change stream contains a separate copy of the data from the\n tracked tables and columns, be careful when granting users access to the\n change stream. The readers of the change stream can view data changes from\n the tracked tables and columns, even when they don't have `SELECT`\n privileges on the tables and columns. Although it's more flexible\n to set up separate controls on change streams and their tracked tables and\n columns, there's a potential risk, so ensure that you structure database\n roles and privileges accordingly. For example, when revoking the `SELECT`\n privilege on a table from a role, consider whether to also revoke `SELECT`\n on the change stream and revoke `EXECUTE` on the associated read\n function.\n\n- If you grant `SELECT` on a change stream that tracks all tables, the grantee\n can see data changes for any tables added in the future.\n\nWhat's next\n-----------\n\n- [Change streams overview](/spanner/docs/change-streams)\n- [Create and manage change streams](/spanner/docs/change-streams/manage)\n- [Fine-grained access control overview](/spanner/docs/fgac-about)"]]
