public inbox for [email protected]  
From: Adrian Klaver <[email protected]>
To: Marcelo Fernandes <[email protected]>
Cc: Dominique Devienne <[email protected]>
Cc: [email protected]
Subject: Re: Why does TRUNCATE require a special privilege?
Date: Fri, 16 Jan 2026 14:11:55 -0800
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAM2F1VMb3VyRXGMGC51mo+PLaB=vRZQD=7YGyOo-z=XXpX8MHg@mail.gmail.com>
References: <CAM2F1VNkovvL_56K_6OJiYU8toUdEG1Jk7ABRQ426Geh8LMB+g@mail.gmail.com>
	<CAFCRh-9HTzAU7ia--Uad2-KnZv=zXeFaG0iT2ut0KXGEZhsHuw@mail.gmail.com>
	<[email protected]>
	<CAM2F1VMb3VyRXGMGC51mo+PLaB=vRZQD=7YGyOo-z=XXpX8MHg@mail.gmail.com>

On 1/16/26 13:15, Marcelo Fernandes wrote:
> Those operations do different things, sure.
> 
> But from a roles/privilege framework perspective, why would you want to give
> certain users the DELETE privilege whereas others you want to give them
> only the TRUNCATE privilege?
> 
> Are we saying to a user that "You need a different level of privilege because
> you are about to cause a MVCC-unsafe operation?".

The thing I see as difference worthy of separation is:

"CASCADE

     Automatically truncate all tables that have foreign-key references 
to any of the named tables, or to any tables added to the group due to 
CASCADE.
"

Now the same end result can be done with:

delete from some_table:

where the FK's pointing at some_table have ON CASCADE DELETE. The 
difference being a DBA has the option of creating the FKs with ON 
CASCADE NO ACTION which would throw an error. In other words you can 
prevent an unconstrained DELETE on some_table from removing all the 
child records. With TRUNCATE ... CASCADE, you cannot, the potential for 
harm is greater.

> 
> Or is the privilege framework simply ruling "Do different things, have
> different permissions"?
> 
> Marcelo.
> 

-- 
Adrian Klaver
[email protected]
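
The contrast drawn in the message above, as an added PostgreSQL example that is not part of the original email. The tables parent and child and the role app_writer are hypothetical, and the script assumes a superuser session in a scratch database, run statement by statement in psql so the two rejected statements do not stop the rest.

```sql
-- Constructed demo schema; all names are hypothetical.
CREATE TABLE parent (id int PRIMARY KEY);
CREATE TABLE child (
    id        int PRIMARY KEY,
    parent_id int NOT NULL
        REFERENCES parent (id) ON DELETE NO ACTION  -- also the default action
);
INSERT INTO parent VALUES (1), (2);
INSERT INTO child  VALUES (10, 1), (11, 2);

-- Application role that may change rows but holds no TRUNCATE privilege.
CREATE ROLE app_writer NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON parent, child TO app_writer;

SET ROLE app_writer;

-- Step 1: an unconstrained DELETE is rejected, because child rows still
-- reference parent and the FK action is NO ACTION. Child data is protected
-- by the schema itself.
DELETE FROM parent;

-- Step 2: TRUNCATE is rejected for a different reason: app_writer was never
-- granted the TRUNCATE privilege. The FK action plays no part here.
TRUNCATE parent CASCADE;

RESET ROLE;

-- Step 3: a role that does hold TRUNCATE (here the table owner) empties
-- parent and every table referencing it, regardless of the FK's ON DELETE
-- action. This is the case the separate privilege guards against.
TRUNCATE parent CASCADE;
SELECT (SELECT count(*) FROM parent) AS parent_rows,
       (SELECT count(*) FROM child)  AS child_rows;

-- Audit: list roles that currently hold TRUNCATE on these tables.
SELECT grantee, table_name
FROM information_schema.role_table_grants
WHERE privilege_type = 'TRUNCATE'
  AND table_name IN ('parent', 'child');

-- Cleanup of the demo objects.
DROP TABLE child, parent;
DROP ROLE app_writer;
```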





