There are two special procedures and functions available within VoltDB that are not called out in the schema. These features include system procedures, which all begin with an at sign (@) and perform special functions such as saving and restoring snapshots. (See Appendix G, System Procedures for more information about system procedures.) The other feature that is not called out in the schema are the default INSERT, SELECT, UPDATE, and DELETE procedures created for each table.
By default, when security is not enabled, any calling application has access to these features. However, when you enable security, you must explicitly assign access to these functions as well.
Since there is no procedure definition in the schema, you assign access to these functions using the WITH clause when declaring the role. The three permissions enabled by the WITH clause are:
SYSPROC — allows access to all system procedures
ADHOC — allows access to the @AdHoc procedure only
DEFAULTPROC — allows access to the default procedures for all tables
In the CREATE ROLE statement you enable access to these features by including the adhoc, defaultproc, and sysproc keywords in the WITH clause. (The default, if security is enabled and the keyword is not specified, is that the role is not allowed access to the corresponding feature.)
Note that the permissions are additive. So if a user is assigned one role that allows access to adhoc but not sysproc, but that user also is assigned another role that allows sysproc, the user has both permissions.
The following example assigns access to all system procedures to members of the admin role, access to the adhoc procedure and default procedures to members of the dbuser role, and no access to system procedures but access to default procedures for all other users.
CREATE ROLE admin WITH sysproc; CREATE ROLE dbuser WITH adhoc, defaultproc; CREATE ROLE apps WITH defaultproc;