This page defines the characteristics, constraints, and intended use of the
three predefined system roles that fine-grained access control provides for
each database. Each system role has a different set of privileges, which can't
be revoked. This information applies to both GoogleSQL-dialect databases and PostgreSQL-dialect databases.
public system role
All fine-grained access control users have IAM membership in public
by default.
All database roles inherit privileges from this role.
Initially, public has no privileges, but you can grant it privileges.
If you grant a privilege to public, it's available to
all database roles, including database roles created afterward.
spanner_info_reader system role
This role has the SELECT privilege on
INFORMATION_SCHEMA views for GoogleSQL-dialect databases and
information_schema views for PostgreSQL-dialect databases.
You can't grant any other privileges to spanner_info_reader.
Grant membership in this role to any database role that needs to have
unfiltered read access to the INFORMATION_SCHEMA views (GoogleSQL-dialect databases) or
the information_schema views (PostgreSQL-dialect databases).
spanner_sys_reader system role
This role has the SELECT privilege on SPANNER_SYS tables.
You can't grant any other privileges to spanner_sys_reader.
Grant membership in this role to any database role that must have read access
to the SPANNER_SYS schema.
Restrictions on system roles
You can't delete a system role by using a DROP ROLE statement.
System roles can't be members of other database roles. That is, the following
GoogleSQL statement is invalid:
GRANT ROLE pii_access TO ROLE spanner_info_reader;
You can't grant membership in the public
role to your database roles. For example, the following GoogleSQL
statement is also invalid:
GRANT ROLE public TO ROLE pii_access;
However, you can grant membership in the spanner_info_reader and
spanner_sys_reader roles. For example, the following are valid statements.
GoogleSQL
GRANT ROLE spanner_info_reader TO ROLE pii_access;
GRANT ROLE spanner_sys_reader TO ROLE pii_access;
PostgreSQL
GRANT spanner_info_reader TO pii_access;
GRANT spanner_sys_reader TO pii_access;
Last updated 2025-08-28 UTC.
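The restrictions above can be checked before a schema change is submitted. The following is an added example, not code from the original page or from Spanner: a small Python linter that flags GRANT and DROP ROLE statements the page describes as invalid, and warns on privilege grants to public because they reach every database role. The function names, the regex-based parsing (which handles only simple single-statement forms like those shown on this page), and the table name orders are assumptions.

```python
import re

SYSTEM_ROLES = {"public", "spanner_info_reader", "spanner_sys_reader"}
FIXED_ROLES = {"spanner_info_reader", "spanner_sys_reader"}  # privileges are fixed
DROP_RE = re.compile(r"^DROP\s+ROLE\s+(?P<role>\S+)$", re.I)
GRANT_RE = re.compile(r"^GRANT\s+(?P<what>.+?)\s+TO\s+(?P<to>.+)$", re.I | re.S)

# Constructed sample DDL; the table name "orders" is hypothetical.
SAMPLE_DDL = """
GRANT ROLE spanner_info_reader TO ROLE pii_access;
GRANT ROLE public TO ROLE pii_access;
GRANT SELECT ON TABLE orders TO ROLE public;
DROP ROLE spanner_sys_reader;
"""

def _roles(text):
    """Split a role list, dropping GoogleSQL's ROLE keyword and any quoting."""
    text = re.sub(r"^ROLE\s+", "", text.strip(), flags=re.I)
    return [name.strip().strip('`"').lower() for name in text.split(",")]

def lint_statement(stmt):
    """Return (severity, message) findings for one GRANT or DROP ROLE statement."""
    stmt = stmt.strip().rstrip(";").strip()
    out = []
    if m := DROP_RE.match(stmt):
        out += [("error", f"system role {r} can't be dropped")
                for r in _roles(m["role"]) if r in SYSTEM_ROLES]
    elif m := GRANT_RE.match(stmt):
        grantees = _roles(m["to"])
        if re.search(r"\sON\s", m["what"], re.I):   # privilege grant
            for r in grantees:
                if r in FIXED_ROLES:
                    out.append(("error", f"{r} can't be granted other privileges"))
                elif r == "public":
                    out.append(("warning", "privilege on public reaches every "
                                "database role, including ones created later"))
        else:                                        # role-membership grant
            if "public" in _roles(m["what"]):
                out.append(("error", "membership in public can't be granted"))
            out += [("error", f"system role {r} can't be a member of another role")
                    for r in grantees if r in SYSTEM_ROLES]
    return out

def lint_script(ddl):
    """Lint each ';'-separated statement; return (statement, findings) pairs that have findings."""
    pairs = [(s.strip(), lint_statement(s)) for s in ddl.split(";") if s.strip()]
    return [(s, f) for s, f in pairs if f]

if __name__ == "__main__":
    for stmt, findings in lint_script(SAMPLE_DDL):
        print(stmt, "->", findings)
```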