How to Configure RBAC in ParadeDB in PostgreSQL

Galaxy Glossary

How do I set up RBAC in ParadeDB on PostgreSQL?

RBAC in ParadeDB secures vector indexes and search functions with PostgreSQL role-based permissions.

Sign up for the latest in SQL knowledge from the Galaxy Team!
Welcome to the Galaxy, Guardian!
Oops! Something went wrong while submitting the form.

Description

Table of Contents

Why set up RBAC for ParadeDB?

RBAC prevents unauthorized users from creating, querying, or deleting ParadeDB indexes.It leverages native PostgreSQL roles, so you keep one security model.

Which privileges must be granted?

Users need: ① USAGE on the schema holding vector indexes, ② EXECUTE on ParadeDB search functions, ③ INSERT/UPDATE on tables that store embeddings, and ④ SELECT on any materialized view used for search.

How to create least-privilege roles?

Create a dedicated role (e.g., product_searcher) and grant only the minimum rights required for read-only vector search.Then assign that role to analysts.

How to revoke default PUBLIC access?

PostgreSQL grants EXECUTE on new functions to PUBLIC by default. REVOKE that right first, then grant explicit roles so ParadeDB functions stay private.

How to audit ParadeDB access?

Turn on log_statement=‘ddl’ or pgAudit to record who runs ParadeDB DDL, ensuring you catch unauthorized index drops or re-ingests.

Best practice: use schemas

Place all ParadeDB objects in a paradedb schema. Grant USAGE only to trusted roles.This isolates vector operations from core OLTP data.

Best practice: one service role per app

Give each microservice its own login role and bind it to a limited ParadeDB role. Compromise in one service won’t expose all vector data.

.

Why How to Configure RBAC in ParadeDB in PostgreSQL is important

How to Configure RBAC in ParadeDB in PostgreSQL Example Usage


-- Allow analysts to vector-search product names without write access
SET ROLE analyst_role;

SELECT id, name, price
FROM   Products
WHERE  paradedb.search(name, 'wireless headphones', 3) < 0.3
ORDER  BY price;

How to Configure RBAC in ParadeDB in PostgreSQL Syntax


-- 1. Create role for read-only ParadeDB search
CREATE ROLE product_searcher NOLOGIN;

-- 2. Revoke default PUBLIC rights on ParadeDB functions
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA paradedb FROM PUBLIC;

-- 3. Grant minimal privileges
GRANT USAGE               ON SCHEMA paradedb                TO product_searcher;
GRANT EXECUTE             ON FUNCTION paradedb.search       TO product_searcher;
GRANT SELECT              ON TABLE   Products               TO product_searcher;
GRANT SELECT              ON TABLE   Orders                 TO product_searcher;

-- 4. Bind human users or apps
GRANT product_searcher TO analyst_role;

Common Mistakes

Frequently Asked Questions (FAQs)

Can I use row-level security with ParadeDB?

Yes. Create RLS policies on the underlying tables. ParadeDB respects them because it calls standard SELECT queries under the hood.

Do I need superuser to create ParadeDB roles?

No. A role with CREATEROLE can manage RBAC. Superuser is only needed when first installing the ParadeDB extension.

Will future ParadeDB functions inherit my grants?

No. Use ALTER DEFAULT PRIVILEGES to automatically grant EXECUTE on any new functions inside the paradedb schema.

Want to learn about other SQL terms?

Trusted by top engineers on high-velocity teams
Aryeo Logo
Assort Health
Curri
Rubie Logo
Bauhealth Logo
Truvideo Logo
Welcome to the Galaxy, Guardian!
Oops! Something went wrong while submitting the form.