Skip to main content
TDengine
Who We Are

TDengine™ is a time-series database purpose-built for Industry 4.0 and IIoT.

Our mission is to democratize industrial data systems and make big data accessible, valuable, and affordable for everyone.

TDengine Enterprise
On Premises
TDengine Enterprise
Deploy TDengine on the edge, on a local server, or in a public, private, or hybrid cloud
TDengine Cloud
In the Cloud
TDengine Cloud
Run your industrial data workflows in our fully managed cloud service
What We Do

TDengine is designed to help traditional industries achieve digital transformation and improve operational efficiency.

TDengine centralizes, stores, analyzes, and shares massive amounts of industrial data so you can scale your operations for Industry 4.0.

By Industry
Renewable Energy
Manufacturing
Connected Cars
By Data Source
MQTT
OPC
PI System
Wonderware Historian
…and more
By Application
High-Frequency Data
Predictive Maintenance
Condition Monitoring
Operational Efficiency
Why Developers Choose Us
  • High Performance: outperforms other time-series databases in ingestion, querying, and compression.
  • Cloud Native: enables scalability, elasticity, resiliency, observability, and automation in a distributed architecture.
  • Ease of Use: reduces effort to deploy your time-series database, with simple, standardized interfaces and seamless integration.
TDengine Docs
Docs

Read the official documentation to learn about our products

TDengine Blog
Blog

View the latest articles about industrial data processing

TDengine Downloads
Downloads

Download installation packages, special reports, and more

TDengine Partners
Tutorials

Follow along with step-by-step guides through the data lifecycle

TDengine Events
Webinars

Watch live and on-demand webinars to learn more about TDengine

TDengine OSS
TDengine OSS

Explore our open source time series database project

Star
...
Contact UsCloud
TDengine

Permissions

In TDengine, permission management is divided into user management, database authorization management, and message subscription authorization management. This section focuses on database authorization and subscription authorization.

Database Access Authorization

System administrators can authorize each user in the system for each database according to business needs to prevent business data from being read or modified by inappropriate users. The syntax for authorizing a user for database access is as follows:

GRANT privileges ON priv_level TO user_name

privileges : {
    ALL
  | priv_type [, priv_type] ...
}

priv_type : {
    READ
  | WRITE
}

priv_level : {
    dbname.tbname
  | dbname.*
  | *.*
}

Database access permissions include read and write permissions, which can be granted separately or simultaneously.

Note

  • In the priv_level format, the "." before represents the database name, and the "." after represents the table name, meaning table-level authorization control. If "*" follows the ".", it means all tables in the database specified before the "."
  • "dbname.*" means all tables in the database named "dbname"
  • "." means all tables in all database names

Database Permission Description

The permissions for root users and ordinary users are described in the following table

UserDescriptionPermission Description
SuperuserOnly root is a superuserAll operations outside DB, such as CRUD for user, dnode, udf, qnode, etc. DB permissions, including create, delete, update, such as modifying Option, moving Vgroup, etc. Read, write, Enable/Disable users
Ordinary UserAll other users except root are ordinary usersIn readable DBs, ordinary users can perform read operations: select, describe, show, subscribe In writable DBs, users can perform write operations: create, delete, modify supertables, create, delete, modify subtables, create, delete, modify topics, write data When restricted from system information, the following operations cannot be performed: show dnode, mnode, vgroups, qnode, snode Modify users including own password When showing db, can only see their own db, and cannot see vgroups, replicas, cache, etc. Regardless of whether system information is restricted, can manage udf Can create DB Own created DBs have all permissions Non-self-created DBs, refer to the permissions in the read, write list

Message Subscription Authorization

Any user can create a topic on a database where they have read permissions. The superuser root can create a topic on any database. Subscription permissions for each topic can be independently granted to any user, regardless of whether they have access permissions to the database. Deleting a topic can only be done by the root user or the creator of the topic. A topic can only be subscribed to by a superuser, the creator of the topic, or a user who has been explicitly granted subscribe permissions.

The specific SQL syntax is as follows:

GRANT SUBSCRIBE ON topic_name TO user_name

REVOKE SUBSCRIBE ON topic_name FROM user_name

Tag-Based Authorization (Table-Level Authorization)

Starting from TDengine 3.0.5.0, we support granting permissions to specific subtables within a supertable based on tags. The specific SQL syntax is as follows.

GRANT privileges ON priv_level [WITH tag_condition] TO user_name
 
privileges : {
    ALL
  | priv_type [, priv_type] ...
}
 
priv_type : {
    READ
  | WRITE
}
 
priv_level : {
    dbname.tbname
  | dbname.*
  | *.*
}

REVOKE privileges ON priv_level [WITH tag_condition] FROM user_name

privileges : {
    ALL
  | priv_type [, priv_type] ...
}
 
priv_type : {
    READ
  | WRITE
}
 
priv_level : {
    dbname.tbname
  | dbname.*
  | *.*
}

The semantics of the above SQL are:

  • Users can grant or revoke read and write permissions for specified tables (including supertables and regular tables) through dbname.tbname, but cannot directly grant or revoke permissions for subtables.
  • Users can grant or revoke read and write permissions for all subtables that meet the conditions through dbname.tbname and the WITH clause. When using the WITH clause, the permission level must be for a supertable.

Relationship Between Table-Level Permissions and Database Permissions

The table below lists the actual permissions produced under different combinations of database authorization and table-level authorization.

No Table AuthorizationTable Read AuthorizationTable Read Authorization with Tag ConditionsTable Write AuthorizationTable Write Authorization with Tag Conditions
No Database AuthorizationNo AuthorizationRead permission for this table, no permissions for other tables in the databaseRead permission for subtables of this table that meet tag conditions, no permissions for other tables in the databaseWrite permission for this table, no permissions for other tables in the databaseWrite permission for subtables of this table that meet tag conditions, no permissions for other tables in the database
Database Read AuthorizationRead permission for all tablesRead permission for all tablesRead permission for subtables of this table that meet tag conditions, read permissions for other tables in the databaseWrite permission for this table, read permissions for all tablesWrite permission for subtables of this table that meet tag conditions, read permissions for all tables
Database Write AuthorizationWrite permission for all tablesRead permission for this table, write permissions for all tablesRead permission for subtables of this table that meet tag conditions, write permissions for all tablesWrite permission for all tablesWrite permission for subtables of this table that meet tag conditions, write permissions for other tables in the database

View User Authorization

Use the following command to display the authorizations a user has:

show user privileges

Revoke Authorization

  1. Revoke database access authorization
REVOKE privileges ON priv_level FROM user_name

privileges : {
    ALL
  | priv_type [, priv_type] ...
}

priv_type : {
    READ
  | WRITE
}

priv_level : {
    dbname.tbname
  | dbname.*
  | *.*
}
  1. Revoke data subscription authorization
REVOKE privileges ON priv_level FROM user_name

privileges : {
    ALL
  | priv_type [, priv_type] ...
}

priv_type : {
    SUBSCRIBE
}

priv_level : {
    topic_name
}
TDengine
SOC 2 Certified
ISO 27001 Certified
ISO 27017 Certified

TDengine™ is a time-series database purpose-built for Industry 4.0 and Industrial IoT. It enables real-time ingestion, storage, analysis, and distribution of petabytes of data per day, generated by billions of sensors and data collectors. With TDengine making big data accessible, valuable, and affordable, digital transformation has never been easier.

© 2022–2024 TDengine

Products
TDengine EnterpriseTDengine Cloud
Learn
DocsBlogWebinars
Company
AboutNewsroomSecurityLegalPartnersNewsletterContact Us
Social