Author image David E. Wheeler


Pg::Priv - PostgreSQL ACL parser and iterator


  use DBI;
  use Pg::Priv;

  my $dbh = DBI->connect('dbi:Pg:dbname=template1', 'postgres', '');
  my $sth = $dbh->prepare(
      q{SELECT relname, relacl FROM pg_class WHERE relkind = 'r'}

  while (my $row = $sth->fetchrow_hashref) {
      print "Table $row->{relname}:\n";
      for my $priv ( Pg::Priv->parse_acl( $row->{relacl} ) ) {
          print '    ', $priv->by, ' granted to ', $priv->to, ': ',
              join( ', ', $priv->labels ), $/;


This module parses PostgreSQL ACL arrays and represents the underlying privileges as objects. Use accessors on the objects to see what privileges are granted by whom and to whom.

PostgreSQL ACLs are arrays of strings. Each string represents a single set of privileges granted by one role to another role. ACLs look something like this:

  my $acl = [

The format of the privileges are interpreted thus (borrowed from the PostgreSQL Documentation):

       rolename=xxxx -- privileges granted to a role
               =xxxx -- privileges granted to PUBLIC

                   r -- SELECT ("read")
                   w -- UPDATE ("write")
                   a -- INSERT ("append")
                   d -- DELETE
                   D -- TRUNCATE
                   x -- REFERENCES
                   t -- TRIGGER
                   X -- EXECUTE
                   U -- USAGE
                   C -- CREATE
                   c -- CONNECT
                   T -- TEMPORARY
             arwdDxt -- ALL PRIVILEGES (for tables, varies for other objects)
                   * -- grant option for preceding privilege

               /yyyy -- role that granted this privilege

Pg::Priv uses these rules (plus a few other gotchas here and there) to parse these privileges into objects. The above three privileges in the ACL array would thus be returned by parse_acl() as three Pg::Priv objects that you could then interrogate.


Class Methods


  for my $priv ( Pg::Priv->parse_acl($acl) ) {
      print '    ', $priv->by, ' granted to ', $priv->to, ': ',
          join( ', ', $priv->labels ), $/;

Takes a PostgreSQL ACL array, parses it, and returns a list or array reference of Pg::Priv objects. Pass an optional second argument to specify that role names should be quoted as identifiers (like the PostgreSQL quote_ident() function does).



  my $priv = Pg::Priv->new(
      to    => $to,
      by    => $by,
      privs => $priv,

Constructs and returns a Pg::Priv object for the given grantor, grantee, and privileges. The privs parameter is a string representing the privileges, such as arwdxt. If you're fetching ACLs from PostgreSQL, you're more likely to want parse_acl(), which will figure this stuff out for you.

Instance Methods


Returns the name of the role to which the privileges were granted (the grantee).


Returns the name of the role that granted the privileges (the grantor).


A string representing the privileges granted, such as arwdxt.


A list or array reference of the labels for the granted privileges. These correspond to the uppercase labels shown in the description.


  print "We can read!\n" if $priv->can('r');
  print "We can read and write!\n" if $priv->can(qw(r w));

Pass in one or more privilege characters or labels and this method will return true if that all the privileges have been granted. If at least one of the specified privileges has not been granted, can returns false.


Convenience methods for verifying individual privileges:


Returns true if the SELECT privilege has been granted.


Returns true if the SELECT privilege has been granted.


Returns true if the UPDATE privilege has been granted.


Returns true if the UPDATE privilege has been granted.


Returns true if the INSERT privilege has been granted.


Returns true if the INSERT privilege has been granted.


Returns true if the DELETE privilege has been granted.


Returns true if the REFERENCE privilege has been granted.


Returns true if the TRIGGER privilege has been granted.


Returns true if the EXECUTE privilege has been granted.


Returns true if the USAGE privilege has been granted.


Returns true if the CREATE privilege has been granted.


Returns true if the CONNECT privilege has been granted.


Returns true if the TEMPORARY privilege has been granted.


Returns true if the TEMPORARY privilege has been granted.

See Also


This module was originally developed under contract to Etsy, Inc.. Many thanks to them for agreeing to release it as open-source code!


David E. Wheeler <>

Copyright and License

Copyright (c) 2009-2010 Etsy, Inc. and David. E. Wheeler. Some Rights Reserved.

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.