Database Permissions

Tightly scope PostgreSQL credentials for TypeGraph with least-privilege runtime and deploy roles.

Permission Model

Use separate roles for deployment and runtime when possible. The deploy role can create extensions, tables, and indexes. The runtime role reads and writes TypeGraph tables but should not be a superuser.

Install pgvector

TypeGraph self-hosted Postgres requires pgvector. Many managed providers preinstall it; otherwise run the extension command with a privileged migration role.

extension.sql

create extension if not exists vector;

Runtime Role

Use this role for application traffic after typegraphDeploy() has provisioned the schema.

runtime-role.sql

create role typegraph_app login password 'change-me';

grant usage on schema public to typegraph_app;
grant select, insert, update, delete on all tables in schema public to typegraph_app;
grant usage, select on all sequences in schema public to typegraph_app;

alter default privileges in schema public
grant select, insert, update, delete on tables to typegraph_app;

alter default privileges in schema public
grant usage, select on sequences to typegraph_app;

Deploy Role

Use a separate deploy role in migrations or setup jobs. This keeps normal app traffic away from DDL privileges.

deploy-role.sql

create role typegraph_deploy login password 'change-me';

grant usage, create on schema public to typegraph_deploy;
grant create on database your_database to typegraph_deploy;

-- Run typegraphDeploy with this role.
-- Run typegraphInit and normal app traffic with typegraph_app.

Verify Tables

SDK 0.5 uses typegraph_documents, typegraph_events for business events, and typegraph_telemetry for SDK telemetry. Legacy source data is not migrated by the hard-cut setup path.

verify.sql

-- Core SDK tables use the new names.
select table_name
from information_schema.tables
where table_schema = 'public'
  and table_name like 'typegraph_%'
order by table_name;

-- Telemetry is operational SDK logging.
-- Business events are stored separately.
select count(*) from typegraph_telemetry;
select count(*) from typegraph_events;

Back to All Guides

create role typegraph_app login password 'change-me'; grant usage on schema public to typegraph_app; grant select, insert, update, delete on all tables in schema public to typegraph_app; grant usage, select on all sequences in schema public to typegraph_app; alter default privileges in schema public grant select, insert, update, delete on tables to typegraph_app; alter default privileges in schema public grant usage, select on sequences to typegraph_app;

create role typegraph_deploy login password 'change-me'; grant usage, create on schema public to typegraph_deploy; grant create on database your_database to typegraph_deploy; -- Run typegraphDeploy with this role. -- Run typegraphInit and normal app traffic with typegraph_app.

-- Core SDK tables use the new names. select table_name from information_schema.tables where table_schema = 'public' and table_name like 'typegraph_%' order by table_name; -- Telemetry is operational SDK logging. -- Business events are stored separately. select count(*) from typegraph_telemetry; select count(*) from typegraph_events;