PostgreSQL and Sybase Replication Permission Guide
This document summarizes common permission requirements for replication scenarios involving PostgreSQL and Sybase, including the following links:
- Sybase > PostgreSQL
- PostgreSQL Sybase
- Sybase > PostgreSQL (Bidirectional)
How To Use This Guide
- This guide focuses on the permissions commonly needed to create tasks, pass prechecks, and keep tasks running stably.
- Full permissions usually include both schema permissions and full-data permissions. Incremental permissions extend full permissions with CDC or logical-replication related capabilities.
- Enterprise environments may also enforce IP allowlists, SSL, audit policies, or object-owner restrictions, so the final authority should still be the console precheck result and your DBA policy.
Quick Reference Table
| Database | Scenario | Common Source Permissions | Common Target Permissions | Notes |
|---|---|---|---|---|
| PostgreSQL | Schema | If views, functions, triggers, or other objects are involved, SUPERUSER is recommended | If writes involve TABLESPACE, FOREIGN KEY, TYPE, or similar objects, use the DB owner or SUPERUSER; if the target database does not exist yet, CREATEDB is also required | Applies when PostgreSQL acts as either the source or the target |
| PostgreSQL | Full | USAGE on schema + SELECT on tables | Read/write permissions on the target database; if foreign-key dependencies require trigger disabling, PostgreSQL >= 15 needs GRANT SET ON PARAMETER session_replication_role, and PostgreSQL < 15 needs SUPERUSER | Full permissions include both schema permissions and full-data permissions |
| PostgreSQL | Incremental | REPLICATION + DB Owner or SUPERUSER | Read/write permissions on the target database; if the target database does not exist yet, CREATEDB / CREATEROLE is also required; if trigger disabling is needed, PostgreSQL >= 15 needs GRANT SET ON PARAMETER session_replication_role, and PostgreSQL < 15 needs SUPERUSER | When DDL replication is enabled, only the SUPERUSER option can be used |
| Sybase | Full | SELECT | SELECT, INSERT, DELETE, TRUNCATE | Applies to full tasks when Sybase acts as either the source or the target |
| Sybase | Incremental | sa_role; bidirectional tasks also require sso_role | SELECT, INSERT, DELETE, TRUNCATE; if trigger disabling is required, replication_role is also needed | sso_role is additionally needed when bidirectional replication creates the extra schema |
PostgreSQL Permissions
Permission Details
| Scenario | Common Source Permissions | Common Target Permissions | Notes |
|---|---|---|---|
| Schema | If views, functions, triggers, or other objects are involved, SUPERUSER is recommended | If writes involve TABLESPACE, FOREIGN KEY, TYPE, or similar objects, use the DB owner or SUPERUSER; if the target database does not exist yet, CREATEDB is also required | Schema permissions are usually prerequisites for both full and incremental tasks |
| Full | USAGE on schema + SELECT on tables | Read/write permissions on the target database; if trigger disabling is needed, PostgreSQL >= 15 needs GRANT SET ON PARAMETER session_replication_role, and PostgreSQL < 15 needs SUPERUSER | Full permissions include both schema permissions and full-data permissions |
| Incremental | REPLICATION + DB Owner or SUPERUSER | Read/write permissions on the target database; if the target database does not exist yet, CREATEDB / CREATEROLE is also required; if trigger disabling is needed, PostgreSQL >= 15 needs GRANT SET ON PARAMETER session_replication_role, and PostgreSQL < 15 needs SUPERUSER | When DDL replication is enabled, only the SUPERUSER option can be used |
Common Grant Examples
Schema-Related
-- If views, functions, triggers, or similar objects are involved, SUPERUSER is recommended on the source
ALTER ROLE sync_user WITH SUPERUSER;
-- Target option 1: DB owner
for each db:
GRANT <db_owner> TO sync_user;
ALTER ROLE sync_user WITH CREATEDB;
-- Target option 2: SUPERUSER
ALTER ROLE sync_user WITH SUPERUSER;Full Replication
-- Source: read tables in schema repl_db
GRANT USAGE ON SCHEMA repl_db TO sync_user;
GRANT SELECT ON ALL TABLES IN SCHEMA repl_db TO sync_user;
-- Target: if foreign-key dependencies require triggers to be disabled and PostgreSQL >= 15
GRANT SET ON PARAMETER session_replication_role TO sync_user;
-- Target: if foreign-key dependencies require triggers to be disabled and PostgreSQL < 15
ALTER ROLE sync_user WITH SUPERUSER;Incremental Replication
-- Source option 1: REPLICATION + DB Owner
ALTER ROLE sync_user WITH REPLICATION;
for each db:
GRANT <db_owner> TO sync_user;
-- Source option 2: SUPERUSER
ALTER ROLE sync_user WITH SUPERUSER;
-- Target: if the target database does not exist yet, CREATE DB and role privileges are also required
CREATE USER sync_user WITH CREATEDB CREATEROLE PASSWORD 'sync_user';
-- Target: if foreign-key dependencies exist and PostgreSQL >= 15
GRANT SET ON PARAMETER session_replication_role TO sync_user;
-- Target: PostgreSQL < 15 requires SUPERUSER
ALTER ROLE sync_user WITH SUPERUSER;
tip
If DDL replication is enabled, only the SUPERUSER option can be used.
Runtime Permission Notes
| Role | Scenario | System Behavior or Operation | Common Required Permission |
|---|---|---|---|
| Source | Full | Read all replicated tables | SELECT |
| Source | Incremental | Create a replication slot by running SELECT * FROM pg_create_logical_replication_slot('<slot>', 'pgoutput'); | REPLICATION |
| Source | Incremental | Set REPLICA IDENTITY FULL by running ALTER TABLE <table> REPLICA IDENTITY FULL; | Table owner |
| Source | Incremental | Create a publication by running CREATE PUBLICATION <pub> FOR TABLE <table>[, <table>]; or CREATE PUBLICATION <pub> FOR ALL TABLES; | Table owner, CREATE ON DATABASE, or SUPERUSER |
| Source | Incremental | Create the _nd_repl_ schema and nd_repl_de_cycle_v3 table for bidirectional replication | DB owner or CREATE ON DATABASE |
| Source | Incremental | Enable DDL capture by running CREATE EVENT TRIGGER xxx; | SUPERUSER |
| Target | Full | Write to and clear target tables | SELECT, INSERT, TRUNCATE |
| Target | Incremental | Apply row-level synchronized writes | SELECT, INSERT, UPDATE, DELETE |
Sybase Permissions
Permission Details
| Scenario | Common Source Permissions | Common Target Permissions | Notes |
|---|---|---|---|
| Full | SELECT | SELECT, INSERT, DELETE, TRUNCATE | Basic DML permissions for full tasks |
| Incremental | sa_role; if bidirectional replication creates the extra schema, sso_role is also required | SELECT, INSERT, DELETE, TRUNCATE; if triggers are disabled, replication_role is also required | Extra role permissions are needed for bidirectional replication and trigger control |
Common Grant Examples
-- Incremental source
GRANT sa_role TO {user_name};
GRANT sso_role TO {user_name};
-- Incremental target
GRANT replication_role TO {user_name};