How to Get a List of Permissions of MySQL Users

MySQL has an advanced database access system. A database user can have access to the whole database, separate tables, or to separate columns of tables. Also, there is a restriction for actions a user may perform with records.

MySQL server uses several tables in a special database to organize such a complicated database access structure. The access policy is based on the values available in these tables.

The database that MySQL server uses to store internal data about users is called mysql by default. There are tables for storing information about users’ accounts in this database:

• user contains a list of all users of the MySQL server and their permissions to access the database;
• db contains a list of databases with a matching list of database users and their privileges for executing operations;
• tables_priv contains a list of database tables (views) that a user has access to;
• columns_priv contains a list of columns from the database tables (views) a user has access to;
• procs_priv contains a list of database procedures (functions) a user has access to.

To get the list of users’ privileges concerning data access, the following queries may be executed:

• the list of global privileges:

  SELECT
  mu.host `Host`,
  mu.user `User`,
  REPLACE(RTRIM(CONCAT(
  IF(mu.Select_priv = 'Y', 'Select ', ''),
  IF(mu.Insert_priv = 'Y', 'Insert ', ''),
  IF(mu.Update_priv = 'Y', 'Update ', ''),
  IF(mu.Delete_priv = 'Y', 'Delete ', ''),
  IF(mu.Create_priv = 'Y', 'Create ', ''),
  IF(mu.Drop_priv = 'Y', 'Drop ', ''),
  IF(mu.Reload_priv = 'Y', 'Reload ', ''),
  IF(mu.Shutdown_priv = 'Y', 'Shutdown ', ''),
  IF(mu.Process_priv = 'Y', 'Process ', ''),
  IF(mu.File_priv = 'Y', 'File ', ''),
  IF(mu.Grant_priv = 'Y', 'Grant ', ''),
  IF(mu.References_priv = 'Y', 'References ', ''),
  IF(mu.Index_priv = 'Y', 'Index ', ''),
  IF(mu.Alter_priv = 'Y', 'Alter ', ''),
  IF(mu.Show_db_priv = 'Y', 'Show_db ', ''),
  IF(mu.Super_priv = 'Y', 'Super ', ''),
  IF(mu.Create_tmp_table_priv = 'Y', 'Create_tmp_table ', ''),
  IF(mu.Lock_tables_priv = 'Y', 'Lock_tables ', ''),
  IF(mu.Execute_priv = 'Y', 'Execute ', ''),
  IF(mu.Repl_slave_priv = 'Y', 'Repl_slave ', ''),
  IF(mu.Repl_client_priv = 'Y', 'Repl_client ', ''),
  IF(mu.Create_view_priv = 'Y', 'Create_view ', ''),
  IF(mu.Show_view_priv = 'Y', 'Show_view ', ''),
  IF(mu.Create_routine_priv = 'Y', 'Create_routine ', ''),
  IF(mu.Alter_routine_priv = 'Y', 'Alter_routine ', ''),
  IF(mu.Create_user_priv = 'Y', 'Create_user ', ''),
  IF(mu.Event_priv = 'Y', 'Event ', ''),
  IF(mu.Trigger_priv = 'Y', 'Trigger ', '')
  )), ' ', ', ') AS `Privileges`
 FROM
  mysql.user mu
 ORDER BY
  mu.Host,
  mu.User

• the list of privileges for a database:

 SELECT 
  md.host `Host`,
  md.user `User`,
  md.db `Database`,
  REPLACE(RTRIM(CONCAT(
  IF(md.Select_priv = 'Y', 'Select ', ''),
  IF(md.Insert_priv = 'Y', 'Insert ', ''),
  IF(md.Update_priv = 'Y', 'Update ', ''),
  IF(md.Delete_priv = 'Y', 'Delete ', ''),
  IF(md.Create_priv = 'Y', 'Create ', ''),
  IF(md.Drop_priv = 'Y', 'Drop ', ''),
  IF(md.Grant_priv = 'Y', 'Grant ', ''),
  IF(md.References_priv = 'Y', 'References ', ''),
  IF(md.Index_priv = 'Y', 'Index ', ''),
  IF(md.Alter_priv = 'Y', 'Alter ', ''),
  IF(md.Create_tmp_table_priv = 'Y', 'Create_tmp_table ', ''),
  IF(md.Lock_tables_priv = 'Y', 'Lock_tables ', ''),
  IF(md.Create_view_priv = 'Y', 'Create_view ', ''),
  IF(md.Show_view_priv = 'Y', 'Show_view ', ''),
  IF(md.Create_routine_priv = 'Y', 'Create_routine ', ''),
  IF(md.Alter_routine_priv = 'Y', 'Alter_routine ', ''),
  IF(md.Execute_priv = 'Y', 'Execute ', ''),
  IF(md.Event_priv = 'Y', 'Event ', ''),
  IF(md.Trigger_priv = 'Y', 'Trigger ', '')
  )), ' ', ', ') AS `Privileges`
 FROM
  mysql.db md
 ORDER BY
  md.Host,
  md.User,
  md.Db

• the list of privileges for tables:

 SELECT 
  mt.host `Host`,
  mt.user `User`,
  CONCAT(mt.Db, '.', mt.Table_name) `Tables`,
  REPLACE(mt.Table_priv, ',', ', ') AS `Privileges`
 FROM
  mysql.tables_priv mt
 WHERE
  mt.Table_name IN
  (SELECT
  DISTINCT
    t.table_name `tables`
  FROM
    information_schema.tables AS t
  WHERE
    t.table_type IN
    ('BASE TABLE', 'SYSTEM VIEW', 'TEMPORARY', '') OR
    t.table_type <> 'VIEW' AND
    t.create_options IS NOT NULL
  )
 ORDER BY
  mt.Host,
  mt.User,
  mt.Db,
  mt.Table_name;

• the list of privileges for views:

 SELECT 
  mv.host `Host`,
  mv.user `User`,
  CONCAT(mv.Db, '.', mv.Table_name) `Views`,
  REPLACE(mv.Table_priv, ',', ', ') AS `Privileges`
 FROM
  mysql.tables_priv mv
 WHERE
  mv.Table_name IN
  (SELECT
  DISTINCT
    v.table_name `views`
  FROM
    information_schema.views AS v
  )
 ORDER BY
  mv.Host,
  mv.User,
  mv.Db,
  mv.Table_name;

• the list of privileges for table columns:

SELECT 
  mtc.host `Host`,
  mtc.user `User`,
  CONCAT(mtc.Db, '.', mtc.Table_name, '.', mtc.Column_name) `Tables Columns`,
  REPLACE(mtc.Column_priv, ',', ', ') AS `Privileges`
FROM
  mysql.columns_priv mtc
WHERE
  mtc.Table_name IN
  (SELECT
  DISTINCT
    t.table_name `tables`
  FROM
    information_schema.tables AS t
  WHERE
    t.table_type IN
    ('BASE TABLE', 'SYSTEM VIEW', 'TEMPORARY', '') OR
    t.table_type <> 'VIEW' AND
    t.create_options IS NOT NULL
  )
ORDER BY
  mtc.Host,
  mtc.User,
  mtc.Db,
  mtc.Table_name,
  mtc.Column_name;

• the list of privileges for view columns:

 SELECT
  mvc.host `Host`,
  mvc.user `User`,
  CONCAT(mvc.Db, '.', mvc.Table_name, '.', mvc.Column_name) `Views Columns`,
  REPLACE(mvc.Column_priv, ',', ', ') AS `Privileges`
 FROM
  mysql.columns_priv mvc
 WHERE
  mvc.Table_name IN
  (SELECT
  DISTINCT
    v.table_name `views`
  FROM
    information_schema.views AS v
  )
 ORDER BY
  mvc.Host,
  mvc.User,
  mvc.Db,
  mvc.Table_name,
  mvc.Column_name;

• the list of privileges for procedures:

 SELECT
  mp.host `Host`,
  mp.user `User`,
  CONCAT(mp.Db, '.', mp.Routine_name) `Procedures`,
  REPLACE(mp.Proc_priv, ',', ', ') AS `Privileges`
 FROM
  mysql.procs_priv mp
 WHERE
  mp.Routine_type = 'PROCEDURE'
 ORDER BY
  mp.Host,
  mp.User,
  mp.Db,
  mp.Routine_name;

• the list of privileges for functions:

 SELECT
  mf.host `Host`,
  mf.user `User`,
  CONCAT(mf.Db, '.', mf.Routine_name) `Procedures`,
  REPLACE(mf.Proc_priv, ',', ', ') AS `Privileges`
 FROM
  mysql.procs_priv mf
 WHERE
  mf.Routine_type = 'FUNCTION'
 ORDER BY
  mf.Host,
  mf.User,
  mf.Db,
  mf.Routine_name;

You may need to create a decent printable report with this data and to give it as a report, for example, by the demand of a customer or authority. For this purpose, you may use a special MySQL GUI tool that includes a data report designer.

If you have ready queries, you can take advantage of an easy-to-use wizard and create a report using a predefined template and data grouped, for example, by the host, in several minutes.

New Data Report menu

Data Report Wizard

Data Report Custom Query

Data Report Load Query

Data Report Group by Host

Data Report Title

Data Report Preview

As you can see on these screenshots, we have created a report using dbForge Studio’s wizard without tedious designing the report itself.

Conclusion

In the article, we have described with particular scripts how to get a list of users’ privileges concerning data access.