Execute As
EXECUTE AS is wrapper syntax for a single SQL statement. It switches USER-table or STREAM-table execution to a resolved target user ID only when the authenticated actor role is allowed to target that user’s role.
EXECUTE AS
EXECUTE AS '<user_id>' ( <single_statement>);Rules
- The wrapper must contain exactly one SQL statement
- The target user ID must be single-quoted
- System users may target system, DBA, service, and user accounts
- DBA users may target DBA, service, and user accounts
- Service users may target service and user accounts
- Regular users may only target themselves
- The wrapper is valid for USER and STREAM tables; shared tables use their table policy directly
- Legacy inline
... AS USER 'name'syntax is not supported
Examples
Authorized delegated query:
EXECUTE AS 'user_123' ( SELECT * FROM app.messages WHERE conversation_id = 42);Authorized delegated insert:
EXECUTE AS 'user_123' ( INSERT INTO app.messages (conversation_id, sender, role, content) VALUES (42, 'user_123', 'assistant', 'Processing complete'));Authorized delegated delete:
EXECUTE AS 'user_123' ( DELETE FROM app.messages WHERE id = 123);Use Cases
| Scenario | Description |
|---|---|
| Service workers | Write rows into a user’s USER-table or STREAM-table partition through an explicit delegation boundary |
| Testing | Assert allowed and denied role-matrix edges consistently |
| Audit trails | Record the actor and target user for delegated operations |
Last updated on