Page tree
Skip to end of metadata
Go to start of metadata

Unless you use different Postgres users for each connection (see last section of this page), all users will always be able to query all data from all schemas/spaces.

Users need permissions to create new queries, but, using existing queries, they can use SQL tricks such as filtering (which is done in SQL, hence they can specify their WHERE clause, therefore they can call a stored procedure, etc) to access data from other spaces or schemas.

Spreadsheets and Queries

Spreadsheets and queries are local to a Space, so they inherit the same permissions.

Space PermissionsQuery permissionSpreadsheet permission
ViewView, sort, filter*View, sort, filter*
Create pageCan edit existing queries, but not save themCan add and edit spreadsheets
Remove pageCan edit and save existing queriesCan remove spreadsheets

Space Admin (if configured in Play SQL Settings)

or Confluence Admin

Can edit the datasourceCan edit the datasource

* Sorting and filtering is done in SQL. It makes it possible to use unfiltered SQL (which is intended), but it also makes it possible to call SQL stored procedures or anything that the SQL connection allows. If you want to ensure no other data is accessed, you need to use the "Space-level permissions" (see below).

Cross-space macros

When you insert a macro, the "Recently Viewed Spreadsheets" shows spreadsheets from other spaces:

Don't forget that the permissions of the original space apply to the data. Therefore if the audience of the new space doesn't match, you'll have to tune the permissions. See next paragraph.

Space-level permissions

Since  PLAYSQL-135 - Getting issue details... STATUS , it is possible to change the permissions of spreadsheets at a space level.

  • By default in Play SQL, there are permissions for:
    • View: Viewing all data, filtering and sorting,
    • Edit: Edit rows, add rows,
    • Structure: Edit columns, change types,
    • Admin: Change the datasource properties.
  • The space permissions apply: Only users who can view the space can view spreadsheets, etc.
  • It is possible to enlarge the audience: "Accepted Groups" are groups which are accepted in addition to the space users. If the "Inherit from space" checkbox is unticked, only the accepted groups will be allowed.
  • It is possible to restrict the audience: For example administrators could decide that only Board Members can see the data. The group "Board Members" will be added to Required Groups.
  • It is possible to specify a database password for each level.

Database schema visibility

By default, Play SQL creates one schema per space:

  • You can always access a table from another schema using SPACE_[space key].TABLE_NAME.
  • If you want to isolate schemas, you'll need to create a separate Postgres user for each schema and configure a separate connection for each.


  • No labels