hi folks, are there any guidance for the minimum set of permissions that meltano would need to load data into a database (postgres & redshift in this instances). context: • we are setting up a database to house sensitive information (HR data), and want to lock it down as much as possible • meltano would need to insert and update records for sure, but: • is it possible / straightforward to manage the schema evolution outside of meltano (as new fields are added to the extract? • is it possible to limit select access to the meltano role? If anyone would be willing to share how you're handling this use-case where the data team is responsible for setting up the database but should not access any of the data within, I would love to pick your brain 💜

Heya!

• is it possible / straightforward to manage the schema evolution outside of meltano (as new fields are added to the extract?

Could you please elaborate on "outside of meltano" i.e. an example?

• is it possible to limit select access to the meltano role?

1. "select" the streams (columns) you are interested in the extractor config 2. Remove all privileges from a table with sensitive columns to meltano role Then

GRANT SELECT (my_col1, my_col2) ON TABLE my_sensitive_table TO my_meltano_role;

This way meltano is able to read only the specified columns. Source: https://www.postgresql.org/docs/15/sql-grant.html edit: updated the grant example

We manage database objects and permissions with Liquibase. The meltano user has create permissions on dedicated staging schemas. It doesn’t have permissions outside those schemas.

Is it possible to revoke select permission completely from a table and allow meltano to load data into it?

After meltano has created table, you can revoke all privileges from the meltano user and grant

insert

,

update

and

truncate

.