Subsetter connection requirements
Published 11 September 2025
This document outlines the required database permissions for the database user used in our data migration/synchronization process. The user needs different permission sets for connecting to the source and target databases.
Overview
The database user must be configured with specific permissions on both the source and target databases to ensure proper functionality subsetting.
SqlServer
These permissions are all at the database level.
Source Database Permissions
The following permissions are required on the source database:
| Permission | Purpose |
|---|---|
CONNECT | Establish connection to the database |
CREATE TABLE | Create temporary tables for data processing |
ALTER ANY SCHEMA | Modify schema structures during migration |
SELECT | Read data from source tables |
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | Access encrypted column metadata |
VIEW ANY COLUMN MASTER KEY DEFINITION | Access master key information for encrypted data |
VIEW DATABASE PERFORMANCE STATE | Monitor database performance during operations |
ALTER ANY TRIGGERS DDL | Modify triggers that may affect data operations |
Target Database Permissions
The following permissions are required on the target database:
| Permission | Purpose |
|---|---|
CONNECT | Establish connection to the database |
SELECT | Allows read access to a table-like objects |
INSERT | Insert migrated data into target tables |
DELETE | Remove data during cleanup or error handling |
EXECUTE | Run stored procedures and functions |
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | Handle encrypted columns in target database |
VIEW ANY COLUMN MASTER KEY DEFINITION | Access encryption keys for target data |
VIEW DATABASE PERFORMANCE STATE | Monitor target database performance |
ALTER ANY TRIGGERS DDL | Manage triggers on target tables |
PostgreSQL
These permissions are per schema and per table in a database.
We need a user that has superuser privileges or to be the owner of the tables you are planning to subset because that is, to our knowledge, the only way to disable triggers and constraints in PostgreSQL.
We only try to disable triggers and constraints that are enabled, meaning if they have been disabled before Subset then, the following are the least amount of privileges needed for a subset:
Source Database Permissions
The following permissions are required on the source database:
| Object | Permission | Purpose |
|---|---|---|
| Database | CONNECT | Establish connection to the database |
| Schema | CREATE | Create objects in a schema, needed for Subsetter's working tables |
| Table | SELECT | Allows read access to a table-like objects |
Target Database Permissions
The following permissions are required on the target database:
| Object | Permission | Purpose |
|---|---|---|
| Database | CONNECT | Establish connection to the database |
| Schema | USAGE | Allows access to objects contained in the schema (assuming that the objects' own privilege requirements are also met). |
| Table | SELECT | Allows read access to a table-like objects |
| Table | INSERT | Insert migrated data into target tables |
MySql/MariaDB/Oracle
We currently have no way of Subsetting these databases without being the schema owner or a proxy user.
