Back to Documentation
Read-Only Setup
Create a dedicated read-only database user for Squish with minimal privileges. We recommend this approach over using your application credentials.
Why use a dedicated user?
- Limits access to metadata only -- Squish cannot read your data even if it tried
- Instant revocation -- drop the user to remove all access
- Audit trail -- filter database logs by user to see exactly what Squish queries
- No impact on your application -- separate credentials, separate connection pool
Create a dedicated user
CREATE USER squish_readonly WITH PASSWORD 'your_secure_password_here';Grant connection and schema access
GRANT CONNECT ON DATABASE your_database TO squish_readonly;
GRANT USAGE ON SCHEMA public TO squish_readonly;
GRANT USAGE ON SCHEMA information_schema TO squish_readonly;Grant metadata read access
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO squish_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO squish_readonly;If you have custom schemas beyond "public", also run: GRANT USAGE ON SCHEMA your_schema TO squish_readonly;
Want to understand our full security model?
Security Model Documentation