---
title: Manage data security in your service | Tiger Data Docs
description: Restrict data access with read-only PostgreSQL roles
---

When you create a service, Tiger Cloud assigns you the tsdbadmin role. This role has full permissions to modify data in your service. However, Tiger Cloud does not provide superuser access: tsdbadmin is not a superuser.

As tsdbadmin, you can use standard PostgreSQL means to create other roles or assign individual permissions. This page shows you how to create a read-only role for your database. Adding a read-only role does not provide resource isolation. To restrict the access of a read-only user, as well as isolate resources, create a [read replica](/docs/deploy/tiger-cloud/tiger-cloud-aws/high-availability/read-scaling/index.md) instead.

The database-level roles for the individual services in your project do not overlap with the Tiger Cloud project user roles. This page describes the database-level roles. For user roles available in Console, see [Control user access to Tiger Cloud projects](/docs/deploy/tiger-cloud/tiger-cloud-aws/security/members/index.md).

## Create a read-only user

You can create a read-only user to provide limited access to your database.

1. **Connect to your service as the tsdbadmin user**

2. **Create the new role**

   ```
   CREATE ROLE readaccess;
   ```

3. **Grant usage on the schema to allow access to objects within it**

   ```
   GRANT USAGE ON SCHEMA <SCHEMA_NAME> TO readaccess;
   ```

4. **Grant the appropriate permissions for the role, as required**

   For example, to grant `SELECT` permissions to a specific table, use:

   ```
   GRANT SELECT ON <TABLE_NAME> TO readaccess;
   ```

   To grant `SELECT` permissions to all tables in a specific schema, use:

   ```
   GRANT SELECT ON ALL TABLES IN SCHEMA <SCHEMA_NAME> TO readaccess;
   ```

5. **Create a new user**

   ```
   CREATE USER read_user WITH PASSWORD 'read_password';
   ```

6. **Assign the role to the new user**

   ```
   GRANT readaccess TO read_user;
   ```
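
The steps above as one script, added here as an example and not taken from the Tiger Data docs. It assumes a constructed schema `analytics` with a sample table `readings` and a placeholder password, and goes beyond the procedure in two ways: it sets default privileges for tables created later, and it checks the effective privileges of `read_user`.

```sql
-- Added example. The schema "analytics", the table "readings" and the
-- password are constructed placeholders; substitute your own values.
-- Run while connected to the service as tsdbadmin.
BEGIN;

CREATE SCHEMA IF NOT EXISTS analytics;
CREATE TABLE IF NOT EXISTS analytics.readings (
    ts    timestamptz NOT NULL,
    value double precision
);

-- Group role that holds the privileges. CREATE ROLE defaults to NOLOGIN,
-- so nobody can connect as readaccess directly.
CREATE ROLE readaccess;
GRANT USAGE ON SCHEMA analytics TO readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO readaccess;

-- GRANT ... ON ALL TABLES only covers tables that exist at this moment.
-- This makes tables that the current role creates in the schema later
-- readable by readaccess as well.
ALTER DEFAULT PRIVILEGES IN SCHEMA analytics
    GRANT SELECT ON TABLES TO readaccess;

-- Login user that inherits its privileges from the group role.
CREATE USER read_user WITH PASSWORD 'replace-with-a-generated-secret';
GRANT readaccess TO read_user;

COMMIT;

-- Verification: effective privileges of read_user, including those
-- inherited through readaccess, on every table in the schema.
SELECT c.relname,
       has_table_privilege('read_user', c.oid, 'SELECT') AS can_select,
       has_table_privilege('read_user', c.oid, 'INSERT') AS can_insert,
       has_table_privilege('read_user', c.oid, 'UPDATE') AS can_update,
       has_table_privilege('read_user', c.oid, 'DELETE') AS can_delete
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'analytics'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
ORDER BY c.relname;
```

Rerun the verification query after adding tables. A table created by a role other than the one that ran `ALTER DEFAULT PRIVILEGES` is not covered by it and needs its own grant.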
