5.1.9.1 System Variable Privileges

A system variable can have a global value that affects server operation as a whole, a session value that affects the current session, or both. Many system variables are dynamic and can be changed at runtime using the SET statement to affect operation of the current server instance. SET can also be used to persist certain global system variables to the mysqld-auto.cnf file in the data directory, to affect server operation for subsequent startups. RESET PERSIST removes persisted settings from mysqld-auto.cnf.

This section describes the privileges required to assign values to system variables at runtime. This includes persistence-related privileges because some statements that modify system variable values persist those settings to the mysqld-auto.cnf file. For more information about persisting system variables and the mysqld-auto.cnf file, see Section 5.1.9.3, “Persisted System Variables”.

These privileges apply to setting global system variable values:

The descriptions for individual system variables indicate any exceptions to the preceding privilege requirements. An example is mandatory_roles.

To set a session system variable at runtime, use the SET SESSION statement. In contrast to global system variable values, setting session system variable values at runtime normally requires no special privileges and can be done by any user to affect the current session. However, for some system variables, setting the session value can have effects outside the current session and thus is a restricted operation that can be done only by users who have a special privilege:

If a session system variable is restricted, the variable description indicates that restriction. Examples include binlog_format, sql_log_bin, and sql_log_off.

The reason for restricting certain session system variables is that changing them can have an effect beyond the current session. For example, setting the session binlog_format or sql_log_bin value affects binary logging for the current session, but that may have implications for the integrity of server replication and backups.

SESSION_VARIABLES_ADMIN enables administrators to minimize the privilege footprint of users who may previously have been granted SYSTEM_VARIABLES_ADMIN or SUPER for the purpose of enabling them to modify restricted session system variables. Suppose that an administrator has created the following role to confer the ability to set restricted session system variables:

Any user granted the set_session_sysvars role (and who has that role active) is able to set restricted session system variables. However, that user is also able to set global system variables, which may be undesirable.

By modifying the role to have SESSION_VARIABLES_ADMIN instead of SYSTEM_VARIABLES_ADMIN, the role privileges can be reduced to the ability to set restricted session system variables and nothing else. To modify the role, use these statements:

Modifying the role has an immediate effect: Any account granted the set_session_sysvars role no longer has SYSTEM_VARIABLES_ADMIN and is not able to set global system variables without being granted that ability explicitly. A similar GRANT/REVOKE sequence can be applied to any account that was granted SYSTEM_VARIABLES_ADMIN directly rather than by means of a role.