Fix default admin acl by adding WriteUserAttributes (#26071)

Enjection · web-flow · commit 57f0b054073e · 2025-09-30T21:01:21.000+03:00
diff --git a/ydb/core/viewer/tests/canondata/result.json b/ydb/core/viewer/tests/canondata/result.json
@@ -1670,7 +1670,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -1750,7 +1751,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -1836,7 +1838,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -1916,7 +1919,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2002,7 +2006,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2082,7 +2087,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2168,7 +2174,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2248,7 +2255,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2334,7 +2342,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2414,7 +2423,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2553,7 +2563,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2726,7 +2737,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
@@ -2887,7 +2899,8 @@
                             "CreateTable",
                             "CreateQueue",
                             "RemoveSchema",
-                            "AlterSchema"
+                            "AlterSchema",
+                            "WriteUserAttributes"
                         ],
                         "AccessType": "Allow",
                         "InheritanceType": [
diff --git a/ydb/library/aclib/aclib.cpp b/ydb/library/aclib/aclib.cpp
@@ -587,6 +587,8 @@ ui32 TACL::SpecialRightsFromString(const TString& string) {
             result |= EAccessRights::GrantAccessRights;
         if (r == "ConnDB")
             result |= EAccessRights::ConnectDatabase;
+        if (r == "WUA")
+            result |= EAccessRights::WriteUserAttributes;
     }
     return result;
 }
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/block-4-2.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/block-4-2.yaml.result.json
@@ -326,7 +326,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/bridge-mirror-3dc-3-nodes.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/bridge-mirror-3dc-3-nodes.yaml.result.json
@@ -247,7 +247,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/mirror-3dc-3-nodes-in-memory.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/mirror-3dc-3-nodes-in-memory.yaml.result.json
@@ -267,7 +267,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/mirror-3dc-3-nodes.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/mirror-3dc-3-nodes.yaml.result.json
@@ -268,7 +268,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/mirror-3dc-9-nodes.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/mirror-3dc-9-nodes.yaml.result.json
@@ -342,7 +342,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/simple.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/simple.yaml.result.json
@@ -331,7 +331,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/single-node-in-memory.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/single-node-in-memory.yaml.result.json
@@ -234,7 +234,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/single-node-with-file.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_basic_args0-dump_/single-node-with-file.yaml.result.json
@@ -234,7 +234,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/domains-config.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/domains-config.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-missing-types.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-missing-types.yaml.result.json
@@ -177,7 +177,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-storage-pool-distconf.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-storage-pool-distconf.yaml.result.json
@@ -199,7 +199,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-storage-pool.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-storage-pool.yaml.result.json
@@ -199,7 +199,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-valid.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/multinode-valid.yaml.result.json
@@ -177,7 +177,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/storage-pool-types-distconf.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/storage-pool-types-distconf.yaml.result.json
@@ -201,7 +201,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/storage-pool-types.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_domains_config_dump_/storage-pool-types.yaml.result.json
@@ -201,7 +201,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/block-4-2.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/block-4-2.yaml.result.json
@@ -275,7 +275,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/disk-type-short-single.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/disk-type-short-single.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/disk-type-short.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/disk-type-short.yaml.result.json
@@ -177,7 +177,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/disk.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/disk.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/drive.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/drive.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-3-nodes-distconf.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-3-nodes-distconf.yaml.result.json
@@ -200,7 +200,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-3-nodes-in-memory.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-3-nodes-in-memory.yaml.result.json
@@ -217,7 +217,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-3-nodes.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-3-nodes.yaml.result.json
@@ -217,7 +217,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-9-nodes.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/mirror-3dc-9-nodes.yaml.result.json
@@ -288,7 +288,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/ram.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/ram.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/single-node-in-memory.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/single-node-in-memory.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/single-node-with-file.yaml.result.json b/ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/single-node-with-file.yaml.result.json
@@ -179,7 +179,7 @@
               "+(DS|RA):METADATA-READERS",
               "+(SR):DATA-READERS",
               "+(UR|ER):DATA-WRITERS",
-              "+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS",
+              "+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS",
               "+(GAR):ACCESS-ADMINS",
               "+(CDB|DDB):DATABASE-ADMINS"
             ],
diff --git a/ydb/library/yaml_config/yaml_config_parser.cpp b/ydb/library/yaml_config/yaml_config_parser.cpp
@@ -555,7 +555,7 @@ namespace NKikimr::NYaml {
             securityConfig->AddDefaultAccess("+(DS|RA):METADATA-READERS"); // DescribeSchema | ReadAttributes
             securityConfig->AddDefaultAccess("+(SR):DATA-READERS"); // SelectRow
             securityConfig->AddDefaultAccess("+(UR|ER):DATA-WRITERS"); // UpdateRow | EraseRow
-            securityConfig->AddDefaultAccess("+(CD|CT|CQ|WA|AS|RS):DDL-ADMINS"); // CreateDirectory | CreateTable | CreateQueue | WriteAttributes | AlterSchema | RemoveSchema
+            securityConfig->AddDefaultAccess("+(CD|CT|CQ|WA|WUA|AS|RS):DDL-ADMINS"); // CreateDirectory | CreateTable | CreateQueue | WriteAttributes | WriteUserAttributes | AlterSchema | RemoveSchema
             securityConfig->AddDefaultAccess("+(GAR):ACCESS-ADMINS"); // GrantAccessRights
             securityConfig->AddDefaultAccess("+(CDB|DDB):DATABASE-ADMINS"); // CreateDatabase | DropDatabase
         }

Original file line number	Diff line number	Diff line change
`@@ -587,6 +587,8 @@ ui32 TACL::SpecialRightsFromString(const TString& string) {`
`587`	`587`	`result \|= EAccessRights::GrantAccessRights;`
`588`	`588`	`if (r == "ConnDB")`
`589`	`589`	`result \|= EAccessRights::ConnectDatabase;`
	`590`	`+ if (r == "WUA")`
	`591`	`+ result \|= EAccessRights::WriteUserAttributes;`
`590`	`592`	`}`
`591`	`593`	`return result;`
`592`	`594`	`}`