From 8d1fd1de5b6d7dfdd03b95610519ecf67a8bc2ee Mon Sep 17 00:00:00 2001 From: adela Date: Fri, 13 Feb 2026 13:41:11 +0100 Subject: [PATCH 1/4] update --- docs/changelog/bytebase-3-15-0.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/changelog/bytebase-3-15-0.mdx b/docs/changelog/bytebase-3-15-0.mdx index 19590277..0dfadf84 100644 --- a/docs/changelog/bytebase-3-15-0.mdx +++ b/docs/changelog/bytebase-3-15-0.mdx @@ -28,7 +28,7 @@ We introduce project-level Service Accounts and Workload Identities in addition Affected APIs: `CreateServiceAccount`, `ListServiceAccounts`, `CreateWorkloadIdentity`, `ListWorkloadIdentities`. Endpoint change: `/v1/serviceAccounts` → `/v1/workspaces/-/serviceAccounts` - - Terraform users must update IAM member prefixes and use the new service account/workload identity resources. + - Terraform users must update IAM member prefixes and use the new service account/workload identity resources. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) ## 🔔 Other Notable Changes 
@@ -37,7 +37,7 @@ We introduce project-level Service Accounts and Workload Identities in addition - **Max result rows** can also be configured at the project level. - `DataSourceQueryPolicy` is merged into `QueryDataPolicy` and deprecated (auto-migrated). - DDL/DML execution control is now configured at the project role level using `bb.sql.ddl` and `bb.sql.dml` permissions. The previous `disallow_ddl` / `disallow_dml` environment policy is removed. - - For Terraform users, the settings update also affect Terraform, need to update bytebase_policy configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/3.15.1/docs/resources/policy) + - For Terraform users, the settings update also affect Terraform, need to update bytebase_policy configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) - **Role & permission adjustments** - Add `bb.taskRuns.create` permission to the **Project Owner** role. @@ -77,6 +77,6 @@ We introduce project-level Service Accounts and Workload Identities in addition - Fix access token refresh on SQL Editor LSP websocket reconnection. - Fix incorrect Learn More link for online migration. - **Google Cloud SQL** - Fix IAM authentication while creating instances in Bytebase Cloud. -- **PostgreSQL** - Support CTE for Backup. +- **PostgreSQL** - Support Common Table Expressions (CTE) in backup statement execution. From 3d8c47cf53f567047c829c044d4cb120b4a06c65 Mon Sep 17 00:00:00 2001 From: adela Date: Fri, 13 Feb 2026 13:54:12 +0100 Subject: [PATCH 2/4] update changlog --- docs/changelog/bytebase-3-15-0.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/changelog/bytebase-3-15-0.mdx b/docs/changelog/bytebase-3-15-0.mdx index 0dfadf84..ef009b7c 100644 --- a/docs/changelog/bytebase-3-15-0.mdx +++ b/docs/changelog/bytebase-3-15-0.mdx 
@@ -36,13 +36,14 @@ We introduce project-level Service Accounts and Workload Identities in addition - Add a dedicated **SQL Editor** section under **Workspace Settings > General**, consolidating data export, data copying, admin data source access, max result size, max result rows, and max query time. - **Max result rows** can also be configured at the project level. - `DataSourceQueryPolicy` is merged into `QueryDataPolicy` and deprecated (auto-migrated). - - DDL/DML execution control is now configured at the project role level using `bb.sql.ddl` and `bb.sql.dml` permissions. The previous `disallow_ddl` / `disallow_dml` environment policy is removed. + - DDL/DML execution control is now managed via `bb.sql.ddl` and `bb.sql.dml` project role permissions, which can be restricted to specific environments. The previous `disallow_ddl` / `disallow_dml` environment policy is removed. - For Terraform users, the settings update also affect Terraform, need to update bytebase_policy configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) - **Role & permission adjustments** - Add `bb.taskRuns.create` permission to the **Project Owner** role. - Remove `bb.rollouts.create` permission from the **Project Developer** role (use **Project Releaser** or **Project Owner**). - Allow managing project IAM policy without the **Project Owner** role. + - Add `bb.sql.ddl` and `bb.sql.dml` permissions to the **SQL Editor User** and **Project Owner** role. - **Online migration configuration change** - Move gh-ost configuration from Plan spec to SQL directive in sheet content (`-- gh-ost = { ... }`). From 933b0752ecf32d366b8717b7dba5bde80aaa50ac Mon Sep 17 00:00:00 2001 From: adela Date: Fri, 13 Feb 2026 13:55:45 +0100 Subject: [PATCH 3/4] update --- docs/changelog/bytebase-3-15-0.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/changelog/bytebase-3-15-0.mdx b/docs/changelog/bytebase-3-15-0.mdx index ef009b7c..5aa7c0a8 100644 --- a/docs/changelog/bytebase-3-15-0.mdx +++ b/docs/changelog/bytebase-3-15-0.mdx @@ -37,7 +37,7 @@ We introduce project-level Service Accounts and Workload Identities in addition - **Max result rows** can also be configured at the project level. - `DataSourceQueryPolicy` is merged into `QueryDataPolicy` and deprecated (auto-migrated). - DDL/DML execution control is now managed via `bb.sql.ddl` and `bb.sql.dml` project role permissions, which can be restricted to specific environments. The previous `disallow_ddl` / `disallow_dml` environment policy is removed. - - For Terraform users, the settings update also affect Terraform, need to update bytebase_policy configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) + - For Terraform users, need to update `bytebase_policy` configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) - **Role & permission adjustments** - Add `bb.taskRuns.create` permission to the **Project Owner** role. From d2851ca6ce00e3d3461e683720dfb33bb5a9d3ff Mon Sep 17 00:00:00 2001 From: adela Date: Mon, 16 Feb 2026 11:52:12 +0100 Subject: [PATCH 4/4] update --- docs/changelog/bytebase-3-15-0.mdx | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/changelog/bytebase-3-15-0.mdx b/docs/changelog/bytebase-3-15-0.mdx index 5aa7c0a8..9ad81bf5 100644 --- a/docs/changelog/bytebase-3-15-0.mdx +++ b/docs/changelog/bytebase-3-15-0.mdx 
@@ -32,18 +32,23 @@ We introduce project-level Service Accounts and Workload Identities in addition ## 🔔 Other Notable Changes +- **DDL and DML execution control update** + - Environment condition is added to `bb.sql.ddl` and `bb.sql.dml` role grants as a replacement for the `disallow_ddl` and `disallow_dml` environment policy. + - Each IAM Policy (i.e. role grant) has a single environment condition that applies to both `bb.sql.ddl` and `bb.sql.dml` permissions together. This means you cannot allow DDL but disallow DML (or vice versa) within the same role. If you need different environment restrictions for DDL and DML, the recommended practice is to create 2 separate roles — one with `bb.sql.ddl` and one with `bb.sql.dml` — each with its own environment condition. + - `disallow_ddl` and `disallow_dml` are automatically migrated to be reflected in role grants in an OR manner — if for a specific environment, either `disallow_ddl` or `disallow_dml` is set to OFF, this environment condition will be configured for the role with `bb.sql.ddl` or `bb.sql.dml` permission. This could lead to **breaking changes** to DDL and DML control if your `disallow_ddl` and `disallow_dml` settings differ across environment policies. Please review after upgrading and follow the recommended practice to configure your role grants. + - Add `bb.sql.ddl` and `bb.sql.dml` permissions to the **SQL Editor User** and **Project Owner** role. + - For Terraform users, update the environment policy and your role grants accordingly. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) + - **SQL Editor settings consolidation & policy updates** - Add a dedicated **SQL Editor** section under **Workspace Settings > General**, consolidating data export, data copying, admin data source access, max result size, max result rows, and max query time. - **Max result rows** can also be configured at the project level. 
- `DataSourceQueryPolicy` is merged into `QueryDataPolicy` and deprecated (auto-migrated). - - DDL/DML execution control is now managed via `bb.sql.ddl` and `bb.sql.dml` project role permissions, which can be restricted to specific environments. The previous `disallow_ddl` / `disallow_dml` environment policy is removed. - - For Terraform users, need to update `bytebase_policy` configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) + - For Terraform users, update `bytebase_policy` configuration. [Latest provider documentation](https://registry.terraform.io/providers/bytebase/bytebase/latest/docs) - **Role & permission adjustments** - Add `bb.taskRuns.create` permission to the **Project Owner** role. - Remove `bb.rollouts.create` permission from the **Project Developer** role (use **Project Releaser** or **Project Owner**). - Allow managing project IAM policy without the **Project Owner** role. - - Add `bb.sql.ddl` and `bb.sql.dml` permissions to the **SQL Editor User** and **Project Owner** role. - **Online migration configuration change** - Move gh-ost configuration from Plan spec to SQL directive in sheet content (`-- gh-ost = { ... }`).
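Review bot: the Terraform bullet in [PATCH 1/4], hunk `@@ -28,7 +28,7 @@`, still does not say which IAM member prefixes change or what the new service account and workload identity resources are called, and the added link only goes to the provider's root docs page. This bullet sits directly under an endpoint change (`/v1/serviceAccounts` → `/v1/workspaces/-/serviceAccounts`), so anyone with existing Terraform-managed IAM bindings needs the old and new prefix spelled out to know which grants to rewrite. Name them in the bullet, or link to the specific resource pages instead of the docs root.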
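Review bot: the replacement link on the `bytebase_policy` bullet in [PATCH 1/4], hunk `@@ -37,7 +37,7 @@`, drops the deep link: the old URL ended in `/3.15.1/docs/resources/policy`, the new one stops at `/latest/docs`. Moving off the pinned version is reasonable, but the bullet tells users to update one specific resource, so keep the resource path under `latest` if that page exists there. Also consider that `latest` will drift away from what a 3.15.0 changelog describes; stating the minimum provider version that matches this release would keep the entry accurate over time.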
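Review bot: the added line "Add `bb.sql.ddl` and `bb.sql.dml` permissions to the **SQL Editor User** and **Project Owner** role" in [PATCH 2/4], hunk `@@ -36,13 +36,14 @@`, documents new permissions on existing roles without saying what environment scope current holders of those roles end up with. The reworded bullet above it says the permissions "can be restricted to specific environments", which leaves open whether existing grants are unrestricted after upgrade or inherit the old `disallow_ddl` / `disallow_dml` settings. Say which it is here, or cross-reference the migration behaviour, since this is the line an administrator will read to decide whether SQL Editor users can now run DDL in production. Minor: "role" should be "roles".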
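Review bot: the reworded Terraform bullet in [PATCH 3/4], hunk `@@ -37,7 +37,7 @@`, says to update `bytebase_policy` but not what to change in it. The context lines just above state that `DataSourceQueryPolicy` is merged into `QueryDataPolicy` and that the `disallow_ddl` / `disallow_dml` environment policy is removed; naming those as the settings to migrate or delete would make the bullet actionable. The sentence also still has no subject ("For Terraform users, need to update"); "Terraform users need to update ..." reads cleanly.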
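Review bot: the auto-migration bullet in [PATCH 4/4], hunk `@@ -32,18 +32,23 @@`, should state the direction of the change, because as written the OR rule reads as widening access rather than just "breaking" it. If an environment had `disallow_ddl` ON and `disallow_dml` OFF, the text says that environment is added to the condition, and the bullet above says a grant's single condition covers both `bb.sql.ddl` and `bb.sql.dml` together, so a role holding both (the same hunk adds both to **SQL Editor User** and **Project Owner**) would gain DDL in an environment where it was previously blocked. Suggest saying that explicitly, with one concrete before/after example, and changing "Please review after upgrading" to advise recording the current per-environment settings before the upgrade and splitting roles immediately after. Two smaller points in the same hunk: "set to OFF" for a `disallow_*` flag is easy to misread, so spell out that OFF means the statement type is allowed; and the second bullet switches between "IAM Policy (i.e. role grant)" and "within the same role", which blurs whether the condition is per grant or per role.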