diff --git a/src/box/call.c b/src/box/call.c
index 33124779341356f4310c62b3eb4d034803d04733..6388e1e68fa472b8b4b4e7d7d81ec2eea7e99b9c 100644
--- a/src/box/call.c
+++ b/src/box/call.c
@@ -72,8 +72,13 @@ access_check_func(const char *name, uint32_t name_len, struct func **funcp)
}
user_access_t access = PRIV_X | PRIV_U;
user_access_t func_access = access & ~credentials->universal_access;
- if (func == NULL || (func->def->uid != credentials->uid &&
+ if (func == NULL ||
+ /* Check for missing Usage access, ignore owner rights. */
+ func_access & PRIV_U ||
+ /* Check for missing specific access, respect owner rights. */
+ (func->def->uid != credentials->uid &&
func_access & ~func->access[credentials->auth_token].effective)) {
+
/* Access violation, report error. */
struct user *user = user_find(credentials->uid);
if (user != NULL) {
diff --git a/src/box/sequence.c b/src/box/sequence.c
index 0f6a8ca974e1af94978a2920b78fc568c167fde8..162147cdedbb8266d6c8d42a170325bd63ba9cb2 100644
--- a/src/box/sequence.c
+++ b/src/box/sequence.c
@@ -250,8 +250,13 @@ access_check_sequence(struct sequence *seq)
user_access_t access = PRIV_U | PRIV_W;
user_access_t sequence_access = access & ~cr->universal_access;
- if (seq->def->uid != cr->uid &&
- sequence_access & ~seq->access[cr->auth_token].effective) {
+ if (sequence_access &&
+ /* Check for missing Usage access, ignore owner rights. */
+ (sequence_access & PRIV_U ||
+ /* Check for missing specific access, respect owner rights. */
+ (seq->def->uid != cr->uid &&
+ sequence_access & ~seq->access[cr->auth_token].effective))) {
+
/* Access violation, report error. */
struct user *user = user_find(cr->uid);
if (user != NULL) {
diff --git a/src/box/space.c b/src/box/space.c
index bb5f07ed5c5fd61ac4a98f70aa41a9c00fd8a107..11fd2c17dd3b9d210939f9ef210a31ff8d5d7a43 100644
--- a/src/box/space.c
+++ b/src/box/space.c
@@ -59,8 +59,12 @@ access_check_space(struct space *space, user_access_t access)
*/
user_access_t space_access = access & ~cr->universal_access;
- if (space_access && space->def->uid != cr->uid &&
- space_access & ~space->access[cr->auth_token].effective) {
+ if (space_access &&
+ /* Check for missing Usage access, ignore owner rights. */
+ (space_access & PRIV_U ||
+ /* Check for missing specific access, respect owner rights. */
+ (space->def->uid != cr->uid &&
+ space_access & ~space->access[cr->auth_token].effective))) {
/*
* Report access violation. Throw "no such user"
* error if there is no user with this id.
diff --git a/test/box/access_misc.result b/test/box/access_misc.result
index 67234ab2437352ae8a6f3b20a0152de00066ac78..d358e5fdb30eae195aa0fcfc32abbd810160b02c 100644
--- a/test/box/access_misc.result
+++ b/test/box/access_misc.result
@@ -620,6 +620,109 @@ box.schema.user.drop('testuser')
s:drop()
---
...
+--
+-- gh-3089 usage access is not applied to owner
+--
+box.schema.user.grant("guest","read, write, execute, create", "universe")
+---
+...
+box.session.su("guest")
+---
+...
+s = box.schema.space.create("test")
+---
+...
+_ = s:create_index("prim")
+---
+...
+test_func = function() end
+---
+...
+box.schema.func.create('test_func')
+---
+...
+sq = box.schema.sequence.create("test")
+---
+...
+box.session.su("admin")
+---
+...
+box.schema.user.revoke("guest", "usage", "universe")
+---
+...
+box.session.su("guest")
+---
+...
+s:select{}
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+s:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:set(100)
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+c = require("net.box").connect(os.getenv("LISTEN"))
+---
+...
+c:call("test_func")
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+box.session.su("admin")
+---
+...
+box.schema.user.revoke("guest","read, write, execute, create", "universe")
+---
+...
+box.session.su("guest")
+---
+...
+s:select{}
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+s:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:set(100)
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+sq:drop()
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+c = require("net.box").connect(os.getenv("LISTEN"))
+---
+...
+c:call("test_func")
+---
+- error: Usage access to universe '' is denied for user 'guest'
+...
+box.session.su("admin")
+---
+...
+box.schema.user.grant("guest","usage", "universe")
+---
+...
+box.schema.func.drop("test_func")
+---
+...
+s:drop()
+---
+...
+sq:drop()
+---
+...
box.space._user:select()
---
- - [0, 1, 'guest', 'user', {'chap-sha1': 'vhvewKp0tNyweZQ+cFKAlsyphfg='}]
diff --git a/test/box/access_misc.test.lua b/test/box/access_misc.test.lua
index c23a021731038275b73e55cafb994e2931bbfb67..18e4e68564b0a2ef4bd655aec3826fbd83082165 100644
--- a/test/box/access_misc.test.lua
+++ b/test/box/access_misc.test.lua
@@ -243,6 +243,46 @@ box.schema.user.drop('testuser')
s:drop()
+--
+-- gh-3089 usage access is not applied to owner
+--
+box.schema.user.grant("guest","read, write, execute, create", "universe")
+box.session.su("guest")
+s = box.schema.space.create("test")
+_ = s:create_index("prim")
+test_func = function() end
+box.schema.func.create('test_func')
+sq = box.schema.sequence.create("test")
+box.session.su("admin")
+box.schema.user.revoke("guest", "usage", "universe")
+box.session.su("guest")
+
+s:select{}
+s:drop()
+sq:set(100)
+sq:drop()
+c = require("net.box").connect(os.getenv("LISTEN"))
+c:call("test_func")
+
+box.session.su("admin")
+box.schema.user.revoke("guest","read, write, execute, create", "universe")
+box.session.su("guest")
+
+s:select{}
+s:drop()
+sq:set(100)
+sq:drop()
+c = require("net.box").connect(os.getenv("LISTEN"))
+c:call("test_func")
+
+box.session.su("admin")
+
+box.schema.user.grant("guest","usage", "universe")
+
+box.schema.func.drop("test_func")
+s:drop()
+sq:drop()
+
box.space._user:select()
box.space._space:select()
box.space._func:select()