11.2.2. Statements for Granting Privileges

A GRANT statement is used for granting privileges — including roles — to users and other database objects.

GRANT

Used for

Granting privileges and assigning roles

Available in

DSQL, ESQL

Syntax

  1. GRANT
  2.   { <privileges> ON [TABLE] {tablename | viewname}
  3.   | EXECUTE ON PROCEDURE procname }
  4.   TO <grantee_list>
  5.   [WITH GRANT OPTION]} | [{GRANTED BY | AS} [USER] grantor]
  7. GRANT <role_granted>
  8.   TO <role_grantee_list> [WITH ADMIN OPTION]
  9.   [{GRANTED BY | AS} [USER] grantor]
  11. <privileges> ::= ALL [PRIVILEGES] | <privilege_list>
  13. <privilege_list> ::= {<privilege> [, <privilege> [,  ] ] }
  15. <privilege> ::=
  16.     SELECT
  17.   | DELETE
  18.   | INSERT
  19.   | UPDATE [(col [, col …])]
  20.   | REFERENCES [(col [, col …])]
  22. <grantee_list> ::= {<grantee> [, <grantee> [, …] ]}
  24. <grantee>  ::=
  25.   [USER] username | [ROLE] rolename |  GROUP Unix_group
  26.   | PROCEDURE procname | TRIGGER trigname | VIEW viewname | PUBLIC
  28. <role_granted> ::= rolename [, rolename …]
  30. <role_grantee_list> ::= [USER] <role_grantee> [,[USER] <role_grantee> [, …]]
  32. <role_grantee> ::= {username | PUBLIC }
Table 181. GRANT Statement Parameters
ParameterDescription

tablename

The name of the table the privilege applies to

viewname

The name of the view the privilege applies to

procname

The name of the stored procedure the EXECUTE privilege applies to; or the name of the procedure to be granted the privilege[s]

col

The table column the privilege is to apply to

Unix_group

The name of a user group in a POSIX operating system

username

The user name to which the privileges are granted to or to which the role is assigned

rolename

Role name

trigname

Trigger name

grantor

The user granting the privilege[s]

A GRANT statement grants one or more privileges on database objects to users, roles, stored procedures, triggers or views.

A regular, authenticated user has no privileges on any database object until they are explicitly granted, either to that individual user or to all users bundled as the user PUBLIC. When an object is created, only the user who has created it (the owner) and administrators have privileges for it and can grant privileges to other users, roles or objects.

Different sets of privileges apply to different types of metadata objects. The different types of privileges will be described separately later.

The TO Clause

The TO clause is used for listing the users, roles and database objects (procedures, triggers and views) that are to be granted the privileges enumerated in privileges. The clause is mandatory.

The optional USER and ROLE keywords in the TO clause allow you to specify exactly who or what is granted the privilege. If a USER or ROLE keyword is not specified, the server checks for a role with this name and, if there is none, the privileges are granted to the user without further checking.

Packaging Privileges in a ROLE Object

A role is a “container” object that can be used to package a collection of privileges. Use of the role is then granted to each user that requires those privileges. A role can also be granted to a list of users.

The role must exist before privileges can be granted to it. See CREATE ROLE in the DDL chapter for the syntax and rules. The role is maintained by granting privileges to it and, when required, revoking privileges from it. If a role is dropped (see DROP ROLE), all users lose the privileges acquired through the role. Any privileges that were granted additionally to an affected user by way of a different grant statement are retained.

A user that is granted a role must supply that role with his login credentials in order to exercise the associated privileges. Any other privileges granted to the user are not affected by logging in with a role.

More than one role can be granted to the same user but logging in with multiple roles simultaneously is not supported.

A role can be granted only to a user.

Please note:

  • When a GRANT statement is executed, the security database is not checked for the existence of the grantee user. This is not a bug: SQL permissions are concerned with controlling data access for authenticated users, both native and trusted, and trusted operating system users are not stored in the security database.

  • When granting a privilege to a database object, such as a procedure, trigger or view, you must specify the object type between the keyword TO and the object name.

  • Although the USER and ROLE keywords are optional, it is advisable to use them, in order to avoid ambiguity.

The User PUBLIC

Firebird has a predefined user named PUBLIC, that represents all users. Privileges for operations on a particular object that are granted to the user PUBLIC can be exercised by any user that has been authenticated at login.

If privileges are granted to the user PUBLIC, they should be revoked from the user PUBLIC as well.

The WITH GRANT OPTION Clause

The optional WITH GRANT OPTION clause allows the users specified in the user list to grant the privileges specified in the privilege list to other users.

It is possible to assign this option to the user PUBLIC. Do not do this!

The GRANTED BY Clause

By default, when privileges are granted in a database, the current user is recorded as the grantor. The GRANTED BY clause enables the current user to grant those privileges as another user.

If the REVOKE statement is used, it will fail if the current user is not the user that was named in the GRANTED BY clause.

The clauses GRANTED BY and AS can be used only by the database owner and administrators. The object owner cannot use it unless he also has administrator privileges.

Alternative Syntax Using AS *username*

The non-standard AS clause is supported as a synonym of the GRANTED BY clause to simplify migration from other database systems.

Privileges on Tables and Views

In theory, one GRANT statement grants one privilege to one user or object. In practice, the syntax allows multiple privileges to be granted to multiple users in one GRANT statement.

Syntax extract

  1. ...
  2. <privileges> ::= ALL [PRIVILEGES] | <privilege_list>
  4. <privilege_list> ::= {<privilege> [, <privilege> [,  ] ] }
  6. <privilege> ::=
  7.     SELECT
  8.   | DELETE
  9.   | INSERT
  10.   | UPDATE [(col [, col …])]
  11.   | REFERENCES [(col [, col …])]
Table 182. List of Privileges on Tables
PrivilegeDescription

SELECT

Permits the user or object to SELECT data from the table or view

INSERT

Permits the user or object to INSERT rows into the table or view

UPDATE

Permits the user or object to UPDATE rows in the table or view, optionally restricted to specific columns

col

(Optional) name of a column to which the user’s UPDATE or REFERENCES privilege is restricted

DELETE

Permits the user or object to DELETE rows from the table or view

REFERENCES

Permits the user or object to reference the table via a foreign key, optionally restricted to the specified columns. If the primary or unique key referenced by the foreign key of the other table is composite then all columns of the key must be specified.

ALL

Combines SELECT, INSERT, UPDATE, DELETE and REFERENCES privileges in a single package

Examples of GRANT <privilege> on Tables

  1. SELECT and INSERT privileges to the user ALEX:

    1. GRANT SELECT, INSERT ON TABLE SALES
    2.   TO USER ALEX;

  2. The SELECT privilege to the MANAGER, ENGINEER roles and to the user IVAN:

    1. GRANT SELECT ON TABLE CUSTOMER
    2.   TO ROLE MANAGER, ROLE ENGINEER, USER IVAN;

  3. All privileges to the ADMINISTRATOR role, together with the authority to grant the same privileges to others:

    1. GRANT ALL ON TABLE CUSTOMER
    2.   TO ROLE ADMINISTRATOR
    3.   WITH GRANT OPTION;

  4. The SELECT and REFERENCES privileges on the NAME column to all users and objects:

    1. GRANT SELECT, REFERENCES (NAME) ON TABLE COUNTRY
    2. TO PUBLIC;

  5. The SELECT privilege being granted to the user IVAN by the user ALEX:

    1. GRANT SELECT ON TABLE EMPLOYEE
    2.   TO USER IVAN
    3.   GRANTED BY ALEX;

  6. Granting the UPDATE privilege on the FIRST_NAME, LAST_NAME columns:

    1. GRANT UPDATE (FIRST_NAME, LAST_NAME) ON TABLE EMPLOYEE
    2.   TO USER IVAN;

  7. Granting the INSERT privilege to the stored procedure ADD_EMP_PROJ:

    1. GRANT INSERT ON EMPLOYEE_PROJECT
    2.   TO PROCEDURE ADD_EMP_PROJ;
The EXECUTE Privilege

The EXECUTE privilege applies to stored procedures. It allows the grantee to execute the stored procedure and, if applicable, to retrieve its output. In the case of selectable stored procedures, it acts somewhat like a SELECT privilege, insofar as this style of stored procedure is executed in response to a SELECT statement.

Example

Granting the EXECUTE privilege on a stored procedure to a role:

  1. GRANT EXECUTE ON PROCEDURE ADD_EMP_PROJ
  2.   TO ROLE MANAGER;
Assigning Roles

Assigning a role is similar to granting a privilege. One or more roles can be assigned to one or more users, including the user PUBLIC, using one GRANT statement.

The WITH ADMIN OPTION Clause

The optional WITH ADMIN OPTION clause allows the users specified in the user list to grant the role[s] specified to other users.

It is possible to assign this option to PUBLIC. Do not do this!

Examples of Role Assignment

  1. Assigning the DIRECTOR and MANAGER roles to the user IVAN:

    1. GRANT DIRECTOR, MANAGER TO USER IVAN;

  2. Assigning the ADMIN role to the user ALEX with the authority to assign this role to other users:

    1. GRANT MANAGER TO USER ALEX WITH ADMIN OPTION;

See also

REVOKE