GRANT

Synopsis

Use the GRANT statement to grant access privileges on database objects as well as to assign membership in roles.

Syntax

  1. grant_table ::= GRANT 
  2.                 { { SELECT
  3.                     | INSERT
  4.                     | UPDATE
  5.                     | DELETE
  6.                     | TRUNCATE
  7.                     | REFERENCES
  8.                     | TRIGGER } [ , ... ]
  9.                   | ALL [ PRIVILEGES ] } ON 
  10.                 { [ TABLE ] table_name [ , ... ]
  11.                   | ALL TABLES IN SCHEMA schema_name [ , ... ] } TO 
  12.                 grant_role_spec [ , ... ] [ WITH GRANT OPTION ]
  14. grant_table_col ::= GRANT 
  15.                     { { SELECT | INSERT | UPDATE | REFERENCES } ( 
  16.                       column_names ) [ ,(column_names ... ]
  17.                       | ALL [ PRIVILEGES ] ( column_names ) } ON 
  18.                     { [ TABLE ] table_name [ , ... ] } TO 
  19.                     grant_role_spec [ , ... ] [ WITH GRANT OPTION ]
  21. grant_seq ::= GRANT { { USAGE | SELECT | UPDATE } [ , ... ]
  22.                       | ALL [ PRIVILEGES ] } ON 
  23.               { SEQUENCE sequence_name [ , ... ]
  24.                 | ALL SEQUENCES IN SCHEMA schema_name 
  25.                   [ , sequence_name [ ... ] ] } TO grant_role_spec 
  26.               [ , ... ] [ WITH GRANT OPTION ]
  28. grant_db ::= GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [ , ... ]
  29.                      | ALL [ PRIVILEGES ] } ON DATABASE database_name 
  30.              [ , ... ] TO grant_role_spec [ , ... ] 
  31.              [ WITH GRANT OPTION ]
  33. grant_domain ::= GRANT { USAGE | ALL [ PRIVILEGES ] } ON DOMAIN 
  34.                  domain_name [ , ... ] TO grant_role_spec [ , ... ] 
  35.                  [ WITH GRANT OPTION ]
  37. grant_schema ::= GRANT { { CREATE | USAGE } [ , ... ]
  38.                          | ALL [ PRIVILEGES ] } ON SCHEMA schema_name 
  39.                  [ , ... ] TO grant_role_spec [ , ... ] 
  40.                  [ WITH GRANT OPTION ]
  42. grant_type ::= GRANT { USAGE | ALL [ PRIVILEGES ] } ON TYPE type_name 
  43.                [ , ... ] TO grant_role_spec [ , ... ] 
  44.                [ WITH GRANT OPTION ]
  46. grant_role ::= GRANT role_name [ , ... ] TO role_name [ , ... ] 
  47.                [ WITH ADMIN OPTION ]
  49. grant_role_spec ::= [ GROUP ] role_name
  50.                     | PUBLIC
  51.                     | CURRENT_USER
  52.                     | SESSION_USER

grant_table

GRANT - 图1

grant_table_col

GRANT - 图2

grant_seq

GRANT - 图3

grant_db

GRANT - 图4

grant_domain

GRANT - 图5

grant_schema

GRANT - 图6

grant_type

GRANT - 图7

grant_role

GRANT - 图8

grant_role_spec

GRANT - 图9

Semantics

GRANT can be used to assign privileges on database objects as well as memberships in roles.

GRANT on database objects

This variant of GRANT command is used to assign privileges on database objects to one or more roles.If keyword PUBLIC is used instead of role_name, then it means that the privileges are to be granted to all roles, including those that might be created later.

If WITH GRANT OPTION is specified, the recipient of the privilege can in turn grant it to others. Without a grant option, the recipient cannot do that. Grant options cannot be granted to PUBLIC.

There is no need to grant privileges to the owner of an object (usually the user that created it), as the owner has all privileges by default. (The owner could, however, choose to revoke some of their own privileges for safety.)

Possible privileges are

  • SELECT

    • This allows SELECT from any or specified columns of the specified table, view, or sequence. It also allows the use of COPY TO. This privilege is also needed to reference existing column values in UPDATE or DELETE.

  • INSERT

    • This allows INSERT of a new row into the specified table. If specific columns are listed, only those columns may be assigned to in the INSERT command (other columns will therefore receive default values). Also allows COPY FROM.

  • UPDATE

    • This allows UPDATE of any column, or the specific columns listed, of the specified table.

  • DELETE

    • This allows DELETE of a row from the specified table.

  • TRUNCATE

    • This allows TRUNCATE on the specified table.

  • REFERENCES

    • This allows creation of a foreign key constraint referencing the specified table, or specified columns of the table.

  • TRIGGER

    • This allows the creation of a trigger on the specified table.

  • CREATE

    • For databases, this allows new schemas to be created within the database.
    • For schemas, this allows new objects to be created within the schema. To rename an existing object, you must own the object and have this privilege for the containing schema.

  • CONNECT

    • This allows the user to connect to the specified database. This privilege is checked at connection startup.

  • TEMPORARY / TEMP

    • This allows temporary tables to be created while using the specified database.

  • EXECUTE

    • Allows the use of the specified function or procedure and the use of any operators that are implemented on top of the function.

  • USAGE

    • For schemas, this allows access to objects contained in the specified schema (assuming that the objects’ own privilege requirements are also met). Essentially this allows the grantee to “look up” objects within the schema.
    • For sequences, this privilege allows the use of the currval() and nextval() functions.
    • For types and domains, this privilege allows the use of the type or domain in the creation of tables, functions, and other schema objects.

  • ALL PRIVILEGES

    • Grant all privileges at once.

GRANT on roles

This variant of GRANT is used to grant membership in a role to one or more other roles.If WITH ADMIN OPTION is specified, the member can in turn grant membership in the role to others, and revoke membership in the role as well.

Examples

  • Grant SELECT privilege to all users on table ‘stores’
  1. yugabyte=# GRANT SELECT ON stores TO PUBLIC;
  • Add user John to SysAdmins group.
  1. yugabyte=# GRANT SysAdmins TO John;

See also