This variant of the GRANT command gives specific privileges on a database object to one or more roles. These privileges are added to those already granted, if any.

The key word PUBLIC indicates that the privileges are to be granted to all roles, including those that might be created later. PUBLIC can be thought of as an implicitly defined group that always includes all roles. Any particular role will have the sum of privileges granted directly to it, privileges granted to any role it is presently a member of, and privileges granted to PUBLIC.

If WITH GRANT OPTION is specified, the recipient of the privilege can in turn grant it to others. Without a grant option, the recipient cannot do that. Grant options cannot be granted to PUBLIC.

If GRANTED BY is specified, the specified grantor must be the current user. This clause is currently present in this form only for SQL compatibility.

There is no need to grant privileges to the owner of an object (usually the user that created it), as the owner has all privileges by default. (The owner could, however, choose to revoke some of their own privileges for safety.)

The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked. (However, a similar effect can be obtained by granting or revoking membership in the role that owns the object; see below.) The owner implicitly has all grant options for the object, too.

Specific types of privileges, as defined in Section 5.7.

Grant all of the privileges available for the object's type. The PRIVILEGES key word is optional in PostgreSQL, though it is required by strict SQL.

The FUNCTION syntax works for plain functions, aggregate functions, and window functions, but not for procedures; use PROCEDURE for those. Alternatively, use ROUTINE to refer to a function, aggregate function, window function, or procedure regardless of its precise type.

There is also an option to grant privileges on all objects of the same type within one or more schemas. This functionality is currently supported only for tables, sequences, functions, and procedures. ALL TABLES also affects views and foreign tables, just like the specific-object GRANT command. ALL FUNCTIONS also affects aggregate and window functions, but not procedures, again just like the specific-object GRANT command.

This variant of the GRANT command grants membership in a role to one or more other roles. Membership in a role is significant because it conveys the privileges granted to a role to each of its members.

If WITH ADMIN OPTION is specified, the member can in turn grant membership in the role to others, and revoke membership in the role as well. Without the admin option, ordinary users cannot do that. A role is not considered to hold WITH ADMIN OPTION on itself. Database superusers can grant or revoke membership in any role to anyone. Roles having CREATEROLE privilege can grant or revoke membership in any role that is not a superuser.

If GRANTED BY is specified, the grant is recorded as having been done by the specified role. Only database superusers may use this option, except when it names the same role executing the command.

Unlike the case with privileges, membership in a role cannot be granted to PUBLIC. Note also that this form of the command does not allow the noise word GROUP in role_specification.

The REVOKE command is used to revoke access privileges.

Since PostgreSQL 8.1, the concepts of users and groups have been unified into a single kind of entity called a role. It is therefore no longer necessary to use the keyword GROUP to identify whether a grantee is a user or a group. GROUP is still allowed in the command, but it is a noise word.

A user may perform SELECT, INSERT, etc. on a column if they hold that privilege for either the specific column or its whole table.