database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2026-01-05 23:38:41 +03:00
Code Activity

Make UPDATE and DELETE privileges distinct. Add REFERENCES and TRIGGER

Browse Source 
privileges.  INSERT and COPY FROM now require INSERT (only).  Add
privileges regression test.
This commit is contained in:
Peter Eisentraut
2001-05-27 09:59:30 +00:00
parent 52350c7ad9
commit 96147a6d1c
26 changed files with 725 additions and 827 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
doc/src/sgml/ref/copy.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/copy.sgml,v 1.20 2001/01/13 23:58:55 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/copy.sgml,v 1.21 2001/05/27 09:59:27 petere Exp $
Postgres documentation
-->
<refentry id="SQL-COPY">
<refmeta>
<refentrytitle id="sql-copy-title">
COPY
</refentrytitle>
<refentrytitle id="sql-copy-title">COPY</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>

6
doc/src/sgml/ref/create_rule.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_rule.sgml,v 1.22 2001/01/13 23:58:55 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_rule.sgml,v 1.23 2001/05/27 09:59:27 petere Exp $
Postgres documentation
-->
<refentry id="SQL-CREATERULE">
<refmeta>
<refentrytitle id="sql-createrule-title">
CREATE RULE
</refentrytitle>
<refentrytitle id="sql-createrule-title">CREATE RULE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>

6
doc/src/sgml/ref/create_trigger.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_trigger.sgml,v 1.12 2000/10/05 19:48:18 momjian Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/create_trigger.sgml,v 1.13 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-CREATETRIGGER">
<refmeta>
<refentrytitle id="SQL-CREATETRIGGER-TITLE">
CREATE TRIGGER
</refentrytitle>
<refentrytitle id="SQL-CREATETRIGGER-TITLE">CREATE TRIGGER</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>

6
doc/src/sgml/ref/delete.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/delete.sgml,v 1.12 2001/01/13 23:58:55 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/delete.sgml,v 1.13 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-DELETE">
<refmeta>
<refentrytitle id="SQL-DELETE-TITLE">
DELETE
</refentrytitle>
<refentrytitle id="SQL-DELETE-TITLE">DELETE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>

555
doc/src/sgml/ref/grant.sgml
View File

@@ -1,444 +1,253 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.9 2000/10/05 19:48:18 momjian Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.10 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-GRANT">
<refmeta>
<refentrytitle id="SQL-GRANT-TITLE">
GRANT
</refentrytitle>
<refentrytitle>GRANT</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
GRANT
</refname>
<refpurpose>
Grants access privilege to a user, a group or all users
</refpurpose>
<refname>GRANT</refname>
<refpurpose>Grants access privileges to a user, a group, or all users</refpurpose>
</refnamediv>
<refsynopsisdiv>
<refsynopsisdivinfo>
<date>1999-07-20</date>
</refsynopsisdivinfo>
<synopsis>
GRANT <replaceable class="PARAMETER">privilege</replaceable> [, ...] ON <replaceable class="PARAMETER">object</replaceable> [, ...]
TO { PUBLIC | GROUP <replaceable class="PARAMETER">group</replaceable> | <replaceable class="PARAMETER">username</replaceable> }
</synopsis>
<refsect2 id="R2-SQL-GRANT-1">
<refsect2info>
<date>1998-09-23</date>
</refsect2info>
<title>
Inputs
</title>
<para>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">privilege</replaceable></term>
<listitem>
<para>
The possible privileges are:
<variablelist>
<varlistentry>
<term>SELECT</term>
<listitem>
<para>
Access all of the columns of a specific
table/view.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INSERT</term>
<listitem>
<para>
Insert data into all columns of a
specific table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>
Update all columns of a specific
table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DELETE</term>
<listitem>
<para>
Delete rows from a specific table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RULE</term>
<listitem>
<para>
Define rules on the table/view
(See CREATE RULE statement).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ALL</term>
<listitem>
<para>
Grant all privileges.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">object</replaceable></term>
<listitem>
<para>
The name of an object to which to grant access.
The possible objects are:
<itemizedlist spacing="compact" mark="bullet">
<listitem>
<para>
table
</para>
</listitem>
<listitem>
<para>
view
</para>
</listitem>
<listitem>
<para>
sequence
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PUBLIC</term>
<listitem>
<para>
A short form representing all users.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>GROUP <replaceable class="PARAMETER">group</replaceable></term>
<listitem>
<para>
A <replaceable class="PARAMETER">group</replaceable> to whom to grant privileges.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<replaceable class="PARAMETER">username</replaceable>
</term>
<listitem>
<para>
The name of a user to whom to grant privileges. PUBLIC is a short form
representing all users.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
<refsect2 id="R2-SQL-GRANT-2">
<refsect2info>
<date>1998-09-23</date>
</refsect2info>
<title>
Outputs
</title>
<para>
<variablelist>
<varlistentry>
<term><computeroutput>
CHANGE
</computeroutput></term>
<listitem>
<para>
Message returned if successful.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><computeroutput>
ERROR: ChangeAcl: class "<replaceable class="PARAMETER">object</replaceable>" not found
</computeroutput></term>
<listitem>
<para>
Message returned if the specified object is not available or
if it is impossible
to give privileges to the specified group or users.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
<synopsis>
GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] <replaceable class="PARAMETER">objectname</replaceable> [, ...]
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC }
</synopsis>
</refsynopsisdiv>
<refsect1 id="R1-SQL-GRANT-1">
<refsect1info>
<date>1998-09-23</date>
</refsect1info>
<title>
Description
</title>
<refsect1 id="sql-grant-description">
<title>Description</title>
<para>
<command>GRANT</command> allows the creator of an object to give specific permissions to
all users (PUBLIC) or to a certain user or group.
Users other than the creator don't have any access permission
unless the creator GRANTs permissions, after the object
is created.
The <command>GRANT</command> command gives specific permissions on
an object (table, view, sequence) to a user or a group of users.
The special key word <literal>PUBLIC</literal> indicates that the
privileges are to be granted to all users, including those that may
be created later.
</para>
<para>
Once a user has a privilege on an object, he is enabled to exercise
that privilege.
There is no need to GRANT privileges to the creator of
an object, the creator automatically holds ALL privileges, and can
also drop the object.
Users other than the creator do not have any access privileges
unless the creator grants permissions, after the object is created.
There is no need to grant privileges to the creator of an object,
as the creator automatically holds all privileges, and can also
drop the object.
</para>
<refsect2 id="R2-SQL-GRANT-3">
<refsect2info>
<date>1998-09-23</date>
</refsect2info>
<title>
Notes
</title>
<para>
The possible privileges are:
<variablelist>
<varlistentry>
<term>SELECT</term>
<listitem>
<para>
Allows <xref linkend="sql-select"> from any column of the
specified table, view, or sequence. Also allows the use of
<xref linkend="sql-copy"> FROM.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INSERT</term>
<listitem>
<para>
Allows <xref linkend="sql-insert"> of a new row into the
specified table. Also allows <xref linkend="sql-copy"> TO.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>
Allows <xref linkend="sql-update"> of any column of the
specified table. <literal>SELECT ... FOR UPDATE</literal>
also requires this privilege (besides the
<literal>SELECT</literal> privilege). For sequences, this
privilege allows the use of <function>currval</function> and
<function>nextval</function>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DELETE</term>
<listitem>
<para>
Allows the <xref linkend="sql-delete"> of a row from the
specified table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RULE</term>
<listitem>
<para>
Allows the creation of a rule on the table/view. (See <xref
linkend="sql-createrule"> statement).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>REFERENCES</term>
<listitem>
<para>
To create of a table with a foreign key constraint, it is
necessary to have this privilege on the table with the primary
key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>TRIGGER</term>
<listitem>
<para>
Allows the creation of a trigger on the specified table. (See
<xref linkend="sql-createtrigger"> statement).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ALL PRIVILEGES</term>
<listitem>
<para>
Grant all of the above privileges at once. The
<literal>PRIVILEGES</literal> key word is optional, but it is
required by strict SQL.
</para>
</listitem>
</varlistentry>
</variablelist>
The privileges required by other commands are listed on the
reference page of the respective command.
</para>
</refsect1>
<refsect1 id="SQL-GRANT-notes">
<title>Notes</title>
<para>
Currently, to grant privileges in <productname>Postgres</productname>
to only a few columns, you must
create a view having desired columns and then grant privileges
create a view having the desired columns and then grant privileges
to that view.
</para>
<para>
Use <command>psql \z</command>
for further information about permissions
Use <xref linkend="app-psql">'s <command>\z</command> command
to obtain information about privileges
on existing objects:
<programlisting>
Database = lusitania
<programlisting>
Database = lusitania
+------------------+---------------------------------------------+
| Relation | Grant/Revoke Permissions |
+------------------+---------------------------------------------+
| mytable | {"=rw","miriam=arwR","group todos=rw"} |
| mytable | {"=rw","miriam=arwdRxt","group todos=rw"} |
+------------------+---------------------------------------------+
Legend:
uname=arwR -- privileges granted to a user
group gname=arwR -- privileges granted to a GROUP
group gname=arwR -- privileges granted to a group
=arwR -- privileges granted to PUBLIC
r -- SELECT
w -- UPDATE/DELETE
a -- INSERT
r -- SELECT ("read")
w -- UPDATE ("write")
a -- INSERT ("append")
d -- DELETE
R -- RULE
arwR -- ALL
</programlisting>
x -- REFERENCES
t -- TRIGGER
arwdRxt -- ALL PRIVILEGES
</programlisting>
</para>
<para>
Refer to REVOKE statements to revoke access privileges.
The <xref linkend="sql-revoke"> command is used to revoke access
privileges.
</para>
</refsect2>
</refsect1>
<refsect1 id="R1-SQL-GRANT-2">
<title>
Usage
</title>
<refsect1 id="sql-grant-examples">
<title>Examples</title>
<para>
Grant insert privilege to all users on table films:
<programlisting>
<programlisting>
GRANT INSERT ON films TO PUBLIC;
</programlisting>
</programlisting>
</para>
<para>
Grant all privileges to user manuel on view kinds:
<programlisting>
GRANT ALL ON kinds TO manuel;
</programlisting>
<programlisting>
GRANT ALL PRIVILEGES ON kinds TO manuel;
</programlisting>
</para>
</refsect1>
<refsect1 id="R1-SQL-GRANT-3">
<title>
Compatibility
</title>
<refsect1 id="sql-grant-compatibility">
<title>Compatibility</title>
<refsect2 id="R2-SQL-GRANT-4">
<refsect2info>
<date>1998-09-23</date>
</refsect2info>
<title>
SQL92
</title>
<para>
The <acronym>SQL92</acronym> syntax for GRANT allows setting privileges
for individual columns
within a table, and allows setting a privilege to grant
the same privileges to others:
<refsect2>
<title>SQL92</title>
<synopsis>
<para>
The <literal>PRIVILEGES</literal> key word in <literal>ALL
PRIVILEGES</literal> is required. <acronym>SQL</acronym> does not
support setting the privileges on more than one table per command.
</para>
<para>
The <acronym>SQL92</acronym> syntax for GRANT allows setting
privileges for individual columns within a table, and allows
setting a privilege to grant the same privileges to others:
<synopsis>
GRANT <replaceable class="PARAMETER">privilege</replaceable> [, ...]
ON <replaceable class="PARAMETER">object</replaceable> [ ( <replaceable class="PARAMETER">column</replaceable> [, ...] ) ] [, ...]
TO { PUBLIC | <replaceable class="PARAMETER">username</replaceable> [, ...] } [ WITH GRANT OPTION ]
</synopsis>
</synopsis>
</para>
<para>
Fields are compatible with those in the <acronym>Postgres</acronym>
implementation, with the following additions:
<acronym>SQL</acronym> allows to grant the USAGE privilege on
other kinds of objects: CHARACTER SET, COLLATION, TRANSLATION, DOMAIN.
</para>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">privilege</replaceable></term>
<listitem>
<para>
<acronym>SQL92</acronym> permits additional privileges to be specified:
<variablelist>
<varlistentry>
<term>SELECT</term>
<listitem>
<para>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>REFERENCES</term>
<listitem>
<para>
Allowed to reference some or all of the columns of a specific
table/view in integrity constraints.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USAGE</term>
<listitem>
<para>
Allowed to use a domain, character set, collation
or translation.
If an object specifies anything other than a table/view,
<replaceable class="PARAMETER">privilege</replaceable>
must specify only USAGE.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">object</replaceable></term>
<listitem>
<para>
<variablelist>
<varlistentry>
<term>[ TABLE ] <replaceable class="PARAMETER">table</replaceable></term>
<listitem>
<para>
<acronym>SQL92</acronym> allows the additional
non-functional keyword <literal>TABLE</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CHARACTER SET</term>
<listitem>
<para>
Allowed to use the specified character set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>COLLATION</term>
<listitem>
<para>
Allowed to use the specified collation sequence.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>TRANSLATION</term>
<listitem>
<para>
Allowed to use the specified character set translation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DOMAIN</term>
<listitem>
<para>
Allowed to use the specified domain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>WITH GRANT OPTION</term>
<listitem>
<para>
Allowed to grant the same privilege to others.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
The TRIGGER privilege was introduced in SQL99. The RULE privilege
is a PostgreSQL extension.
</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<simpara>
<xref linkend="sql-revoke">
</simpara>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file

6
doc/src/sgml/ref/insert.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/insert.sgml,v 1.13 2001/01/13 23:58:55 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/insert.sgml,v 1.14 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-INSERT">
<refmeta>
<refentrytitle id="SQL-INSERT-TITLE">
INSERT
</refentrytitle>
<refentrytitle id="SQL-INSERT-TITLE">INSERT</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>

6
doc/src/sgml/ref/psql-ref.sgml
View File

@@ -1,5 +1,5 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/psql-ref.sgml,v 1.53 2001/05/17 21:50:18 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/psql-ref.sgml,v 1.54 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
@@ -1187,8 +1187,8 @@ Access permissions for database "test"
</para>
<para>
The commands <xref linkend="SQL-GRANT" endterm="SQL-GRANT-title"> and
<xref linkend="SQL-REVOKE" endterm="SQL-REVOKE-title">
The commands <xref linkend="SQL-GRANT"> and
<xref linkend="SQL-REVOKE">
are used to set access permissions.
</para>

396
doc/src/sgml/ref/revoke.sgml
View File

@@ -1,379 +1,96 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.13 2000/12/25 23:15:26 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.14 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-REVOKE">
<refmeta>
<refentrytitle id="SQL-REVOKE-TITLE">
REVOKE
</refentrytitle>
<refentrytitle>REVOKE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
REVOKE
</refname>
<refpurpose>
Revokes access privilege from a user, a group or all users.
</refpurpose>
<refname>REVOKE</refname>
<refpurpose>Revokes access privilege from a user, a group, or all users.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<refsynopsisdivinfo>
<date>1999-07-20</date>
</refsynopsisdivinfo>
<synopsis>
REVOKE <replaceable class="PARAMETER">privilege</replaceable> [, ...]
ON <replaceable class="PARAMETER">object</replaceable> [, ...]
FROM { PUBLIC | GROUP <replaceable class="PARAMETER">groupname</replaceable> | <replaceable class="PARAMETER">username</replaceable> }
</synopsis>
<refsect2 id="R2-SQL-REVOKE-1">
<refsect2info>
<date>1998-09-24</date>
</refsect2info>
<title>
Inputs
</title>
<para>
<variablelist>
<varlistentry>
<term><replaceable class="PARAMETER">privilege</replaceable></term>
<listitem>
<para>
The possible privileges are:
<variablelist>
<varlistentry>
<term>SELECT</term>
<listitem>
<para>
Privilege to access all of the columns of a specific
table/view.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INSERT</term>
<listitem>
<para>
Privilege to insert data into all columns of a
specific table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>
Privilege to update all columns of a specific
table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>DELETE</term>
<listitem>
<para>
Privilege to delete rows from a specific table.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RULE</term>
<listitem>
<para>
Privilege to define rules on table/view.
(See
<xref linkend="sql-createrule" endterm="sql-createrule-title">).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ALL</term>
<listitem>
<para>
Rescind all privileges.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">object</replaceable></term>
<listitem>
<para>
The name of an object from which to revoke access.
The possible objects are:
<itemizedlist spacing="compact" mark="bullet">
<listitem>
<para>
table
</para>
</listitem>
<listitem>
<para>
view
</para>
</listitem>
<listitem>
<para>
sequence
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">group</replaceable></term>
<listitem>
<para>
The name of a group from whom to revoke privileges.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><replaceable class="PARAMETER">username</replaceable></term>
<listitem>
<para>
The name of a user from whom revoke privileges. Use the PUBLIC keyword
to specify all users.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PUBLIC</term>
<listitem>
<para>
Rescind the specified privilege(s) for all users.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
<refsect2 id="R2-SQL-REVOKE-2">
<refsect2info>
<date>1998-09-24</date>
</refsect2info>
<title>
Outputs
</title>
<para>
<variablelist>
<varlistentry>
<term><computeroutput>
CHANGE
</computeroutput></term>
<listitem>
<para>
Message returned if successfully.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><computeroutput>
ERROR
</computeroutput></term>
<listitem>
<para>
Message returned if object is not available or impossible
to revoke privileges from a group or users.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect2>
<synopsis>
REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] <replaceable class="PARAMETER">object</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC }
</synopsis>
</refsynopsisdiv>
<refsect1 id="R1-SQL-REVOKE-1">
<refsect1info>
<date>1998-09-24</date>
</refsect1info>
<title>
Description
</title>
<refsect1 id="SQL-REVOKE-description">
<title>Description</title>
<para>
<command>REVOKE</command> allows creator of an object to revoke permissions granted
before, from all users (via PUBLIC) or a certain user or group.
<command>REVOKE</command> allows the creator of an object to revoke
permissions granted before, from a users or a group of users. The
key word <literal>PUBLIC</literal> means to revoke this privilege
from all users.
</para>
<refsect2 id="R2-SQL-REVOKE-3">
<refsect2info>
<date>1998-09-24</date>
</refsect2info>
<title>
Notes
</title>
<para>
Refer to psql \z command for further information about permissions
on existing objects:
<programlisting>
Database = lusitania
+------------------+---------------------------------------------+
| Relation | Grant/Revoke Permissions |
+------------------+---------------------------------------------+
| mytable | {"=rw","miriam=arwR","group todos=rw"} |
+------------------+---------------------------------------------+
Legend:
uname=arwR -- privileges granted to a user
group gname=arwR -- privileges granted to a GROUP
=arwR -- privileges granted to PUBLIC
r -- SELECT
w -- UPDATE/DELETE
a -- INSERT
R -- RULE
arwR -- ALL
</programlisting>
</para>
<tip>
<para>
Currently, to create a GROUP you have to insert
data manually into table pg_group as:
<programlisting>
INSERT INTO pg_group VALUES ('todos');
CREATE USER miriam IN GROUP todos;
</programlisting>
</para>
</tip>
</refsect2>
<para>
See the description of the <xref linkend="sql-grant"> command for
the meaning of the privilege types.
</para>
</refsect1>
<refsect1 id="R1-SQL-REVOKE-2">
<title>
Usage
</title>
<refsect1 id="SQL-REVOKE-notes">
<title>Notes</title>
<para>
Use <xref linkend="app-psql">'s <command>\z</command> command to
display the privileges granted on existing objects. See also <xref
linkend="sql-grant"> for information about the format.
</para>
</refsect1>
<refsect1 id="SQL-REVOKE-examples">
<title>Examples</title>
<para>
Revoke insert privilege from all users on table
<literal>films</literal>:
<programlisting>
<programlisting>
REVOKE INSERT ON films FROM PUBLIC;
</programlisting>
</programlisting>
</para>
<para>
Revoke all privileges from user <literal>manuel</literal> on view <literal>kinds</literal>:
<programlisting>
REVOKE ALL ON kinds FROM manuel;
</programlisting>
<programlisting>
REVOKE ALL PRIVILEGES ON kinds FROM manuel;
</programlisting>
</para>
</refsect1>
<refsect1 id="R1-SQL-REVOKE-3">
<title>
Compatibility
</title>
<refsect1 id="SQL-REVOKE-compatibility">
<title>Compatibility</title>
<refsect2 id="R2-SQL-REVOKE-4">
<refsect2info>
<date>1998-09-01</date>
</refsect2info>
<title>
SQL92
</title>
<refsect2>
<title>SQL92</title>
<para>
The SQL92 syntax for <command>REVOKE</command>
has additional capabilities for rescinding
privileges, including those on individual columns in tables:
The compatibility notes of the <xref linkend="sql-grant"> command
apply analogously to <command>REVOKE</command>. The syntax summary is:
<variablelist>
<varlistentry>
<term>
<synopsis>
REVOKE { SELECT | DELETE | USAGE | ALL PRIVILEGES } [, ...]
ON <replaceable class="parameter">object</replaceable>
FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
REVOKE { INSERT | UPDATE | REFERENCES } [, ...] [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
ON <replaceable class="parameter">object</replaceable>
FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
</synopsis>
</term>
<listitem>
<para>
Refer to
<xref linkend="sql-grant" endterm="sql-grant-title">
for details on individual fields.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<synopsis>
REVOKE GRANT OPTION FOR <replaceable class="parameter">privilege</replaceable> [, ...]
ON <replaceable class="parameter">object</replaceable>
FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
</synopsis>
</term>
<listitem>
<para>
Rescinds authority for a user to grant the specified privilege
to others.
Refer to
<xref linkend="sql-grant" endterm="sql-grant-title">
for details on individual fields.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
The possible objects are:
<simplelist>
<member>
[ TABLE ] table/view
</member>
<member>
CHARACTER SET character-set
</member>
<member>
COLLATION collation
</member>
<member>
TRANSLATION translation
</member>
<member>
DOMAIN domain
</member>
</simplelist>
<synopsis>
REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
ON <replaceable class="parameter">object</replaceable> [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] }
{ RESTRICT | CASCADE }
</synopsis>
</para>
<para>
If user1 gives a privilege WITH GRANT OPTION to user2,
and user2 gives it to user3 then user1 can revoke
this privilege in cascade using the CASCADE keyword.
</para>
<para>
If user1 gives a privilege WITH GRANT OPTION to user2,
and user2 gives it to user3, then if user1 tries to revoke
this privilege it fails if he specify the RESTRICT
@@ -381,6 +98,15 @@ REVOKE GRANT OPTION FOR <replaceable class="parameter">privilege</replaceable> [
</para>
</refsect2>
</refsect1>
<refsect1>
<title>See Also</title>
<simpara>
<xref linkend="sql-grant">
</simpara>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file

6
doc/src/sgml/ref/select.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/select.sgml,v 1.40 2001/03/24 23:03:26 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/select.sgml,v 1.41 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-SELECT">
<refmeta>
<refentrytitle id="sql-select-title">
SELECT
</refentrytitle>
<refentrytitle id="sql-select-title">SELECT</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>

6
doc/src/sgml/ref/update.sgml
View File

@@ -1,13 +1,11 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/update.sgml,v 1.14 2001/01/13 23:58:55 petere Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/ref/update.sgml,v 1.15 2001/05/27 09:59:28 petere Exp $
Postgres documentation
-->
<refentry id="SQL-UPDATE">
<refmeta>
<refentrytitle id="SQL-UPDATE-TITLE">
UPDATE
</refentrytitle>
<refentrytitle id="SQL-UPDATE-TITLE">UPDATE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>