<!--
|
|
$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.13 2001/11/11 19:24:28 momjian Exp $
|
|
Postgres documentation
|
|
-->
|
|
|
|
<refentry id="SQL-GRANT">
|
|
<refmeta>
|
|
<refentrytitle>GRANT</refentrytitle>
|
|
<refmiscinfo>SQL - Language Statements</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>GRANT</refname>
|
|
<refpurpose>define access privileges</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<synopsis>
|
|
GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
|
|
ON [ TABLE ] <replaceable class="PARAMETER">objectname</replaceable> [, ...]
|
|
TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
|
</synopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1 id="sql-grant-description">
|
|
<title>Description</title>
|
|
|
|
<para>
|
|
The <command>GRANT</command> command gives specific permissions on
|
|
an object (table, view, sequence) to a user or a group of users.
|
|
The special key word <literal>PUBLIC</literal> indicates that the
|
|
privileges are to be granted to all users, including those that may
|
|
be created later.
|
|
</para>
|
|
|
|
<para>
|
|
Users other than the creator do not have any access privileges
on an object unless the creator grants them after the object has
been created.
|
|
There is no need to grant privileges to the creator of an object,
|
|
as the creator automatically holds all privileges, and can also
|
|
drop the object.
|
|
</para>
|
|
|
|
<para>
|
|
The possible privileges are:
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>SELECT</term>
|
|
<listitem>
|
|
<para>
|
|
Allows <xref linkend="sql-select"> from any column of the
|
|
specified table, view, or sequence. Also allows the use of
|
|
<xref linkend="sql-copy"> FROM.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>INSERT</term>
|
|
<listitem>
|
|
<para>
|
|
Allows <xref linkend="sql-insert"> of a new row into the
|
|
specified table. Also allows <xref linkend="sql-copy"> TO.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>UPDATE</term>
|
|
<listitem>
|
|
<para>
|
|
Allows <xref linkend="sql-update"> of any column of the
|
|
specified table. <literal>SELECT ... FOR UPDATE</literal>
|
|
also requires this privilege (besides the
|
|
<literal>SELECT</literal> privilege). For sequences, this
|
|
privilege allows the use of <function>currval</function> and
|
|
<function>nextval</function>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>DELETE</term>
|
|
<listitem>
|
|
<para>
|
|
Allows the <xref linkend="sql-delete"> of a row from the
|
|
specified table.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>RULE</term>
|
|
<listitem>
|
|
<para>
|
|
Allows the creation of a rule on the table/view. (See the <xref
linkend="sql-createrule"> statement.)
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>REFERENCES</term>
|
|
<listitem>
|
|
<para>
|
|
To create a table with a foreign key constraint, it is
|
|
necessary to have this privilege on the table with the primary
|
|
key.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>TRIGGER</term>
|
|
<listitem>
|
|
<para>
|
|
Allows the creation of a trigger on the specified table. (See the
<xref linkend="sql-createtrigger"> statement.)
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>ALL PRIVILEGES</term>
|
|
<listitem>
|
|
<para>
|
|
Grant all of the above privileges at once. The
|
|
<literal>PRIVILEGES</literal> key word is optional, but it is
|
|
required by strict SQL.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
The privileges required by other commands are listed on the
|
|
reference page of the respective command.
|
|
</para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1 id="SQL-GRANT-notes">
|
|
<title>Notes</title>
|
|
|
|
<para>
|
|
Currently, to grant privileges in <productname>Postgres</productname>
on only a few columns of a table, you must
create a view having the desired columns and then grant privileges
on that view.
|
|
</para>
|
|
|
|
<para>
|
|
Use <xref linkend="app-psql">'s <command>\z</command> command
|
|
to obtain information about privileges
|
|
on existing objects:
|
|
<programlisting>
|
|
Database = lusitania
|
|
+------------------+---------------------------------------------+
|
|
| Relation | Grant/Revoke Permissions |
|
|
+------------------+---------------------------------------------+
|
|
| mytable | {"=rw","miriam=arwdRxt","group todos=rw"} |
|
|
+------------------+---------------------------------------------+
|
|
Legend:
|
|
uname=arwR -- privileges granted to a user
|
|
group gname=arwR -- privileges granted to a group
|
|
=arwR -- privileges granted to PUBLIC
|
|
|
|
r -- SELECT ("read")
|
|
w -- UPDATE ("write")
|
|
a -- INSERT ("append")
|
|
d -- DELETE
|
|
R -- RULE
|
|
x -- REFERENCES
|
|
t -- TRIGGER
|
|
arwdRxt -- ALL PRIVILEGES
|
|
</programlisting>
|
|
</para>
|
|
|
|
<para>
|
|
The <xref linkend="sql-revoke"> command is used to revoke access
|
|
privileges.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id="sql-grant-examples">
|
|
<title>Examples</title>
|
|
|
|
<para>
|
|
Grant insert privilege to all users on table films:
|
|
|
|
<programlisting>
|
|
GRANT INSERT ON films TO PUBLIC;
|
|
</programlisting>
|
|
</para>
|
|
|
|
<para>
|
|
Grant all privileges to user manuel on view kinds:
|
|
|
|
<programlisting>
|
|
GRANT ALL PRIVILEGES ON kinds TO manuel;
|
|
</programlisting>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id="sql-grant-compatibility">
|
|
<title>Compatibility</title>
|
|
|
|
<refsect2>
|
|
<title>SQL92</title>
|
|
|
|
<para>
|
|
The <literal>PRIVILEGES</literal> key word in <literal>ALL
|
|
PRIVILEGES</literal> is required. <acronym>SQL</acronym> does not
|
|
support setting the privileges on more than one table per command.
|
|
</para>
|
|
|
|
<para>
|
|
The <acronym>SQL92</acronym> syntax for GRANT allows setting
privileges for individual columns within a table, and allows
granting a privilege together with the right to grant that same
privilege to others (<literal>WITH GRANT OPTION</literal>):
|
|
|
|
<synopsis>
|
|
GRANT <replaceable class="PARAMETER">privilege</replaceable> [, ...]
|
|
ON <replaceable class="PARAMETER">object</replaceable> [ ( <replaceable class="PARAMETER">column</replaceable> [, ...] ) ] [, ...]
|
|
TO { PUBLIC | <replaceable class="PARAMETER">username</replaceable> [, ...] } [ WITH GRANT OPTION ]
|
|
</synopsis>
|
|
</para>
|
|
|
|
<para>
|
|
<acronym>SQL</acronym> allows granting the USAGE privilege on
|
|
other kinds of objects: CHARACTER SET, COLLATION, TRANSLATION, DOMAIN.
|
|
</para>
|
|
|
|
<para>
|
|
The TRIGGER privilege was introduced in SQL99. The RULE privilege
|
|
is a PostgreSQL extension.
|
|
</para>
|
|
</refsect2>
|
|
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
|
|
<simpara>
|
|
<xref linkend="sql-revoke">
|
|
</simpara>
|
|
</refsect1>
|
|
|
|
</refentry>
|
|
|
|
<!-- Keep this comment at the end of the file
|
|
Local variables:
|
|
mode: sgml
|
|
sgml-omittag:nil
|
|
sgml-shorttag:t
|
|
sgml-minimize-attributes:nil
|
|
sgml-always-quote-attributes:t
|
|
sgml-indent-step:1
|
|
sgml-indent-data:t
|
|
sgml-parent-document:nil
|
|
sgml-default-dtd-file:"../reference.ced"
|
|
sgml-exposed-tags:nil
|
|
sgml-local-catalogs:"/usr/lib/sgml/catalog"
|
|
sgml-local-ecat-files:nil
|
|
End:
|
|
-->
|