<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head profile="http://internetalchemy.org/2003/02/profile"> <link rel="foaf" type="application/rdf+xml" title="FOAF" href="http://www.openlinksw.com/dataspace/uda/about.rdf" /> <link rel="schema.dc" href="http://purl.org/dc/elements/1.1/" /> <meta name="dc.subject" content="SQL" /> <meta name="dc.subject" content="SQL Reference" /> <meta name="dc.subject" content="Select" /> <meta name="dc.subject" content="Update" /> <meta name="dc.subject" content="delete" /> <meta name="dc.subject" content="Select Statement" /> <meta name="dc.subject" content="SQL Syntax" /> <meta name="dc.subject" content="Syntax" /> <meta name="dc.title" content="8. SQL Reference" /> <meta name="dc.subject" content="8. SQL Reference" /> <meta name="dc.creator" content="OpenLink Software Documentation Team ; " /> <meta name="dc.copyright" content="OpenLink Software, 1999 - 2009" /> <link rel="top" href="index.html" title="OpenLink Virtuoso Universal Server: Documentation" /> <link rel="search" href="/doc/adv_search.vspx" title="Search OpenLink Virtuoso Universal Server: Documentation" /> <link rel="parent" href="sqlreference.html" title="Chapter Contents" /> <link rel="prev" href="spasviewsandtables.html" title="Stored Procedures as Views & Derived Tables" /> <link rel="next" href="SETstmt.html" title="SET Statement" /> <link rel="shortcut icon" href="../images/misc/favicon.ico" type="image/x-icon" /> <link rel="stylesheet" type="text/css" href="doc.css" /> <link rel="stylesheet" type="text/css" href="/doc/translation.css" /> <title>8. 
SQL Reference</title> <meta http-equiv="Content-Type" content="text/xhtml; charset=UTF-8" /> <meta name="author" content="OpenLink Software Documentation Team ; " /> <meta name="copyright" content="OpenLink Software, 1999 - 2009" /> <meta name="keywords" content="SQL; SQL Reference; Select; Update; delete; Select Statement; SQL Syntax; Syntax; " /> <meta name="GENERATOR" content="OpenLink XSLT Team" /> </head> <body> <div id="header"> <a name="GRANT" /> <img src="../images/misc/logo.jpg" alt="" /> <h1>8. SQL Reference</h1> </div> <div id="text"> <a name="GRANT" /> <h2>8.23. 
GRANT, REVOKE Statement</h2>
<div>
<pre class="programlisting">
privilege_def
	: GRANT ALL PRIVILEGES TO grantee
	| GRANT privileges ON table TO grantee_commalist opt_with_grant_option
	| GRANT grantee_commalist TO grantee_commalist opt_with_admin_option
	;

privilege_revoke
	: REVOKE ALL PRIVILEGES FROM grantee_commalist
	| REVOKE privileges ON table FROM grantee_commalist
	| REVOKE grantee_commalist FROM grantee_commalist
	;

opt_with_grant_option
	: /* empty */
	| WITH GRANT OPTION
	;

opt_with_admin_option
	: /* empty */
	| WITH ADMIN OPTION
	;

privileges
	: ALL PRIVILEGES
	| ALL
	| operation_commalist
	;

operation_commalist
	: operation
	| operation_commalist ',' operation
	;

operation
	: SELECT priv_opt_column_commalist
	| INSERT
	| DELETE
	| UPDATE priv_opt_column_commalist
	| REFERENCES opt_column_commalist
	| EXECUTE
	| REXECUTE
	| role_name
	;

grantee_commalist
	: grantee
	| grantee_commalist ',' grantee
	;

grantee
	: PUBLIC
	| user
	;

user : IDENTIFIER

role_name : IDENTIFIER
</pre>
</div>
<p> The GRANT and REVOKE statements define the privileges that users and user groups (roles) hold on resources. A resource is a table, view or stored procedure. A grantee can be PUBLIC, meaning all present and future user accounts, or a user name. Granting a privilege to a user name means that this user AND any users that have this user as their user group have the privilege. </p>
<p> Only a granted privilege can be revoked. The sequence: </p>
<div>
<pre class="programlisting">
grant select on employee to public;
revoke select (e_review) on employee from joe;
</pre>
</div>
<p> is invalid because the privilege being revoked was never granted; it was only implied by the grant of select on all columns to public. </p>
<p> Any role name created by the CREATE ROLE statement is a valid grantee and a valid grantable operation. </p>
<p> The term 'effective privilege of a user' means the set of privileges given to a user by virtue of: </p>
<ol>
<li>granting them to public;</li>
<li>granting them to a role that is granted either to the user or to another role that is directly or indirectly granted to the user; or</li>
<li>granting them to the specific user.</li>
</ol>
<p> The dba user and all users whose group is 'dba' have all privileges. </p>
<p> The phrase </p>
<div>
<pre class="programlisting">
GRANT ALL PRIVILEGES TO user;
</pre>
</div>
<p> is synonymous with setting the user's group to 'dba'. </p>
<p> The effective privileges inside a trigger are those of the owner of the table whose trigger is executing. The privilege of executing a trigger is derived from the privilege of performing the trigger action, e.g. update of a specific column. </p>
<p> The effective privilege inside a stored procedure is that of the owner of the procedure. The privilege to execute a given procedure is granted with the EXECUTE clause. </p>
<div class="note"> <div class="notetitle">Note:</div> <p>The grantee names are identifiers. This means that their case can be converted to upper case unless they are quoted. The identifier case conversion depends on the global CaseMode setting. </p> </div>
<p> A user may grant or revoke privileges on resources of which he/she is the owner. A user with effective dba privileges may manipulate any privileges. </p>
<div class="example"> <div class="exampletitle">Examples:</div>
<div>
<pre class="programlisting">
grant update ("Salary") on "Employees" to "Manager";
grant execute on "SalesReport" to "Accounting";
</pre>
</div>
</div>
<p> <strong>GRANT REFERENCES</strong> is the privilege a user needs on a table in order to create new tables whose foreign keys reference that table, where he/she would otherwise be restricted.</p>
<div class="formalpara"> <strong>Remote SQL Data Sources</strong> <p>To keep security over remote data consistent, only the DBA group is permitted to use <span class="computeroutput">rexecute()</span> unless the privilege is explicitly granted. Caution is required here, since any user granted use of <span class="computeroutput">rexecute()</span> has full control of the remote data source set up by the DBA, limited only by the overall abilities of the remote user on the remote data source.</p> </div>
<p>Users can be granted and denied access to <span class="computeroutput">rexecute()</span> using the following syntax:</p>
<div>
<pre class="programlisting">
GRANT REXECUTE ON '&lt;attached_dsn_name&gt;' TO &lt;user_name&gt;
REVOKE REXECUTE ON '&lt;attached_dsn_name&gt;' FROM &lt;user_name&gt;
</pre>
</div>
<div class="formalpara"> <strong>UDTs</strong> <p>Security of UDTs is maintained through normal SQL GRANT and REVOKE statements via a simple extension. You can define the level of access to both native and externally hosted UDTs. Grants for persistent user defined types are persisted into the SYS_GRANTS table. Grants on temporary user defined types are in-memory only and are lost (together with the temporary user defined type definition) when the server is restarted.</p> </div>
<p>There are two GRANT/REVOKE types for UDTs as follows:</p>
<ul>
<li> <strong>EXECUTE</strong> - all methods and members of a class are accessible to the grantee.</li>
<li> <strong>UNDER</strong> - the grantee can create subclasses of the class.</li>
</ul>
<div>
<pre class="programlisting">
GRANT/REVOKE EXECUTE on &lt;user_defined_type&gt;
GRANT/REVOKE UNDER on &lt;user_defined_type&gt;
</pre>
</div>
<div class="note"> <div class="notetitle">Note:</div> <p>SQL modules, user defined types and SQL stored procedures are exposed to GRANT/REVOKE in the same namespace, therefore care must be taken to avoid inadvertently granting to multiple objects at the same time.</p> </div>
<div class="tip"> <div class="tiptitle">See Also:</div> <p> <a href="databaseadmsrv.html#vdbSTOREDPROCS">Virtual Database Procedures & Functions</a> </p> </div>
<table border="0" width="90%" id="navbarbottom"> <tr> <td align="left" width="33%"> <a href="spasviewsandtables.html" title="Stored
Procedures as Views & Derived Tables">Previous</a> <br />Stored Procedures as Views & Derived Tables</td> <td align="center" width="34%"> <a href="sqlreference.html">Chapter Contents</a> </td> <td align="right" width="33%"> <a href="SETstmt.html" title="SET Statement">Next</a> <br />SET Statement</td> </tr> </table> </div> <div id="footer"> <div>Copyright© 1999 - 2009 OpenLink Software All rights reserved.</div> </div> </body> </html>
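The effective-privilege rules in the GRANT, REVOKE section above, modelled in Python as an added example for auditing grants; it is not OpenLink's code or Virtuoso's implementation. The `Grants` class, its method names and the role names `staff` and `managers` are assumptions made for illustration, and identifier case conversion is ignored.

```python
PUBLIC = "public"  # constructed model; all names here are assumptions
class Grants:
    def __init__(self):
        self.direct = {}     # grantee -> {(operation, table, column or None)}
        self.member_of = {}  # grantee -> roles or groups granted to it
    def grant(self, grantee, op, table, columns=(None,)):
        for col in columns:  # column None stands for the whole table
            self.direct.setdefault(grantee, set()).add((op, table, col))
    def grant_role(self, role, grantee):
        self.member_of.setdefault(grantee, set()).add(role)

    def revoke(self, grantee, op, table, columns=(None,)):
        # Only a privilege granted to this exact grantee can be revoked.
        held = self.direct.get(grantee, set())
        wanted = {(op, table, col) for col in columns}
        if not wanted <= held:
            return False     # rejected, nothing changes
        held -= wanted
        return True

    def sources(self, user):
        # PUBLIC, the user, and every role reachable directly or indirectly.
        seen, todo = {PUBLIC}, [user]
        while todo:
            name = todo.pop()
            if name not in seen:
                seen.add(name)
                todo.extend(self.member_of.get(name, ()))
        return seen

    def allowed(self, user, op, table, column=None):
        names = self.sources(user)
        held = set().union(*(self.direct.get(n, set()) for n in names))
        return ("dba" in names                 # the dba user or group 'dba'
                or (op, table, None) in held   # table-wide grant covers columns
                or (op, table, column) in held)

def invalid_sequence():
    g = Grants()
    g.grant(PUBLIC, "select", "employee")
    accepted = g.revoke("joe", "select", "employee", ["e_review"])
    return accepted, g.allowed("joe", "select", "employee", "e_review")

def column_scoped():
    g = Grants()             # no table-wide grant to PUBLIC this time
    g.grant("staff", "select", "employee", ["e_id", "e_name"])
    g.grant("managers", "select", "employee", ["e_review"])
    g.grant_role("staff", "managers")   # managers inherit staff's grants
    g.grant_role("staff", "joe")
    g.grant_role("managers", "ann")
    return g
```

In this model `invalid_sequence()` shows the revoke being rejected while joe still reads `e_review` through the grant to public. `column_scoped()` withholds the table-wide grant instead, so only members of `managers` reach that column.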