<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Privileges</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 8.0.11 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Data Definition"
HREF="ddl.html"><LINK
REL="PREVIOUS"
TITLE="Modifying Tables"
HREF="ddl-alter.html"><LINK
REL="NEXT"
TITLE="Schemas"
HREF="ddl-schemas.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2007-02-02T03:57:22"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="5"
ALIGN="center"
VALIGN="bottom"
>PostgreSQL 8.0.11 Documentation</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl-alter.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl.html"
>Fast Backward</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Data Definition</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="top"
><A
HREF="ddl.html"
>Fast Forward</A
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="top"
><A
HREF="ddl-schemas.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="DDL-PRIV"
>5.7. Privileges</A
></H1
><A
NAME="AEN2358"
></A
><A
NAME="AEN2360"
></A
><P
>   When you create a database object, you become its owner.  By
   default, only the owner of an object can do anything with the
   object. In order to allow other users to use it,
   <I
CLASS="FIRSTTERM"
>privileges</I
> must be granted.  (However,
   users that have the superuser attribute can always
   access any object.)
  </P
><P
>   There are several different privileges: <TT
CLASS="LITERAL"
>SELECT</TT
>,
   <TT
CLASS="LITERAL"
>INSERT</TT
>, <TT
CLASS="LITERAL"
>UPDATE</TT
>, <TT
CLASS="LITERAL"
>DELETE</TT
>,
   <TT
CLASS="LITERAL"
>RULE</TT
>, <TT
CLASS="LITERAL"
>REFERENCES</TT
>, <TT
CLASS="LITERAL"
>TRIGGER</TT
>,
   <TT
CLASS="LITERAL"
>CREATE</TT
>, <TT
CLASS="LITERAL"
>TEMPORARY</TT
>, <TT
CLASS="LITERAL"
>EXECUTE</TT
>,
   and <TT
CLASS="LITERAL"
>USAGE</TT
>.  The privileges applicable to a particular
   object vary depending on the object's type (table, function, etc).
   For complete
   information on the different types of privileges supported by
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
>, refer to the
   <A
HREF="sql-grant.html"
>GRANT</A
> reference page.  The following sections
   and chapters will also show you how those privileges are used.
  </P
><P
>   The right to modify or destroy an object is always the privilege of
   the owner only.
  </P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>    To change the owner of a table, index, sequence, or view, use the
    <A
HREF="sql-altertable.html"
>ALTER TABLE</A
> command.  There are corresponding
    <TT
CLASS="LITERAL"
>ALTER</TT
> commands for other object types.
   </P
></BLOCKQUOTE
></DIV
><P
>   To assign privileges, the <TT
CLASS="COMMAND"
>GRANT</TT
> command is
   used. For example, if <TT
CLASS="LITERAL"
>joe</TT
> is an existing user, and
   <TT
CLASS="LITERAL"
>accounts</TT
> is an existing table, the privilege to
   update the table can be granted with
</P><PRE
CLASS="PROGRAMLISTING"
>GRANT UPDATE ON accounts TO joe;</PRE
><P>
   To grant a privilege to a group, use this syntax:
</P><PRE
CLASS="PROGRAMLISTING"
>GRANT SELECT ON accounts TO GROUP staff;</PRE
><P>
   The special <SPAN
CLASS="QUOTE"
>"user"</SPAN
> name <TT
CLASS="LITERAL"
>PUBLIC</TT
> can
   be used to grant a privilege to every user on the system. Writing
   <TT
CLASS="LITERAL"
>ALL</TT
> in place of a specific privilege grants all
   privileges that are relevant for the object type.
  </P
><P
>   To revoke a privilege, use the fittingly named
   <TT
CLASS="COMMAND"
>REVOKE</TT
> command:
</P><PRE
CLASS="PROGRAMLISTING"
>REVOKE ALL ON accounts FROM PUBLIC;</PRE
><P>
   The special privileges of the object owner (i.e., the right to do
   <TT
CLASS="COMMAND"
>DROP</TT
>, <TT
CLASS="COMMAND"
>GRANT</TT
>, <TT
CLASS="COMMAND"
>REVOKE</TT
>, etc.)
   are always implicit in being the owner,
   and cannot be granted or revoked.  But the object owner can choose
   to revoke his own ordinary privileges, for example to make a
   table read-only for himself as well as others.
  </P
><P
>   Ordinarily, only the object's owner (or a superuser) can grant or revoke
   privileges on an object.  However, it is possible to grant a privilege
   <SPAN
CLASS="QUOTE"
>"with grant option"</SPAN
>, which gives the recipient the right to
   grant it in turn to others.  If the grant option is subsequently revoked
   then all who received the privilege from that recipient (directly or
   through a chain of grants) will lose the privilege.  For details see
   the <A
HREF="sql-grant.html"
>GRANT</A
> and <A
HREF="sql-revoke.html"
>REVOKE</A
> reference
   pages.
  </P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl-alter.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="ddl-schemas.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Modifying Tables</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="ddl.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Schemas</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>