<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >Privileges</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REV="MADE" HREF="mailto:pgsql-docs@postgresql.org"><LINK REL="HOME" TITLE="PostgreSQL 8.4.12 Documentation" HREF="index.html"><LINK REL="UP" TITLE="Database Roles and Privileges" HREF="user-manag.html"><LINK REL="PREVIOUS" TITLE="Role Attributes" HREF="role-attributes.html"><LINK REL="NEXT" TITLE="Role Membership" HREF="role-membership.html"><LINK REL="STYLESHEET" TYPE="text/css" HREF="stylesheet.css"><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1"><META NAME="creation" CONTENT="2012-05-31T23:30:11"></HEAD ><BODY CLASS="SECT1" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="5" ALIGN="center" VALIGN="bottom" >PostgreSQL 8.4.12 Documentation</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="top" ><A HREF="role-attributes.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="10%" ALIGN="left" VALIGN="top" ><A HREF="user-manag.html" >Fast Backward</A ></TD ><TD WIDTH="60%" ALIGN="center" VALIGN="bottom" >Chapter 20. Database Roles and Privileges</TD ><TD WIDTH="10%" ALIGN="right" VALIGN="top" ><A HREF="user-manag.html" >Fast Forward</A ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="top" ><A HREF="role-membership.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="PRIVILEGES" >20.3. Privileges</A ></H1 ><A NAME="AEN28820" ></A ><A NAME="AEN28822" ></A ><A NAME="AEN28824" ></A ><A NAME="AEN28826" ></A ><P > When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement. For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, <I CLASS="FIRSTTERM" >privileges</I > must be granted. There are several different kinds of privilege: <TT CLASS="LITERAL" >SELECT</TT >, <TT CLASS="LITERAL" >INSERT</TT >, <TT CLASS="LITERAL" >UPDATE</TT >, <TT CLASS="LITERAL" >DELETE</TT >, <TT CLASS="LITERAL" >TRUNCATE</TT >, <TT CLASS="LITERAL" >REFERENCES</TT >, <TT CLASS="LITERAL" >TRIGGER</TT >, <TT CLASS="LITERAL" >CREATE</TT >, <TT CLASS="LITERAL" >CONNECT</TT >, <TT CLASS="LITERAL" >TEMPORARY</TT >, <TT CLASS="LITERAL" >EXECUTE</TT >, and <TT CLASS="LITERAL" >USAGE</TT >. For more information on the different types of privileges supported by <SPAN CLASS="PRODUCTNAME" >PostgreSQL</SPAN >, see the <A HREF="sql-grant.html" ><I >GRANT</I ></A > reference page. </P ><P > To assign privileges, the <TT CLASS="COMMAND" >GRANT</TT > command is used. So, if <TT CLASS="LITERAL" >joe</TT > is an existing role, and <TT CLASS="LITERAL" >accounts</TT > is an existing table, the privilege to update the table can be granted with: </P><PRE CLASS="PROGRAMLISTING" >GRANT UPDATE ON accounts TO joe;</PRE ><P> The special name <TT CLASS="LITERAL" >PUBLIC</TT > can be used to grant a privilege to every role on the system. Writing <TT CLASS="LITERAL" >ALL</TT > in place of a specific privilege specifies that all privileges that apply to the object will be granted. </P ><P > To revoke a privilege, use the fittingly named <A HREF="sql-revoke.html" ><I >REVOKE</I ></A > command: </P><PRE CLASS="PROGRAMLISTING" >REVOKE ALL ON accounts FROM PUBLIC;</PRE ><P> </P ><P > The special privileges of an object's owner (i.e., the right to modify or destroy the object) are always implicit in being the owner, and cannot be granted or revoked. But the owner can choose to revoke his own ordinary privileges, for example to make a table read-only for himself as well as others. </P ><P > An object can be assigned to a new owner with an <TT CLASS="COMMAND" >ALTER</TT > command of the appropriate kind for the object. Superusers can always do this; ordinary roles can only do it if they are both the current owner of the object (or a member of the owning role) and a member of the new owning role. </P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="role-attributes.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="role-membership.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >Role Attributes</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="user-manag.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Role Membership</TD ></TR ></TABLE ></DIV ></BODY ></HTML >