Privileges control the operations which users are allowed to perform in the database. Well-structured privileges are essential for maintaining data security.
There are three types of privileges:
- System privileges, which give the right to create global objects within the database.
- Object privileges, which give rights over certain specified objects in the database.
- Access privileges, which give rights of access to the data in a specified table or view.
System privileges are granted to the system administrator upon installation, and may be passed on to other idents. Objects and access privileges are initially granted only to the creator of an object. The creator may however pass the privileges on to other idents.
Granting and Revoking Privileges
Privileges are granted to idents with the
GRANTstatement and revoked from idents with the
All privileges may be granted with the `with grant option', which means that the receiver of the privilege in turn has the right to grant that privilege to other idents.
The creator of an object is automatically granted full privileges on that object with grant option. Thus the creator of:
- a group is automatically a member of that group
- a program ident may enter it
- a table has full access privileges
- a schema may create objects in it and drop them, etc.
When privileges that were granted with the `with grant option' are revoked, the right to grant those privileges to other idents is also revoked.
The `with grant option' can be revoked separately without revoking the privilege itself.
Idents may only grant privileges that they themselves possess to other idents, that is, idents cannot grant privileges to themselves.
Likewise, privileges may only be revoked by the grantor - idents cannot revoke privileges from themselves.
Certain operations are not controlled by explicit privileges, but may only be performed by the creator of the object involved. These operations include
ALTER(with the exception of
ALTER IDENT, which may be performed by either the ident himself or by the creator of the ident),
Mimer Information Technology AB
Voice: +46 18 780 92 00
Fax: +46 18 780 92 40