| Current File : //usr/share/doc/postgresql-9.2.24/html/ddl-priv.html |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Privileges</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 9.2.24 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Data Definition"
HREF="ddl.html"><LINK
REL="PREVIOUS"
TITLE="Modifying Tables"
HREF="ddl-alter.html"><LINK
REL="NEXT"
TITLE="Schemas"
HREF="ddl-schemas.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2017-11-06T22:43:11"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="5"
ALIGN="center"
VALIGN="bottom"
><A
HREF="index.html"
>PostgreSQL 9.2.24 Documentation</A
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
TITLE="Modifying Tables"
HREF="ddl-alter.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Data Definition</TD
><TD
WIDTH="20%"
ALIGN="right"
VALIGN="top"
><A
TITLE="Schemas"
HREF="ddl-schemas.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="DDL-PRIV"
>5.6. Privileges</A
></H1
><P
> When an object is created, it is assigned an owner. The
owner is normally the role that executed the creation statement.
For most kinds of objects, the initial state is that only the owner
(or a superuser) can do anything with the object. To allow
other roles to use it, <I
CLASS="FIRSTTERM"
>privileges</I
> must be
granted.
</P
><P
> There are different kinds of privileges: <TT
CLASS="LITERAL"
>SELECT</TT
>,
<TT
CLASS="LITERAL"
>INSERT</TT
>, <TT
CLASS="LITERAL"
>UPDATE</TT
>, <TT
CLASS="LITERAL"
>DELETE</TT
>,
<TT
CLASS="LITERAL"
>TRUNCATE</TT
>, <TT
CLASS="LITERAL"
>REFERENCES</TT
>, <TT
CLASS="LITERAL"
>TRIGGER</TT
>,
<TT
CLASS="LITERAL"
>CREATE</TT
>, <TT
CLASS="LITERAL"
>CONNECT</TT
>, <TT
CLASS="LITERAL"
>TEMPORARY</TT
>,
<TT
CLASS="LITERAL"
>EXECUTE</TT
>, and <TT
CLASS="LITERAL"
>USAGE</TT
>.
The privileges applicable to a particular
object vary depending on the object's type (table, function, etc).
For complete information on the different types of privileges
supported by <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
>, refer to the
<A
HREF="sql-grant.html"
>GRANT</A
> reference
page. The following sections and chapters will also show you how
those privileges are used.
</P
><P
> The right to modify or destroy an object is always the privilege of
the owner only.
</P
><P
> An object can be assigned to a new owner with an <TT
CLASS="COMMAND"
>ALTER</TT
>
command of the appropriate kind for the object, e.g. <A
HREF="sql-altertable.html"
>ALTER TABLE</A
>. Superusers can always do
this; ordinary roles can only do it if they are both the current owner
of the object (or a member of the owning role) and a member of the new
owning role.
</P
><P
> To assign privileges, the <TT
CLASS="COMMAND"
>GRANT</TT
> command is
used. For example, if <TT
CLASS="LITERAL"
>joe</TT
> is an existing user, and
<TT
CLASS="LITERAL"
>accounts</TT
> is an existing table, the privilege to
update the table can be granted with:
</P><PRE
CLASS="PROGRAMLISTING"
>GRANT UPDATE ON accounts TO joe;</PRE
><P>
Writing <TT
CLASS="LITERAL"
>ALL</TT
> in place of a specific privilege grants all
privileges that are relevant for the object type.
</P
><P
> The special <SPAN
CLASS="QUOTE"
>"user"</SPAN
> name <TT
CLASS="LITERAL"
>PUBLIC</TT
> can
be used to grant a privilege to every user on the system. Also,
<SPAN
CLASS="QUOTE"
>"group"</SPAN
> roles can be set up to help manage privileges when
there are many users of a database — for details see
<A
HREF="user-manag.html"
>Chapter 20</A
>.
</P
><P
> To revoke a privilege, use the fittingly named
<TT
CLASS="COMMAND"
>REVOKE</TT
> command:
</P><PRE
CLASS="PROGRAMLISTING"
>REVOKE ALL ON accounts FROM PUBLIC;</PRE
><P>
The special privileges of the object owner (i.e., the right to do
<TT
CLASS="COMMAND"
>DROP</TT
>, <TT
CLASS="COMMAND"
>GRANT</TT
>, <TT
CLASS="COMMAND"
>REVOKE</TT
>, etc.)
are always implicit in being the owner,
and cannot be granted or revoked. But the object owner can choose
to revoke his own ordinary privileges, for example to make a
table read-only for himself as well as others.
</P
><P
> Ordinarily, only the object's owner (or a superuser) can grant or
revoke privileges on an object. However, it is possible to grant a
privilege <SPAN
CLASS="QUOTE"
>"with grant option"</SPAN
>, which gives the recipient
the right to grant it in turn to others. If the grant option is
subsequently revoked then all who received the privilege from that
recipient (directly or through a chain of grants) will lose the
privilege. For details see the <A
HREF="sql-grant.html"
>GRANT</A
> and
<A
HREF="sql-revoke.html"
>REVOKE</A
> reference pages.
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="ddl-alter.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="ddl-schemas.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Modifying Tables</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="ddl.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Schemas</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>