grant.sgml

PostgreSQL 8.1.4的源码 适用于Linux下的开源数据库系统

<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.50 2005/10/20 19:18:01 tgl Exp $
PostgreSQL documentation
-->

<refentry id="SQL-GRANT">
 <refmeta>
  <refentrytitle id="sql-grant-title">GRANT</refentrytitle>
  <refmiscinfo>SQL - Language Statements</refmiscinfo>
 </refmeta>

 <refnamediv>
  <refname>GRANT</refname>
  <refpurpose>define access privileges</refpurpose>
 </refnamediv>

 <indexterm zone="sql-grant">
  <primary>GRANT</primary>
 </indexterm>

 <refsynopsisdiv>
<synopsis>
GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
    [,...] | ALL [ PRIVILEGES ] }
    ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
    ON DATABASE <replaceable>dbname</replaceable> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
    ON FUNCTION <replaceable>funcname</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">argname</replaceable> ] <replaceable class="parameter">argtype</replaceable> [, ...] ] ) [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON LANGUAGE <replaceable>langname</replaceable> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
    ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { CREATE | ALL [ PRIVILEGES ] }
    ON TABLESPACE <replaceable>tablespacename</> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT <replaceable class="PARAMETER">role</replaceable> [, ...]
    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH ADMIN OPTION ]
</synopsis>
 </refsynopsisdiv>

 <refsect1 id="sql-grant-description">
  <title>Description</title>

  <para>
   The <command>GRANT</command> command has two basic variants: one
   that grants privileges on a database object (table, view, sequence,
   database, function, procedural language, schema, or tablespace),
   and one that grants membership in a role.  These variants are
   similar in many ways, but they are different enough to be described
   separately.
  </para>

  <para>
   As of <productname>PostgreSQL</productname> 8.1, the concepts of users and
   groups have been unified into a single kind of entity called a role.
   It is therefore no longer necessary to use the keyword <literal>GROUP</>
   to identify whether a grantee is a user or a group.  <literal>GROUP</>
   is still allowed in the command, but it is a noise word.
  </para>

 <refsect2 id="sql-grant-description-objects">
  <title>GRANT on Database Objects</title>

  <para>
   This variant of the <command>GRANT</command> command gives specific
   privileges on a database object to
   one or more roles.  These privileges are added
   to those already granted, if any.
  </para>

  <para>
   The key word <literal>PUBLIC</literal> indicates that the
   privileges are to be granted to all roles, including those that may
   be created later.  <literal>PUBLIC</literal> may be thought of as an
   implicitly defined group that always includes all roles.
   Any particular role will have the sum
   of privileges granted directly to it, privileges granted to any role it
   is presently a member of, and privileges granted to
   <literal>PUBLIC</literal>.
  </para>

  <para>
   If <literal>WITH GRANT OPTION</literal> is specified, the recipient
   of the privilege may in turn grant it to others.  Without a grant
   option, the recipient cannot do that.  Grant options cannot be granted
   to <literal>PUBLIC</literal>.
  </para>

  <para>
   There is no need to grant privileges to the owner of an object
   (usually the user that created it),
   as the owner has all privileges by default.  (The owner could,
   however, choose to revoke some of his own privileges for safety.)
   The right to drop an object, or to alter its definition in any way is
   not described by a grantable privilege; it is inherent in the owner,
   and cannot be granted or revoked.  The owner implicitly has all grant
   options for the object, too.
  </para>

  <para>
   Depending on the type of object, the initial default privileges may
   include granting some privileges to <literal>PUBLIC</literal>.
   The default is no public access for tables, schemas, and tablespaces;
   <literal>TEMP</> table creation privilege for databases;
   <literal>EXECUTE</> privilege for functions; and
   <literal>USAGE</> privilege for languages.
   The object owner may of course revoke these privileges.  (For maximum
   security, issue the <command>REVOKE</> in the same transaction that
   creates the object; then there is no window in which another user
   may use the object.)
  </para>

  <para>
   The possible privileges are:

   <variablelist>
    <varlistentry>
     <term>SELECT</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-select" endterm="sql-select-title"> from any column of the
       specified table, view, or sequence.  Also allows the use of
       <xref linkend="sql-copy" endterm="sql-copy-title"> TO.  For sequences, this
       privilege also allows the use of the <function>currval</function> function.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>INSERT</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-insert" endterm="sql-insert-title"> of a new row into the
       specified table.  Also allows <xref linkend="sql-copy" endterm="sql-copy-title"> FROM.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>UPDATE</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-update" endterm="sql-update-title"> of any
       column of the specified table.  <literal>SELECT ... FOR UPDATE</literal>
       and <literal>SELECT ... FOR SHARE</literal>
       also require this privilege (besides the
       <literal>SELECT</literal> privilege).  For sequences, this
       privilege allows the use of the <function>nextval</function> and
       <function>setval</function> functions.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>DELETE</term>
     <listitem>
      <para>
       Allows <xref linkend="sql-delete" endterm="sql-delete-title"> of a row from the
       specified table.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>RULE</term>
     <listitem>
      <para>
       Allows the creation of a rule on the table/view.  (See the <xref
       linkend="sql-createrule" endterm="sql-createrule-title"> statement.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>REFERENCES</term>
     <listitem>
      <para>
       To create a foreign key constraint, it is
       necessary to have this privilege on both the referencing and
       referenced tables.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>TRIGGER</term>
     <listitem>
      <para>
       Allows the creation of a trigger on the specified table.  (See the
       <xref linkend="sql-createtrigger" endterm="sql-createtrigger-title"> statement.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>CREATE</term>
     <listitem>
      <para>
       For databases, allows new schemas to be created within the database.
      </para>
      <para>
       For schemas, allows new objects to be created within the schema.
       To rename an existing object, you must own the object <emphasis>and</>
       have this privilege for the containing schema.
      </para>
      <para>
       For tablespaces, allows tables and indexes to be created within the
       tablespace, and allows databases to be created that have the tablespace
       as their default tablespace.  (Note that revoking this privilege
       will not alter the placement of existing objects.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>TEMPORARY</term>
     <term>TEMP</term>
     <listitem>
      <para>
       Allows temporary tables to be created while using the database.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>EXECUTE</term>
     <listitem>
      <para>
       Allows the use of the specified function and the use of any
       operators that are implemented on top of the function.  This is
       the only type of privilege that is applicable to functions.
       (This syntax works for aggregate functions, as well.)
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>USAGE</term>
     <listitem>
      <para>
       For procedural languages, allows the use of the specified language for
       the creation of functions in that language.  This is the only type
       of privilege that is applicable to procedural languages.
      </para>
      <para>
       For schemas, allows access to objects contained in the specified
       schema (assuming that the objects' own privilege requirements are
       also met).  Essentially this allows the grantee to <quote>look up</>
       objects within the schema.
      </para>
     </listitem>
    </varlistentry>

    <varlistentry>
     <term>ALL PRIVILEGES</term>
     <listitem>
      <para>
       Grant all of the available privileges at once.
       The <literal>PRIVILEGES</literal> key word is optional in
       <productname>PostgreSQL</productname>, though it is required by
       strict SQL.