GRANT - define access rights

SYNOPSIS

 

GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
    [,...] | ALL [ PRIVILEGES ] }
    ON [ TABLE ] tablename [, ...]
    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
    ON DATABASE dbname [, ...]
    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { EXECUTE | ALL [ PRIVILEGES ] }
    ON FUNCTION funcname ([type, ...]) [, ...]
    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | ALL [ PRIVILEGES ] }
    ON LANGUAGE langname [, ...]
    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
    ON SCHEMA schemaname [, ...]
    TO { username | GROUP groupname | PUBLIC } [, ...] [ WITH GRANT OPTION ]

DESCRIPTION

The GRANT command gives specific privileges on an object (table, view, sequence, database, function, procedural language, or schema) to one or more users or groups of users. These privileges are added to those already granted, if any.


 The key word PUBLIC indicates that the privileges are to be granted to all users, including those that may be created later. PUBLIC may be thought of as an implicitly defined group that always includes all users. Any particular user will have the sum of the privileges granted directly to him or her, the privileges granted to any group he or she is currently a member of, and the privileges granted to PUBLIC.


 If WITH GRANT OPTION is specified, the recipient of the privilege may in turn grant it to others. Without a grant option, the recipient cannot do that. Grant options can only be granted to individual users, not to groups or PUBLIC.


 There is no need to grant privileges to the owner of an object (usually the user that created it), as the owner has all privileges by default. (The owner could, however, choose to revoke some of his or her own privileges for safety.) The right to drop an object, or to alter its definition in any way, is not described by a grantable privilege; it is inherent in the owner and cannot be granted or revoked.


 Depending on the type of object, the initial default privileges may include granting some privileges to PUBLIC. The default is no public access for tables and schemas; TEMP table creation privilege for databases; EXECUTE privilege for functions; and USAGE privilege for languages. The object owner may of course revoke these privileges. (For maximum security, issue the REVOKE in the same transaction that creates the object; then there is no window in which another user may use the object.)


 The possible privileges are:

SELECT

 Allows SELECT [ select (7)] from any column of the specified table, view, or sequence. Also allows the use of COPY [ copy (7)] TO. For sequences, this privilege also allows the use of the currval function.
INSERT

 Allows INSERT [ insert (7)] of a new row into the specified table. Also allows COPY [ copy (7)] FROM.
UPDATE

 Allows UPDATE [ update (7)] of any column of the specified table. SELECT ... FOR UPDATE also requires this privilege (besides the SELECT privilege). For sequences, this privilege allows the use of the nextval and setval functions.
DELETE

 Allows DELETE [ delete (7)] of a row from the specified table.
RULE

 Allows the creation of a rule on the table/view. (See the CREATE RULE [ create_rule (7)] statement.)
REFERENCES

 To create a foreign key constraint, it is necessary to have this privilege on both the referencing and the referenced table.
TRIGGER

 Allows the creation of a trigger on the specified table. (See the CREATE TRIGGER [ create_trigger (7)] statement.)
CREATE

 For databases, allows new schemas to be created within the database.


 For schemas, allows new objects to be created within the schema. To rename an existing object, you must own the object and have this privilege for the schema that contains it.

TEMPORARY
TEMP

 Allows temporary tables to be created while using the database.
EXECUTE

 Allows the use of the specified function and of any operators that are implemented on top of the function. This is the only type of privilege that is applicable to functions. (This syntax works for aggregate functions as well.)
USAGE

 For procedural languages, allows the use of the specified language for the creation of functions in that language. This is the only type of privilege that is applicable to procedural languages.


 For schemas, allows access to objects contained in the specified schema (assuming that the objects' own privilege requirements are also met). Essentially this allows the grantee to "look up" objects within the schema.

ALL PRIVILEGES

 Grant all of the privileges applicable to the object at once. The PRIVILEGES key word is optional in PostgreSQL, though it is required by strict SQL.


 The privileges required by other commands are listed on the reference page of the respective command.
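The following is an added example, not part of the original reference page, showing how the default privileges and WITH GRANT OPTION described above combine in practice: the objects are created and the default PUBLIC grants revoked inside one transaction, so no other session ever sees them open, and a single user (not a group) receives a grant option. The user names (app_reader, report_admin), the schema reports, the table prices and the function lookup_price are assumptions for illustration.

```sql
-- Users are created outside the transaction: older PostgreSQL releases do
-- not allow CREATE USER inside a transaction block.
CREATE USER app_reader;
CREATE USER report_admin;

BEGIN;

-- Schemas have no PUBLIC access by default; the explicit REVOKE below only
-- documents the intent.
CREATE SCHEMA reports;

CREATE TABLE reports.prices (
    id    integer PRIMARY KEY,
    price numeric NOT NULL
);

-- Functions default to EXECUTE for PUBLIC.  Revoking inside the creating
-- transaction leaves no window in which another user could call it.
CREATE FUNCTION reports.lookup_price(integer) RETURNS numeric
    AS 'SELECT price FROM reports.prices WHERE id = $1'
    LANGUAGE SQL;
REVOKE ALL ON FUNCTION reports.lookup_price(integer) FROM PUBLIC;
REVOKE ALL ON SCHEMA reports FROM PUBLIC;

-- Least privilege for the application user: USAGE to look up objects in the
-- schema, EXECUTE on the one function, and SELECT on the table the function
-- reads (an ordinary SQL function runs with the caller's privileges).
GRANT USAGE ON SCHEMA reports TO app_reader;
GRANT EXECUTE ON FUNCTION reports.lookup_price(integer) TO app_reader;
GRANT SELECT ON TABLE reports.prices TO app_reader;

-- A grant option lets report_admin pass SELECT on to others.  It can only be
-- given to an individual user, never to a group or to PUBLIC.
GRANT USAGE ON SCHEMA reports TO report_admin;
GRANT SELECT ON TABLE reports.prices TO report_admin WITH GRANT OPTION;

COMMIT;
```

After the commit, the owner can confirm the result with \z reports.prices in psql: report_admin's entry carries the grant-option marker (r*) while app_reader's does not, and PUBLIC has no entry at all.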

NOTES

The REVOKE [ revoke (7)] command is used to revoke access privileges.


 It should be noted that database superusers can access all objects regardless of object privilege settings. This is comparable to the rights of root in a Unix system. As with root, it is unwise to operate as a superuser except when absolutely necessary.

If a superuser chooses to issue a GRANT or REVOKE command, the command is performed as though it were issued by the owner of the affected object. In particular, privileges granted via such a command will appear to have been granted by the object owner.


 Currently, to grant privileges in PostgreSQL on only a few columns, you must create a view having the desired columns and then grant privileges to that view.
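An added example of the view-based column restriction just described; it is not from the original page. The table employees, the view employee_directory and the group hr_readers are constructed for illustration. The final query reads the ACL straight from pg_class, which is the check to use from a client that is not psql.

```sql
-- Constructed base table with one sensitive column (salary).
CREATE GROUP hr_readers;

CREATE TABLE employees (
    id     integer PRIMARY KEY,
    name   text NOT NULL,
    dept   text NOT NULL,
    salary numeric NOT NULL
);

-- The view exposes only the columns the group is allowed to read.
CREATE VIEW employee_directory AS
    SELECT id, name, dept FROM employees;

-- Keep the base table closed to everyone except its owner.  Tables have no
-- PUBLIC access by default, but an explicit REVOKE undoes any earlier grant.
REVOKE ALL ON TABLE employees FROM PUBLIC;

-- Grant read access on the view only.  The view's query is executed with the
-- view owner's privileges, so grantees need no privilege on employees.
GRANT SELECT ON TABLE employee_directory TO GROUP hr_readers;

-- Verification: employee_directory lists the group with r, while employees
-- shows no entry for the group or for PUBLIC.
SELECT relname, relacl
  FROM pg_class
 WHERE relname IN ('employees', 'employee_directory');
```

Because the view is the only object the group can reach, adding a column to employees later does not expose it; the view definition has to be changed deliberately before the group can see it.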


 Use the \z command of psql (1) to obtain information about existing privileges, for example:

 

=> \z mytable

        Access privileges for database "lusitania"
 Schema |  Table  |           Access privileges
--------+---------+---------------------------------------
 public | mytable | {=r/postgres,miriam=arwdRxt/postgres,"group todos=arw/postgres"}
(1 row)

The entries shown by \z are interpreted as follows:

 

              =xxxx -- privileges granted to PUBLIC
         uname=xxxx -- privileges granted to a user
   group gname=xxxx -- privileges granted to a group

                  r -- SELECT ("read")
                  w -- UPDATE ("write")
                  a -- INSERT ("append")
                  d -- DELETE
                  R -- RULE
                  x -- REFERENCES
                  t -- TRIGGER
                  X -- EXECUTE
                  U -- USAGE
                  C -- CREATE
                  T -- TEMPORARY
            arwdRxt -- ALL PRIVILEGES (for tables)
                  * -- grant option for preceding privilege

              /yyyy -- user who granted this privilege


 The above example display would be seen by user miriam after creating table mytable and doing:

 

GRANT SELECT ON mytable TO PUBLIC;
GRANT SELECT, UPDATE, INSERT ON mytable TO GROUP todos;


 If the "Access privileges" column is empty for a given object, it means the object has default privileges (that is, its privileges column is NULL). Default privileges always include all privileges for the owner, and may include some privileges for PUBLIC depending on the object type, as explained above. The first GRANT or REVOKE on an object will instantiate the default privileges (producing, for example, {=,miriam=arwdRxt}) and then modify them per the specified request.

EXAMPLES


 Grant insert privilege to all users on table films:

 

GRANT INSERT ON films TO PUBLIC;


 Grant all available privileges to user manuel on view kinds:

 

GRANT ALL PRIVILEGES ON kinds TO manuel;

COMPATIBILITY


 According to the SQL standard, the PRIVILEGES key word in ALL PRIVILEGES is required. SQL does not support setting the privileges on more than one table per command.

The SQL standard allows setting privileges for individual columns within a table:

 

GRANT privileges
    ON table [ ( column [, ...] ) ] [, ...]
    TO { PUBLIC | username [, ...] } [ WITH GRANT OPTION ]

The SQL standard provides for a USAGE privilege on other kinds of objects: character sets, collations, translations, domains.

The RULE privilege, and privileges on databases, schemas, languages, and sequences are PostgreSQL extensions.


Origin www.cnblogs.com/fanweisheng/p/11082535.html