Working with Grants
You can perform the following basic operations on grants (object permissions):
• Grant any permission allowed for a particular object type to any group, role, or user (including public, which encompasses all current and future users)
• View all types of object permissions granted to a particular group, role, or user, or view the permissions granted for a particular object type
• Revoke a previously granted permission
In SQL, you can grant and revoke permissions using the GRANT and REVOKE statements. To display granted privileges, select data from the iidbprivileges system catalog.
In Actian Director, use the Modify or Properties dialog for user, group, and role.
In VDBA, you can access grants in a number of ways using the Database Object Manager. For example, if you expand the branch for a group, role, or user object, there is a Grants sub-branch where you can access all permissions that have been granted to that particular group, role, or user. You can also expand the branch for other object types, such as a database or a table, and use the associated Grantees… sub-branch to access all groups, roles, and users that have been granted each permission allowed for that type of object. For the detailed steps for performing these procedures, see online help.
Object Ownership and Granting Object Permissions
When you create an object, you become the owner of that object.
As the owner, you are automatically entitled to grant and revoke permissions for the object (with views, you must also own the base tables). When you grant permissions for an object (other than a database) to another user, you can also grant permission for that user to grant permissions for the object to other users, and you can likewise revoke that permission if necessary.
The GRANT Statement
The GRANT statement is used to grant permissions. This statement has the general form:
GRANT privilege ON object TO whom
The full syntax of a GRANT statement is:
GRANT ALL [PRIVILEGES] | privilege {, privilege}
[ON [object_type] [schema.]object_name {, [schema.]object_name}]
TO PUBLIC | [authorization_type] auth_id {, auth_id} [WITH GRANT OPTION];
The default object type is TABLE, which is used for any table or view. The default authorization type is USER.
Authorization identifiers specify who is receiving the permissions. Authorizations can be specified for:
• Individual users
Permissions defined by a particular GRANT statement can be issued to one or more end users, specifying the login user identifier.
• The key word PUBLIC, which includes all users. The authorization type PUBLIC is not followed by any auth_ids.
For example: Grant all query permissions for the games table to all sessions:
GRANT ALL ON games TO PUBLIC;
• A defined group
• A defined role
Authorizations for the individual user and PUBLIC are always in effect but can be adjusted by group and role permissions.
For complete information on the GRANT statement, see the SQL Reference Guide.
Last modified date: 08/29/2024