GRANT

In a secured database, use the GRANT statement to manage access permissions for tables, views, and stored procedures. GRANT can give users rights to these permissions, can create new users, and can assign the users to existing user groups. If needed, use CREATE GROUP to create a new group before using GRANT.

The following topics cover use of GRANT statements:

CREATETAB, CREATESP, CREATEVIEW, and LOGIN TO keywords are extensions to the SQL grammar. You can use the GRANT statement to grant privileges for CREATE TABLE, CREATE VIEW, and CREATE PROCEDURE. The following table lists the syntax for a given action.

CREATETAB, CREATEVIEW, and CREATESP must be explicitly granted. These privileges are not included as part of a GRANT ALL statement.

GRANT LOGIN TO creates a user and allows that user to access the secured database. You must specify a user name and password to create a user. Optionally, you may specify an existing group for the new user. If needed, use CREATE GROUP to create a new group before using GRANT LOGIN TO.

The following constraints apply to permissions on objects:

For example, if you issue GRANT ALL ON * to User1, then User1 has all permissions listed in the table.

If you issue GRANT ALL ON VIEW myview1 TO User2, then User2 has ALTER, DELETE, INSERT, UPDATE, and SELECT permissions on myview1.

The following topics provide cover particular uses of GRANT to manage data security:

Relational security is based on the existence of a default user named Master who has full access to the database when security is turned on. When you turn security on, you will be required to specify a password for the Master user.

Security must be turned on to perform this statement.

The Master user can create groups and other users using the GRANT LOGIN TO, CREATE USER, or CREATE GROUP commands and manage data access for these groups and users.

If you want to grant the same privileges to all users, you can grant them to the PUBLIC group. All users inherit the default privileges assigned to the PUBLIC group.

User name and password must be enclosed in double quotes if they contain spaces or other nonalphanumeric characters.

For further general information about users and groups, see Master User and Users and Groups in Advanced Operations Guide, and Assigning Permissions Tasks in PSQL User's Guide.

An owner name is a string of bytes that unlocks access to a Btrieve file. Btrieve owner names have no connection with any operating system or database user name but rather serve as a file access password. For more information, see Owner Names.

If a Btrieve file that serves as a table in a secure SQL database has an owner name, the database Master user must provide that owner name in a GRANT statement to authorize access to the table, including for the Master user itself.

After the Master user has executed a GRANT statement for a user, that user can access the table, without having to give the owner name, simply by logging into the database. This authorization lasts for the duration of the current database connection. Also note that the SET OWNER statement allows you to specify one or more owner names for the connection session. See SET OWNER.

If a user tries to run SQL commands on a table that has an owner name, access is refused unless the Master user has granted rights to the table for that user by using the owner name in a GRANT statement.

If a table has an owner name with the read-only setting chosen, all users have SELECT rights on the table.

Views and stored procedures can be trusted or non-trusted, depending on how you want to handle the permissions for the objects referenced by the view or stored procedure.

Views and stored procedures reference objects, such as tables, other views or other stored procedures. Granting permissions on every referenced object could become highly time consuming depending on the number of objects and users. A simpler approach for many situations is the concept of a trusted view or stored procedure.

A trusted view or stored procedure is one that can be executed without having to explicitly set permissions for each referenced object. For example, if trusted view myview1 references tables t1 and t2, the Master user can grant permissions for myview1 without having to grant them for t1 and t2.

A non-trusted view or stored procedure is one that cannot be executed without having to explicitly set permissions for each referenced object.

The following table compares characteristics between trusted and non-trusted objects.

This section provides a number of examples of GRANT.

Table 26 Characteristics of Trusted and Non-trusted Views and Stored Procedures
Object	Characteristic	Notes
Trusted view or trusted stored procedure	Requires V2 metadata	See PSQL Metadata.
Requires WITH EXECUTE AS ‘MASTER’ clause in CREATE statement	See CREATE VIEW and CREATE PROCEDURE.
Only Master user can create the object	See Master User in Advanced Operations Guide.
Only Master user can delete the object	See DROP VIEW and DROP PROCEDURE
Master user must grant object permissions to other users	By default, only the Master user can access trusted views or stored procedures and must grant permissions to them.
GRANT and REVOKE statements applicable to object	See also REVOKE.
Object can exist in a secured or in an unsecured database	See PSQL Security in Advanced Operations Guide.
Changing a trusted object to a non-trusted one (or vice versa) requires deletion then recreation of object8	The ALTER statement for a view or stored procedure cannot be used to add or remove the trusted characteristic of the object. If you need to change a trusted object to a non-trusted one, you must first delete the object then recreate it without the WITH EXECUTE AS ‘MASTER’ clause. Similarly, if you need to change a non-trusted object to a trusted one, you must first delete the object then recreate it with the WITH EXECUTE AS ‘MASTER’ clause.
Non-trusted view or non-trusted stored procedures	Any user can create the object	User must be granted CREATEVIEW or CREATESP privilege. See Remarks.
Any user can delete the object	User must be granted ALTER permission on the view or stored procedure. See GRANT.
ALTER permission required to delete the object	ALTER permission is also required to delete a table. Note that, by default, only the Master user can delete trusted objects. Users (other than Master) who did not create the view or stored procedure must be granted ALTER permissions to delete the view or stored procedure.
All users, by default, have all permissions for the object	For V2 metadata, if an unsecured database contains non-trusted objects, all permissions for the non-trusted objects are automatically granted to PUBLIC if security is enabled on the database.
User executing the view or stored procedure needs permissions for the objects referenced by the view or stored procedure	The user must also have permissions on the top-most object. That is, on the view or stored procedure that references the other objects.
GRANT and REVOKE statements applicable to object	See GRANT and REVOKE.
Object can exist in a secured or in an unsecured database	See PSQL Security in Advanced Operations Guide.
Changing a trusted object to a non-trusted one (or vice versa) requires deletion then recreation of object	Same as above for trusted view or trusted stored procedure.

A GRANT ALL statement grants the INSERT, UPDATE, ALTER, SELECT, DELETE and REFERENCES privileges to the specified user or group. In addition, the user or group is granted the CREATE TABLE right for the dictionary. The following statement grants all of these permissions to user dannyd for table Class.

The following statement grants ALTER permission to user debieq for table Class.

The following statement gives INSERT permission to keithv and miked for table Class. The table has an owner name of winsvr644AdminGrp.

The following statement gives INSERT permission to keithv and miked for table Class.

The following statement grants INSERT permission on two columns, First_name and Last_name, in the Person table to users keithv and brendanb

The following statement grants CREATE TABLE rights to users aideenw and punitas

The following GRANT LOGIN TO statement grants login rights to a user named ravi and specifies his password as password.

The user name and password here only refer to PSQL databases and are not related to user names and passwords set at the operating system level. PSQL user names, groups, and passwords can also be set through the PSQL Control Center (PCC).

The following example grants login rights to users named dannyd and travisk and specifies their passwords as password and 1234567 respectively.

If there are spaces in a name you may use double quotes as in the following example. This statement grants login rights to user named Jerry Gentry and Punita and specifies their password as sun and moon respectively

The following example grants the login rights to a user named Jerry Gentry with password 123456 and a user named travisk with password abcdef. It also adds them to the group psql_dev

The Master user has all rights on a table that does not have an owner name. To grant permissions on a table that has a Btrieve owner name, the Master user must supply the correct owner name in the GRANT statement.

The following example grants the SELECT right to the user Master on table t1 that has a Btrieve owner name of abcd.

You can set an owner name on a table using Function Executor or the Maintenance utility under the Tools menu in PCC. For more information, see Owner Names in Advanced Operations Guide.

After the Master user performs the following set of SQL statements, the user jsmith has SELECT access to all tables in the current database. The user also has DELETE access to tab1 and UPDATE access to tab2.

If the following statement is performed later by any user with CREATE TABLE privileges, the user jsmith will have SELECT access to the newly created table.

The following example grants EXECUTE permissions on stored procedure cal_rtrn_rate to all users.

The following example shows how members of the group Accounting can update only the salary column in the employee table (employee is part of the Demodata sample database).

Assume that the following stored procedure exists:

Note that users belonging to group Accounting cannot update other columns in the Employee table because permissions were granted only for the stored procedure and the stored procedure updates only the salary column.

The following example assumes that you have enabled security on the Demodata sample database and added a user named USAcctsMgr. You now want to grant SELECT rights to the ID column in table Person to that user. Use the following statement.

To GRANT Privileges for This Action	Use This Keyword with GRANT
CREATE TABLE	CREATETAB
CREATE VIEW	CREATEVIEW
CREATE PROCEDURE	CREATESP
LOGIN AS GROUP MEMBER	LOGIN TO

Permission	Table1	View1	Stored Procedure
CREATETAB
CREATEVIEW
CREATESP
ALTER2
DELETE
INSERT
REFERENCES
SELECT
UPDATE
EXECUTE3
1 Columns can be specified only for tables. Permissions for a view can be granted only to the entire view, not to single columns. 2 To drop a table, view, or stored procedure, a user must have ALTER permission on that object. Trusted views and stored procedures can be dropped only by the Master user. 3 EXECUTE applies only to stored procedures. A stored procedure can be executed with either a CALL or an EXECUTE statement. The procedure can be trusted or non-trusted. See Trusted and Non-Trusted Objects.

Permission Included by ALL	Table	View	Stored Procedure
ALTER1
DELETE
INSERT
REFERENCES
SELECT
UPDATE
EXECUTE
1To drop a table, view, or stored procedure, a user must have ALTER permission on that object. Trusted views and stored procedures can be dropped only by the Master user.