When a database object is created, it is assigned an owner. The
owner is the user that executed the creation statement. There is
currently no simple way to change the owner of a database
object. By default, only an owner (or a superuser) can do anything
with the object. In order to allow other users to use it,
privileges must be granted.
Currently, there are four different privileges: select (read),
insert (append), and update/delete (write), as well as RULE, the
permission to create a rewrite rule on a table. The right to modify
or destroy an object is always the privilege of the owner only. To
assign privileges, the GRANT command is used. So, if joe is an
existing user, and accounts is an existing table, write access can
be granted with

    GRANT UPDATE ON accounts TO joe;

The user executing this command must be the owner of the table. To
grant a privilege to a group, use

    GRANT SELECT ON accounts TO GROUP staff;

The special "user" name PUBLIC can be used to grant a privilege to
every user on the system. Using ALL in place of a privilege
specifies that all privileges will be granted.
To revoke a privilege, use the fittingly named REVOKE command:

    REVOKE ALL ON accounts FROM PUBLIC;

The set of privileges held by the table owner is always implicit
and is never revokable.
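
The following is an added example, not part of the original text: a least-privilege setup for the accounts table that also shows why a grant to PUBLIC has to be revoked from PUBLIC itself. It assumes a PostgreSQL server; the user alice, the table columns, and the use of the built-in has_table_privilege() function for checking are assumptions that do not appear above.

```sql
-- Constructed setup (assumptions): users joe and alice, group staff
-- containing only joe, and a sample accounts table. Run as the user
-- who is to own the table.
CREATE USER joe;
CREATE USER alice;
CREATE GROUP staff WITH USER joe;
CREATE TABLE accounts (id integer, balance numeric);

-- Start from a known state: remove anything granted to every user.
REVOKE ALL ON accounts FROM PUBLIC;

-- Grant only what each principal needs.
GRANT SELECT ON accounts TO GROUP staff;  -- read access for the group
GRANT UPDATE ON accounts TO joe;          -- write access for one user

-- Audit the effective privileges instead of trusting the grant list.
-- joe holds UPDATE directly and SELECT through membership in staff;
-- alice is in no group and has been granted nothing.
SELECT has_table_privilege('joe',   'accounts', 'SELECT') AS joe_select,
       has_table_privilege('joe',   'accounts', 'UPDATE') AS joe_update,
       has_table_privilege('alice', 'accounts', 'SELECT') AS alice_select;

-- Pitfall: privileges are additive. After a grant to PUBLIC, a
-- per-user REVOKE does not take the access away, because alice
-- still receives SELECT through PUBLIC.
GRANT SELECT ON accounts TO PUBLIC;
REVOKE SELECT ON accounts FROM alice;
SELECT has_table_privilege('alice', 'accounts', 'SELECT')
       AS alice_select_via_public;

-- The access is removed only by revoking it where it was granted.
REVOKE SELECT ON accounts FROM PUBLIC;
SELECT has_table_privilege('alice', 'accounts', 'SELECT')
       AS alice_select_after_public_revoke;
```

The same reasoning applies to group grants: revoking a privilege from joe alone leaves whatever he receives through staff.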