Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Volgen 1
Ster 0
Wiki 捐赠
gooderp18绿色标准版
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branch: master
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'master'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/sql-grant.html

294 lines
21KB
Ruw Permalink Blame Geschiedenis 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>GRANT</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="sql-fetch.html" title="FETCH" /><link rel="next" href="sql-importforeignschema.html" title="IMPORT FOREIGN SCHEMA" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">GRANT</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sql-fetch.html" title="FETCH">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="sql-commands.html" title="SQL Commands">Up</a></td><th width="60%" align="center">SQL Commands</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sql-importforeignschema.html" title="IMPORT FOREIGN SCHEMA">Next</a></td></tr></table><hr></hr></div><div class="refentry" id="SQL-GRANT"><div class="titlepage"></div><a id="id-1.9.3.150.1" class="indexterm"></a><div class="refnamediv"><h2><span class="refentrytitle">GRANT</span></h2><p>GRANT — define access privileges</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><pre class="synopsis">

  3. GRANT { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }

  4.     [, ...] | ALL [ PRIVILEGES ] }

  5.     ON { [ TABLE ] <em class="replaceable"><code>table_name</code></em> [, ...]

  6.          | ALL TABLES IN SCHEMA <em class="replaceable"><code>schema_name</code></em> [, ...] }

  7.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  8. 

  9. GRANT { { SELECT | INSERT | UPDATE | REFERENCES } ( <em class="replaceable"><code>column_name</code></em> [, ...] )

  10.     [, ...] | ALL [ PRIVILEGES ] ( <em class="replaceable"><code>column_name</code></em> [, ...] ) }

  11.     ON [ TABLE ] <em class="replaceable"><code>table_name</code></em> [, ...]

  12.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  13. 

  14. GRANT { { USAGE | SELECT | UPDATE }

  15.     [, ...] | ALL [ PRIVILEGES ] }

  16.     ON { SEQUENCE <em class="replaceable"><code>sequence_name</code></em> [, ...]

  17.          | ALL SEQUENCES IN SCHEMA <em class="replaceable"><code>schema_name</code></em> [, ...] }

  18.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  19. 

  20. GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }

  21.     ON DATABASE <em class="replaceable"><code>database_name</code></em> [, ...]

  22.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  23. 

  24. GRANT { USAGE | ALL [ PRIVILEGES ] }

  25.     ON DOMAIN <em class="replaceable"><code>domain_name</code></em> [, ...]

  26.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  27. 

  28. GRANT { USAGE | ALL [ PRIVILEGES ] }

  29.     ON FOREIGN DATA WRAPPER <em class="replaceable"><code>fdw_name</code></em> [, ...]

  30.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  31. 

  32. GRANT { USAGE | ALL [ PRIVILEGES ] }

  33.     ON FOREIGN SERVER <em class="replaceable"><code>server_name</code></em> [, ...]

  34.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  35. 

  36. GRANT { EXECUTE | ALL [ PRIVILEGES ] }

  37.     ON { { FUNCTION | PROCEDURE | ROUTINE } <em class="replaceable"><code>routine_name</code></em> [ ( [ [ <em class="replaceable"><code>argmode</code></em> ] [ <em class="replaceable"><code>arg_name</code></em> ] <em class="replaceable"><code>arg_type</code></em> [, ...] ] ) ] [, ...]

  38.          | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA <em class="replaceable"><code>schema_name</code></em> [, ...] }

  39.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  40. 

  41. GRANT { USAGE | ALL [ PRIVILEGES ] }

  42.     ON LANGUAGE <em class="replaceable"><code>lang_name</code></em> [, ...]

  43.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  44. 

  45. GRANT { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }

  46.     ON LARGE OBJECT <em class="replaceable"><code>loid</code></em> [, ...]

  47.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  48. 

  49. GRANT { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }

  50.     ON SCHEMA <em class="replaceable"><code>schema_name</code></em> [, ...]

  51.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  52. 

  53. GRANT { CREATE | ALL [ PRIVILEGES ] }

  54.     ON TABLESPACE <em class="replaceable"><code>tablespace_name</code></em> [, ...]

  55.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  56. 

  57. GRANT { USAGE | ALL [ PRIVILEGES ] }

  58.     ON TYPE <em class="replaceable"><code>type_name</code></em> [, ...]

  59.     TO <em class="replaceable"><code>role_specification</code></em> [, ...] [ WITH GRANT OPTION ]

  60. 

  61. GRANT <em class="replaceable"><code>role_name</code></em> [, ...] TO <em class="replaceable"><code>role_specification</code></em> [, ...]

  62.     [ WITH ADMIN OPTION ]

  63.     [ GRANTED BY <em class="replaceable"><code>role_specification</code></em> ]

  64. 

  65. <span class="phrase">where <em class="replaceable"><code>role_specification</code></em> can be:</span>

  66. 

  67.     [ GROUP ] <em class="replaceable"><code>role_name</code></em>

  68.   | PUBLIC

  69.   | CURRENT_USER

  70.   | SESSION_USER

  71. </pre></div><div class="refsect1" id="SQL-GRANT-DESCRIPTION"><h2>Description</h2><p>

  72.    The <code class="command">GRANT</code> command has two basic variants: one

  73.    that grants privileges on a database object (table, column, view, foreign

  74.    table, sequence, database, foreign-data wrapper, foreign server, function, procedure,

  75.    procedural language, schema, or tablespace), and one that grants

  76.    membership in a role.  These variants are similar in many ways, but

  77.    they are different enough to be described separately.

  78.   </p><div class="refsect2" id="SQL-GRANT-DESCRIPTION-OBJECTS"><h3>GRANT on Database Objects</h3><p>

  79.    This variant of the <code class="command">GRANT</code> command gives specific

  80.    privileges on a database object to

  81.    one or more roles.  These privileges are added

  82.    to those already granted, if any.

  83.   </p><p>

  84.    The key word <code class="literal">PUBLIC</code> indicates that the

  85.    privileges are to be granted to all roles, including those that might

  86.    be created later.  <code class="literal">PUBLIC</code> can be thought of as an

  87.    implicitly defined group that always includes all roles.

  88.    Any particular role will have the sum

  89.    of privileges granted directly to it, privileges granted to any role it

  90.    is presently a member of, and privileges granted to

  91.    <code class="literal">PUBLIC</code>.

  92.   </p><p>

  93.    If <code class="literal">WITH GRANT OPTION</code> is specified, the recipient

  94.    of the privilege can in turn grant it to others.  Without a grant

  95.    option, the recipient cannot do that.  Grant options cannot be granted

  96.    to <code class="literal">PUBLIC</code>.

  97.   </p><p>

  98.    There is no need to grant privileges to the owner of an object

  99.    (usually the user that created it),

  100.    as the owner has all privileges by default.  (The owner could,

  101.    however, choose to revoke some of their own privileges for safety.)

  102.   </p><p>

  103.    The right to drop an object, or to alter its definition in any way, is

  104.    not treated as a grantable privilege; it is inherent in the owner,

  105.    and cannot be granted or revoked.  (However, a similar effect can be

  106.    obtained by granting or revoking membership in the role that owns

  107.    the object; see below.)  The owner implicitly has all grant

  108.    options for the object, too.

  109.   </p><p>

  110.    The possible privileges are:

  111. 

  112.    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">SELECT</code><br /></span><span class="term"><code class="literal">INSERT</code><br /></span><span class="term"><code class="literal">UPDATE</code><br /></span><span class="term"><code class="literal">DELETE</code><br /></span><span class="term"><code class="literal">TRUNCATE</code><br /></span><span class="term"><code class="literal">REFERENCES</code><br /></span><span class="term"><code class="literal">TRIGGER</code><br /></span><span class="term"><code class="literal">CREATE</code><br /></span><span class="term"><code class="literal">CONNECT</code><br /></span><span class="term"><code class="literal">TEMPORARY</code><br /></span><span class="term"><code class="literal">EXECUTE</code><br /></span><span class="term"><code class="literal">USAGE</code></span></dt><dd><p>

  113.        Specific types of privileges, as defined in <a class="xref" href="ddl-priv.html" title="5.7. Privileges">Section 5.7</a>.

  114.       </p></dd><dt><span class="term"><code class="literal">TEMP</code></span></dt><dd><p>

  115.        Alternative spelling for <code class="literal">TEMPORARY</code>.

  116.       </p></dd><dt><span class="term"><code class="literal">ALL PRIVILEGES</code></span></dt><dd><p>

  117.        Grant all of the privileges available for the object's type.

  118.        The <code class="literal">PRIVILEGES</code> key word is optional in

  119.        <span class="productname">PostgreSQL</span>, though it is required by

  120.        strict SQL.

  121.       </p></dd></dl></div><p>

  122.   </p><p>

  123.    The <code class="literal">FUNCTION</code> syntax works for plain functions,

  124.    aggregate functions, and window functions, but not for procedures;

  125.    use <code class="literal">PROCEDURE</code> for those.

  126.    Alternatively, use <code class="literal">ROUTINE</code> to refer to a function,

  127.    aggregate function, window function, or procedure regardless of its

  128.    precise type.

  129.   </p><p>

  130.    There is also an option to grant privileges on all objects of the same

  131.    type within one or more schemas.  This functionality is currently supported

  132.    only for tables, sequences, functions, and procedures.  <code class="literal">ALL

  133.    TABLES</code> also affects views and foreign tables, just like the

  134.    specific-object <code class="command">GRANT</code> command.  <code class="literal">ALL

  135.    FUNCTIONS</code> also affects aggregate and window functions, but not

  136.    procedures, again just like the specific-object <code class="command">GRANT</code>

  137.    command.  Use <code class="literal">ALL ROUTINES</code> to include procedures.

  138.   </p></div><div class="refsect2" id="SQL-GRANT-DESCRIPTION-ROLES"><h3>GRANT on Roles</h3><p>

  139.    This variant of the <code class="command">GRANT</code> command grants membership

  140.    in a role to one or more other roles.  Membership in a role is significant

  141.    because it conveys the privileges granted to a role to each of its

  142.    members.

  143.   </p><p>

  144.    If <code class="literal">WITH ADMIN OPTION</code> is specified, the member can

  145.    in turn grant membership in the role to others, and revoke membership

  146.    in the role as well.  Without the admin option, ordinary users cannot

  147.    do that.  A role is not considered to hold <code class="literal">WITH ADMIN

  148.    OPTION</code> on itself, but it may grant or revoke membership in

  149.    itself from a database session where the session user matches the

  150.    role.  Database superusers can grant or revoke membership in any role

  151.    to anyone.  Roles having <code class="literal">CREATEROLE</code> privilege can grant

  152.    or revoke membership in any role that is not a superuser.

  153.   </p><p>

  154.    If <code class="literal">GRANTED BY</code> is specified, the grant is recorded as

  155.    having been done by the specified role.  Only database superusers may

  156.    use this option, except when it names the same role executing the command.

  157.   </p><p>

  158.    Unlike the case with privileges, membership in a role cannot be granted

  159.    to <code class="literal">PUBLIC</code>.  Note also that this form of the command

  160.    does not allow the noise word <code class="literal">GROUP</code>

  161.    in <em class="replaceable"><code>role_specification</code></em>.

  162.   </p></div></div><div class="refsect1" id="SQL-GRANT-NOTES"><h2>Notes</h2><p>

  163.     The <a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a> command is used

  164.     to revoke access privileges.

  165.    </p><p>

  166.     Since <span class="productname">PostgreSQL</span> 8.1, the concepts of users and

  167.     groups have been unified into a single kind of entity called a role.

  168.     It is therefore no longer necessary to use the keyword <code class="literal">GROUP</code>

  169.     to identify whether a grantee is a user or a group.  <code class="literal">GROUP</code>

  170.     is still allowed in the command, but it is a noise word.

  171.    </p><p>

  172.     A user may perform <code class="command">SELECT</code>, <code class="command">INSERT</code>, etc. on a

  173.     column if they hold that privilege for either the specific column or

  174.     its whole table.  Granting the privilege at the table level and then

  175.     revoking it for one column will not do what one might wish: the

  176.     table-level grant is unaffected by a column-level operation.

  177.    </p><p>

  178.     When a non-owner of an object attempts to <code class="command">GRANT</code> privileges

  179.     on the object, the command will fail outright if the user has no

  180.     privileges whatsoever on the object.  As long as some privilege is

  181.     available, the command will proceed, but it will grant only those

  182.     privileges for which the user has grant options.  The <code class="command">GRANT ALL

  183.     PRIVILEGES</code> forms will issue a warning message if no grant options are

  184.     held, while the other forms will issue a warning if grant options for

  185.     any of the privileges specifically named in the command are not held.

  186.     (In principle these statements apply to the object owner as well, but

  187.     since the owner is always treated as holding all grant options, the

  188.     cases can never occur.)

  189.    </p><p>

  190.     It should be noted that database superusers can access

  191.     all objects regardless of object privilege settings.  This

  192.     is comparable to the rights of <code class="literal">root</code> in a Unix system.

  193.     As with <code class="literal">root</code>, it's unwise to operate as a superuser

  194.     except when absolutely necessary.

  195.    </p><p>

  196.     If a superuser chooses to issue a <code class="command">GRANT</code> or <code class="command">REVOKE</code>

  197.     command, the command is performed as though it were issued by the

  198.     owner of the affected object.  In particular, privileges granted via

  199.     such a command will appear to have been granted by the object owner.

  200.     (For role membership, the membership appears to have been granted

  201.     by the containing role itself.)

  202.    </p><p>

  203.     <code class="command">GRANT</code> and <code class="command">REVOKE</code> can also be done by a role

  204.     that is not the owner of the affected object, but is a member of the role

  205.     that owns the object, or is a member of a role that holds privileges

  206.     <code class="literal">WITH GRANT OPTION</code> on the object.  In this case the

  207.     privileges will be recorded as having been granted by the role that

  208.     actually owns the object or holds the privileges

  209.     <code class="literal">WITH GRANT OPTION</code>.  For example, if table

  210.     <code class="literal">t1</code> is owned by role <code class="literal">g1</code>, of which role

  211.     <code class="literal">u1</code> is a member, then <code class="literal">u1</code> can grant privileges

  212.     on <code class="literal">t1</code> to <code class="literal">u2</code>, but those privileges will appear

  213.     to have been granted directly by <code class="literal">g1</code>.  Any other member

  214.     of role <code class="literal">g1</code> could revoke them later.

  215.    </p><p>

  216.     If the role executing <code class="command">GRANT</code> holds the required privileges

  217.     indirectly via more than one role membership path, it is unspecified

  218.     which containing role will be recorded as having done the grant.  In such

  219.     cases it is best practice to use <code class="command">SET ROLE</code> to become the

  220.     specific role you want to do the <code class="command">GRANT</code> as.

  221.    </p><p>

  222.     Granting permission on a table does not automatically extend

  223.     permissions to any sequences used by the table, including

  224.     sequences tied to <code class="type">SERIAL</code> columns.  Permissions on

  225.     sequences must be set separately.

  226.    </p><p>

  227.     See <a class="xref" href="ddl-priv.html" title="5.7. Privileges">Section 5.7</a> for more information about specific

  228.     privilege types, as well as how to inspect objects' privileges.

  229.    </p></div><div class="refsect1" id="SQL-GRANT-EXAMPLES"><h2>Examples</h2><p>

  230.    Grant insert privilege to all users on table <code class="literal">films</code>:

  231. 

  232. </p><pre class="programlisting">

  233. GRANT INSERT ON films TO PUBLIC;

  234. </pre><p>

  235.   </p><p>

  236.    Grant all available privileges to user <code class="literal">manuel</code> on view

  237.    <code class="literal">kinds</code>:

  238. 

  239. </p><pre class="programlisting">

  240. GRANT ALL PRIVILEGES ON kinds TO manuel;

  241. </pre><p>

  242. 

  243.    Note that while the above will indeed grant all privileges if executed by a

  244.    superuser or the owner of <code class="literal">kinds</code>, when executed by someone

  245.    else it will only grant those permissions for which the someone else has

  246.    grant options.

  247.   </p><p>

  248.    Grant membership in role <code class="literal">admins</code> to user <code class="literal">joe</code>:

  249. 

  250. </p><pre class="programlisting">

  251. GRANT admins TO joe;

  252. </pre></div><div class="refsect1" id="SQL-GRANT-COMPATIBILITY"><h2>Compatibility</h2><p>

  253.     According to the SQL standard, the <code class="literal">PRIVILEGES</code>

  254.     key word in <code class="literal">ALL PRIVILEGES</code> is required.  The

  255.     SQL standard does not support setting the privileges on more than

  256.     one object per command.

  257.    </p><p>

  258.     <span class="productname">PostgreSQL</span> allows an object owner to revoke their

  259.     own ordinary privileges: for example, a table owner can make the table

  260.     read-only to themselves by revoking their own <code class="literal">INSERT</code>,

  261.     <code class="literal">UPDATE</code>, <code class="literal">DELETE</code>, and <code class="literal">TRUNCATE</code>

  262.     privileges.  This is not possible according to the SQL standard.  The

  263.     reason is that <span class="productname">PostgreSQL</span> treats the owner's

  264.     privileges as having been granted by the owner to themselves; therefore they

  265.     can revoke them too.  In the SQL standard, the owner's privileges are

  266.     granted by an assumed entity <span class="quote">“<span class="quote">_SYSTEM</span>”</span>.  Not being

  267.     <span class="quote">“<span class="quote">_SYSTEM</span>”</span>, the owner cannot revoke these rights.

  268.    </p><p>

  269.     According to the SQL standard, grant options can be granted to

  270.     <code class="literal">PUBLIC</code>; PostgreSQL only supports granting grant options

  271.     to roles.

  272.    </p><p>

  273.     The SQL standard allows the <code class="literal">GRANTED BY</code> option to

  274.     be used in all forms of <code class="command">GRANT</code>.  PostgreSQL only

  275.     supports it when granting role membership, and even then only superusers

  276.     may use it in nontrivial ways.

  277.    </p><p>

  278.     The SQL standard provides for a <code class="literal">USAGE</code> privilege

  279.     on other kinds of objects: character sets, collations,

  280.     translations.

  281.    </p><p>

  282.     In the SQL standard, sequences only have a <code class="literal">USAGE</code>

  283.     privilege, which controls the use of the <code class="literal">NEXT VALUE FOR</code>

  284.     expression, which is equivalent to the

  285.     function <code class="function">nextval</code> in PostgreSQL.  The sequence

  286.     privileges <code class="literal">SELECT</code> and <code class="literal">UPDATE</code> are

  287.     PostgreSQL extensions.  The application of the

  288.     sequence <code class="literal">USAGE</code> privilege to

  289.     the <code class="literal">currval</code> function is also a PostgreSQL extension (as

  290.     is the function itself).

  291.    </p><p>

  292.     Privileges on databases, tablespaces, schemas, and languages are

  293.     <span class="productname">PostgreSQL</span> extensions.

  294.    </p></div><div class="refsect1" id="id-1.9.3.150.9"><h2>See Also</h2><span class="simplelist"><a class="xref" href="sql-revoke.html" title="REVOKE"><span class="refentrytitle">REVOKE</span></a>, <a class="xref" href="sql-alterdefaultprivileges.html" title="ALTER DEFAULT PRIVILEGES"><span class="refentrytitle">ALTER DEFAULT PRIVILEGES</span></a></span></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sql-fetch.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sql-commands.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sql-importforeignschema.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">FETCH </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> IMPORT FOREIGN SCHEMA</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1