-rw-r--r-- | doc/src/sgml/ref/grant.sgml | 57 |
1 files changed, 37 insertions, 20 deletions
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml index 70e9d581c83..13e19042f50 100644 --- a/doc/src/sgml/ref/grant.sgml +++ b/doc/src/sgml/ref/grant.sgml @@ -1,5 +1,5 @@ <!-- -$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.22 2002/04/21 00:26:42 tgl Exp $ +$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.23 2002/04/22 19:17:40 tgl Exp $ PostgreSQL documentation --> @@ -157,11 +157,10 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] } <term>CREATE</term> <listitem> <para> - For databases, allows new schemas to be created in the database. + For databases, allows new schemas to be created within the database. </para> <para> - For schemas, allows new objects to be created within the specified - schema. + For schemas, allows new objects to be created within the schema. </para> </listitem> </varlistentry> @@ -196,9 +195,9 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] } of privilege that is applicable to procedural languages. </para> <para> - For schemas, allows the use of objects contained in the specified + For schemas, allows access to objects contained in the specified schema (assuming that the objects' own privilege requirements are - met). Essentially this allows the grantee to <quote>look up</> + also met). Essentially this allows the grantee to <quote>look up</> objects within the schema. </para> </listitem> @@ -227,6 +226,11 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] } <title>Notes</title> <para> + The <xref linkend="sql-revoke" endterm="sql-revoke-title"> command is used + to revoke access privileges. + </para> + + <para> It should be noted that database <firstterm>superusers</> can access all objects regardless of object privilege settings. This is comparable to the rights of <literal>root</> in a Unix system. 
@@ -243,19 +247,19 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] } <para> Use <xref linkend="app-psql">'s <command>\z</command> command - to obtain information about privileges - on existing objects: + to obtain information about existing privileges, for example: +<programlisting> +lusitania=> \z mytable + Access privileges for database "lusitania" + Table | Access privileges +---------+--------------------------------------- + mytable | {=r,miriam=arwdRxt,"group todos=arw"} +</programlisting> + The entries shown by <command>\z</command> are interpreted thus: <programlisting> - Database = lusitania - +------------------+---------------------------------------------+ - | Relation | Grant/Revoke Permissions | - +------------------+---------------------------------------------+ - | mytable | {"=rw","miriam=arwdRxt","group todos=rw"} | - +------------------+---------------------------------------------+ - Legend: - uname=arwR -- privileges granted to a user - group gname=arwR -- privileges granted to a group - =arwR -- privileges granted to PUBLIC + =xxxx -- privileges granted to PUBLIC + uname=xxxx -- privileges granted to a user + group gname=xxxx -- privileges granted to a group r -- SELECT ("read") w -- UPDATE ("write") 
@@ -270,11 +274,24 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] } T -- TEMPORARY arwdRxt -- ALL PRIVILEGES (for tables) </programlisting> + + The above example display would be seen by user <literal>miriam</> after + creating table <literal>mytable</> and doing + +<programlisting> +GRANT SELECT ON mytable TO PUBLIC; +GRANT SELECT,UPDATE,INSERT ON mytable TO GROUP todos; +</programlisting> </para> <para> - The <xref linkend="sql-revoke" endterm="sql-revoke-title"> command is used to revoke access - privileges. + If the <quote>Access privileges</> column is empty for a given object, +it means the object has default privileges (that is, its privileges field +is NULL). Currently, default privileges are interpreted the same way +for all object types: all privileges for the owner and no privileges for +anyone else. The first <command>GRANT</> on an object will instantiate +this default (producing, for example, <literal>{=,miriam=arwdRxt}</>) +and then modify it per the specified request. </para> </refsect1> |
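
Review bot: In the @@ -196,9 +195,9 @@ hunk the USAGE entry for schemas still reads "contained in the specified schema", while the @@ -157,11 +157,10 @@ hunk shortens the CREATE entry from "within the specified schema" to "within the schema". Drop "specified" in the USAGE entry as well so the two schema descriptions are worded the same way.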
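
Review bot: In the @@ -243,19 +247,19 @@ hunk the sample \z output is introduced only with "for example:", so the reader reaches the legend without knowing what state mytable is in. The sentence that names the owner and the GRANT statements behind the display is added only after the legend, in the next hunk. Consider moving that sentence directly after the first programlisting, or adding a short clause before it saying the listing is for a table created by miriam with grants to PUBLIC and group todos.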
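
Review bot: In the @@ -270,11 +274,24 @@ hunk neither of the two GRANT statements in the new programlisting grants anything to miriam, yet the sample display shows "miriam=arwdRxt". The new paragraph on default privileges explains why (the first GRANT instantiates the owner default), but it never ties that back to the example. Add a sentence saying the miriam entry in the display is the instantiated owner default. The continuation lines of that paragraph ("it means the object has default privileges ...") also start at column 0, unlike the indented text in the surrounding para elements.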