GRANT
Use the GRANT
command to assign system
and object permissions to roles. System permissions control
the commands that can be run in the ObjectServer. Object permissions control
access to individual objects, such as tables.
Syntax for granting system permissions
GRANT system_permission,...
TO ROLE 'role_name',...
[ WITH GRANT OPTION ];
The value of system_permission can be any of the following subcommands:
ISQL
ISQL WRITE
ALTER SYSTEM DROP CONNECTION
ALTER SYSTEM SHUTDOWN
ALTER SYSTEM BACKUP
ALTER SYSTEM SET PROPERTY
CREATE DATABASE
CREATE FILE
CREATE RESTRICTION FILTER
CREATE SQL PROCEDURE
CREATE EXTERNAL PROCEDURE
CREATE SIGNAL
CREATE TRIGGER GROUP
CREATE USER
CREATE GROUP
CREATE ROLE
ALTER USER
ALTER GROUP
ALTER ROLE
DROP USER
DROP GROUP
DROP ROLE
GRANT ROLE
REVOKE ROLE
The role_name is a text string containing the unique name of the role or roles to which you are assigning permissions.
The WITH GRANT OPTION option enables the roles to whom the permission is granted to grant the permission to other roles.
SELECT
* FROM catalog.security_permissions WHERE Object = 'SYSTEM' ORDER
BY Permission;
Example for granting system permissions
grant create database to role 'DDL_Admin';
Syntax for granting object permissions
GRANT object_permission,... ON permission_object object_name
TO ROLE 'role_name',...
[ WITH GRANT OPTION ];
You can assign one or more permissions to ObjectServer objects. Use object_permission to define the SQL commands that authorized users can run on an ObjectServer object of type permission_object. The object_name is a text string containing the unique name of the object.
The owner of the object (its creator) automatically has the grant and revoke permissions associated with that object, and can grant and revoke those permissions to other roles. The following table lists the permissions that the owner has for each object type. The owner can also grant these permissions to other users.
Objects (permission_object) | Permissions (object_permission) |
---|---|
DATABASE | DROP CREATE TABLE CREATE VIEW |
TABLE | DROP ALTER SELECT INSERT UPDATE DELETE CREATE INDEX DROP INDEX |
VIEW | DROP ALTER SELECT UPDATE DELETE |
TRIGGER GROUP | DROP ALTER CREATE TRIGGER |
TRIGGER | DROP ALTER |
FILE | DROP ALTER WRITE |
SQL PROCEDURE EXTERNAL PROCEDURE |
DROP ALTER EXECUTE |
SIGNAL | DROP ALTER RAISE |
RESTRICTION FILTER | DROP ALTER |
The role_name is a text string containing the unique name of the role or roles to which the permissions are being assigned.
The WITH GRANT OPTION option enables the roles to whom the permission is granted to grant the permission to other roles.
Example for granting object permissions
grant drop on database testdb to role 'DDL_Admin';