GRANT
Syntax
Syntax Elements
System privileges are used to restrict administrative tasks. The table below describes the supported
system privileges.
Schema privileges are used to restrict the access and modifications on a schema and the objects
stored in this schema. The following schema privileges are defined:
CREATE ANY
This privilege allows the creation of all kinds of objects, in particular, tables, views, sequences,
synonyms, SQLScript functions, or database procedures in a schema.
Object privileges are used to restrict the access and modifications on database objects. Database
objects are tables, views, sequences, procedures, etc. The table below describes the supported object
privileges.
| Object Privilege | Command Types | Privilege Description | Comment |
|---|---|---|---|
| ALL PRIVILEGES | DDL & DML | This privilege is a collection of all Data Definition Language (DDL) and Data Manipulation Language (DML) privileges that the grantor currently possesses and is allowed to grant further. The privilege it grants is specific to the particular object being acted upon. | This privilege collection is dynamically evaluated for the given grantor and object. ALL PRIVILEGES is applicable to a table or view. |
| ALTER | DDL | Authorizes the ALTER command for the object. | |
| DEBUG | DML | Authorizes debug-functionality for the procedure or calculation view or for the procedures and calculation views of a schema. | |
| DELETE | DML | Authorizes the DELETE and TRUNCATE commands for the object. | |
| DROP | DDL | Authorizes the DROP commands for the object. | |
| EXECUTE | DML | Authorizes the execution of an SQLScript function or a database procedure using the CALLS or CALL command respectively. | |
| INDEX | DDL | Authorizes the creation, modification or dropping of indexes for the object. | |
| INSERT | DML | Authorizes the INSERT command for the object. | The INSERT and UPDATE privilege are both required on the object to allow the REPLACE and UPSERT commands to be used. |
| REFERENCES | DDL | Authorizes the usage of all tables in this schema or this table in a foreign key definition. | |
| SELECT | DML | Authorizes the SELECT command for this object or the usage of a sequence. | |
| TRIGGER | DDL | Authorizes the CREATE TRIGGER / DROP TRIGGER command for the specified table or the tables in the specified schema. | |
| UPDATE | DML | Authorizes the UPDATE command for that object. | The INSERT and UPDATE privilege are both required on the object to allow the REPLACE and UPSERT commands to be used. The UPDATE privilege is also required to perform delta merges of column store tables using the MERGE DELTA command. |
| <identifier>.<identifier> | DDL | Components of the SAP HANA database can create new system privileges. These privileges use the component-name as first identifier of the system privilege and the component-privilege-name as the second identifier. | |
Not all object privileges are applicable to all kinds of database objects. For details of which object
types allow which privilege to be used please see the table below.
DELETE, INSERT and UPDATE on views are valid for updatable views only. Updatable views have the
following characteristics:
Object privileges are used to restrict the access and modifications on database objects like tables,
views, sequences, procedures and synonyms.
The grantee can be a user or a role. If a privilege or role is granted to a role, then all users
granted that role will have the specified privilege or role.
A role is a named collection of privileges and can be granted to either a user or a role.
If you want to allow several database users to perform the same actions, you should create a role,
grant the needed privileges to this role, and finally grant the role to the different database users.
When granting roles to roles, a tree of roles can be built. When granting a role (R) to a role or user
(G), G will have all privileges directly granted to R and all privileges granted to roles which had been
granted to R.
Description
GRANT is used to grant privileges and structured privileges to users and roles. GRANT is also used to
grant roles to users and other roles.
The specified users, roles, objects, and structured privileges have to exist before they can be used in
the GRANT command.
In order to use the GRANT command to grant privileges to other users and roles, a user must have
the privilege and also the permissions required to grant that privilege.
Although the SYSTEM user has many privileges, it cannot select or change data in other users' tables
unless this privilege has been explicitly granted.
All users have the privilege to create objects in their own default schema. The default schema for a
user always has the same schema name as the user.
For tables created by users, users have all privileges and may grant all privileges further to other users
and roles.
For objects which are dependent on other objects, like views being dependent on tables, it can occur
that the owner of the dependent object does not have a complete set of privileges. This can occur if the
user does not have the privileges on the underlying objects on which their object depends.
Users can have privileges on an object, but may not have sufficient privileges to grant them to other
users and roles.
USERS: shows all users, their creator, creation date and some info about their current states.
ROLES: shows all roles, their creator and creation date.
GRANTED_ROLES: shows which roles are granted to which user or role.
GRANTED_PRIVILEGES: shows which privileges are granted to which user or role.
Examples
You grant the SELECT privilege on any object in my_schema to the role
role_for_work_on_my_schema.
You grant the INSERT privilege for the work_done table to the role role_for_work_on_my_schema.
You grant the DELETE privilege for this table to the worker user.
You grant the worker user the privilege to create any kind of object in the my_schema schema.
The result of the above commands is that the worker user has the privilege to SELECT all tables and
views in schema my_schema, to INSERT into and DELETE from table my_schema.work_done and to
create objects in schema my_schema. Additionally, the worker user is allowed to grant DELETE on the
table my_schema.work_done to other users and roles.
You grant the privileges INIFILE ADMIN and TRACE ADMIN to the user worker. You grant these
privileges along with the permission for the worker user to grant them further.
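The grants described in the examples above, written out together with a review query, as an added example that is not the page's own code. The table columns, the placeholder password and the explicit role grant to worker (implied by the stated result) are assumptions.

```sql
-- Setup, constructed for this example: GRANT requires the schema, table,
-- user and role to exist before they are referenced.
CREATE SCHEMA my_schema;
CREATE TABLE my_schema.work_done (t TIMESTAMP, done_by NVARCHAR(256), note NVARCHAR(256));
CREATE USER worker PASSWORD "Placeholder_Pw_1";   -- placeholder, not a real credential
CREATE ROLE role_for_work_on_my_schema;

-- Schema privilege: SELECT on every object in my_schema, given to the role.
GRANT SELECT ON SCHEMA my_schema TO role_for_work_on_my_schema;

-- Object privilege: INSERT on a single table, given to the role.
GRANT INSERT ON my_schema.work_done TO role_for_work_on_my_schema;

-- Assumed step: the stated result (worker can SELECT and INSERT) only holds
-- if the role has been granted to worker.
GRANT role_for_work_on_my_schema TO worker;

-- DELETE granted directly to the user. WITH GRANT OPTION is what lets worker
-- pass DELETE on to other users and roles, as the result paragraph states.
GRANT DELETE ON my_schema.work_done TO worker WITH GRANT OPTION;

-- Schema privilege CREATE ANY: worker may create objects in my_schema.
GRANT CREATE ANY ON SCHEMA my_schema TO worker;

-- System privileges use WITH ADMIN OPTION (not GRANT OPTION) for delegation.
GRANT INIFILE ADMIN, TRACE ADMIN TO worker WITH ADMIN OPTION;

-- Review: what was granted directly to the user and to the role.
-- Unquoted identifiers are stored in upper case. Rows with
-- IS_GRANTABLE = 'TRUE' are privileges the grantee can hand out further,
-- which is the delegation path to check in a least-privilege review.
SELECT grantee, grantee_type, privilege, object_type,
       schema_name, object_name, is_grantable
  FROM granted_privileges
 WHERE grantee IN ('WORKER', 'ROLE_FOR_WORK_ON_MY_SCHEMA')
 ORDER BY grantee, privilege;

-- Review: which roles worker holds. Privileges inherited through a role
-- appear under the role's name in GRANTED_PRIVILEGES, not under WORKER.
SELECT grantee, grantee_type, role_name, is_grantable
  FROM granted_roles
 WHERE grantee = 'WORKER';
```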